Title: Consortium for School Networking
1Any Questions Before We Start?
Cyber Security for the Digital District
Cyber Security for the Digital District
Cyber Security for the Digital District
Any Questions Before We Start?
- Consortium for School Networking
Mass Networks Education Partnership
2Presentation Overview
Cyber Security for the Digital District
Cyber Security for the Digital District
Cyber Security for the Digital District
Presentation Overview
- 1. Security trendy or timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
3 Trendy or Timely?
Security
Why spend time on Security?
The Imperfect Storm
1. Security Trendy or Timely?
2. What does security mean in my district?
- The technology flood new products and
possibilities bring intended and unintended-
consequences - Trends convergence and ubiquity
- wireless (soon mesh) networks
- Text-messaging cell phones
- Handhelds (PDAs)
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
4 Trendy or Timely?
Security
The Imperfect Storm
National concern on security
1. Security Trendy or Timely?
- SANS Institute SANS Top 20 Security
Vulnerabilitieshttp//www.sans.org/top20/ - Department of Homeland Security National Cyber
Alert System http//www.us-cert.gov/ - Business Software Alliance, Information
Technology Assn of America, TechNet, and US
Chamber or Commerce National Cyber Security
Partnership (http//www.cyberpartnership.org/) - Coming in December the National Cyber Security
Early Warning Contact Network (EWAN).
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
5 Trendy or Timely?
Security
The Imperfect Storm
National concern on security
1. Security Trendy or Timely?
The Department of Homeland Security has
announced a new critical vulnerability in all
versions of Pepsi, including Pepsi, Diet Pepsi,
and the critical Mountain Dew developer support
platform. The flaw is essentially an
authentication vulnerability that allows hackers
to determine the Pepsi-iTunes song give-away code
without properly authenticating with the bottle
cap lid through the purchase mechanism. Source
slashnot.com
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
the critical Mountain Dew developer platform?
6 Trendy or Timely?
Security
The Imperfect Storm
Rapid evolution of Malware
1. Security Trendy or Timely?
SPAM Can Spam Act 80 of kids using email
receive has little effect inappropriate messages
2. What does security mean in my district?
SPIM Spam for IM expected to rise 300 in 2004
3. Getting started asking the right questions
Viruses Slammers lesson In first minute
infected population on monoculture doubled in
size every 8.5 seconds.
4. Security assessment and response
Phish a clever lure Increased 50 in Feb 2004
5. Making security permanent
Worms growing nastier Bagle.q infects when
message is opened - no attachment needed
Zero Day pre-patch malware patches rushed out
with minimal testing
Hammer Spammer-Spawner Worms send email addresses
to spammer
7 Nows the Time
Security
- IT comes of age technology is no longer an
option. - NCLB Accountability
- Innovation invariably involves informationSchool
districts cannot run without technology
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
8 Nows the Time
Security
-
- IT comes of age technology is no longer an
option. - NCLB Accountability
- Innovation invariably involves information
1. Security Trendy or Timely?
-
- E-Entropy menaces the information world.
- Morphing Malware SPIM, Hammers, Spoofs, Phish
- Expanding Spam email traffic stalls productivity
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
9 Nows the Time
Security
IT comes of age technology is no longer an
option. NCLB Accountability Innovation invariably
involves information
E-Entropy menaces the information
world. Morphing Malware SPIM, Hammers, Spoofs,
Phish Expanding Spam email traffic jams
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
- New vulnerabilities require new vigilance
- Protecting students
- from crossing guards to firewalls
- Protecting educational assets
- from padlocks to biometrics
4. Security assessment and response
5. Making security permanent
10 Getting a Grip
Security
So troubles brewing, but
1. Security Trendy or Timely?
What does security mean in my district?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
11What is Security?
The Absence of Risk
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
SourceCarnegie-Mellon Univ. OCTAVE
12What is Security?
Security is
1. Security Trendy or Timely?
the presence of well-designed and well-run
information systems
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
13What is Security?
Security is
1. Security Trendy or Timely?
- providing
- the freedom to learn.
2. What does security mean in my district?
3. Getting started asking the right questions
by inspiring trust in and encouraging effective
use by appropriate stakeholders,
4. Security assessment and response
so that the inevitable mishaps impacting the
organizations assets are promptly, effectively,
and ethically dealt with.
so that the inevitable mishaps impacting the
organizations assets are promptly, effectively,
and ethically dealt with.
5. Making security permanent
14Security Getting Started
Eight Questions
A Superintendent Should Ask The Chief Technology
Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
15Security Getting Started
Eight Questions A Superintendent Should Ask
The Chief Technology Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
16Security Getting Started
Eight Questions A Superintendent Should Ask
The Chief Technology Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
17Security Getting Started
Eight Questions A Superintendent Should Ask
The Chief Technology Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
18Security Getting Started
Eight Questions A Superintendent Should Ask
The Chief Technology Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
19Security Getting Started
Eight Questions A Superintendent Should Ask
The Chief Technology Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
20Security Getting Started
Eight Questions A Superintendent Should Ask
The Chief Technology Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
21Security Getting Started
Eight Questions A Superintendent Should Ask
The Chief Technology Officer
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
22Security
Assessment and Response
1
District Security Checklist
1. Security Trendy or Timely?
- Five topic areas to get a handle on where the
district is now
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
23Security
Assessment and Response
1
District Security Checklist
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
24Security
Assessment and Response
1
District Security Checklist
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
25Security
Assessment and Response
1
District Security Checklist
1. Security Trendy or Timely?
- Getting a handle on where the district is now
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
26Security
Assessment and Response
1
District Security Checklist
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
27Security
Assessment and Response
1
District Security Checklist
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
28Security
Assessment and Response
1
District Security Checklist
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
29Security
Assessment and Response
1
- District Security Checklist
Security Planning Grid The Superintendent and
CIO/IT Director reviewthe Security Planning Grid
for a quick takeon the districts level of
security preparedness.
2
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
30Security
Assessment and Response
2
Security Planning Grid
1. Security Trendy or Timely?
- Provides benchmarks for assessing key factors
contributing to security preparedness - Uses the same topic areas for consistency
- Helps prioritize security improvement action steps
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
31Security
Assessment and Response
2
Security Planning Grid
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
32Security
Assessment and Response
2
Security Planning Grid
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
33Security
Assessment and Response
2
Security Planning Grid
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
34Security
Assessment and Response
1
- District Security Checklist
2
Security Planning Grid
1. Security Trendy or Timely?
3
- Act and Plan
- Action Identify and eliminate immediate
vulnerabilities - Plan Justify implementation of a security
protocol -
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
35Security
Making Security Permanent
1
Purpose Clarify ITs role in district
mission Scope Set boundaries and budgets on
inquiry Values Define internal expectations
and external requirements for security
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
36 Security
Protocol for Permanent Security
2. Risk Analysis
1. Set Security Goals
2-A. Identify Risks. Technology, data,
expertise Systems Network architecture, IT
operations Data Accuracy, integrity,
security, privacy People Staff, users,
stakeholders Measure Potential impact of
disruptive events
1-A. Purpose of IT Security Review Confirm
Organizational Mission Overall Role of IT
Convene Security Oversight and Planning
Team Objective Keep security planning focused
and useful
1. Security Trendy or Timely?
2. What does security mean in my district?
1-B. Scope of Inquiry Set Boundaries and
Budgets Agree Which IT tools, data, services
to review Establish Schedule for security
planning process Determine Initial budget
2-B. Assess Vulnerabilities Threats Systems
Look for design, configuration, and maintenance
weaknesses. Physical plant Power supply,
flood, fire, storm theft Organization
Inadequate policies, training, or
staffing People Accidental and intentional
causes
3. Getting started asking the right questions
1-C. Values to Guide Decision-Making Internal
Expectations, External Requirements, National
Guidelines Clarify User expectations for IT
performance Identify Legal and regulatory
requirements Agree on Criteria for judging IT
assets and prioritizing discovered security risks
4. Security assessment and response
2-C. Security Stress Tests Tech
tests Periphery, Internals, Shared
Spaces Review Operations, procedures,
documentation Evaluate User practices,
awareness, expertise Prioritize Security gaps
Rank on impact, then probability
5. Making security permanent
Outcome 1 Security Project Description A
project description that includes goals,
processes, resources, and decision-making
standards
Outcome 2 Prioritized Risk Assessment Report A
ranked list of vulnerabilities to guide risk
reduction efforts
Asset-based concept from Carnegie-Mellons
OCTAVE
37Security
Assessment and Response
1
- District Security Checklist
2
Security Planning Grid
1. Security Trendy or Timely?
3
- Act and Plan
- Action Identify and eliminate immediate
vulnerabilities - Plan Justify implementation of a security
protocol -
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
38Security
Making Security Permanent
1
Purpose Clarify ITs role in district
mission Scope Set boundaries and budgets on
inquiry Values Define internal expectations
and external requirements for security
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
39Security
Making Security Permanent
PurposeScopeValues
1
Setting Security Goals
2
2
Risk Analysis
1. Security Trendy or Timely?
- Whats at risk? Identify IT assets
- OCTAVE Risk Impact Model
- Vulnerabilities and Threats Identify impacts to
- Systems
- People
- IT organizational issues
- Physical plant
- Stress Test Test vulnerabilities to find gaps in
security
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
OCTAVE is registered with the U.S. Patent and
Trademark Office by Carnegie Mellon
University.Operationally Critical Threat, Asset,
Vulnerability EvaluationSM is a service mark of
Carnegie Mellon University
40Security
Making Security Permanent
PurposeScopeValues
1
Setting Security Goals
Whats at risk? Vulnerabilities, ThreatsStress
Test
2
Risk Analysis
1. Security Trendy or Timely?
Risk Reduction
3
2. What does security mean in my district?
Prioritize solutions for security gaps identified
in stress tests Action plan time, staff, and
materials Revise SOP Ensure integration into
existing IT operations
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
41Security
Making Security Permanent
PurposeScopeValues
1
Setting Security Goals
Whats at risk? Vulnerabilities, ThreatsStress
Test
2
Risk Analysis
1. Security Trendy or Timely?
Risk Reduction
Prioritize solutionsAction planRevise SOP
3
2. What does security mean in my district?
4
Crisis Management
3. Getting started asking the right questions
Prioritize possible crisis scenarios consider
probability, severity of impact Develop
comprehensive plans restoration of service,
communication, staffing Practice, Revise, Train,
Practice Revise to include new IT assets
buildings
4. Security assessment and response
5. Making security permanent
42Security
Making Security Permanent
PurposeScopeValues
1
Setting Security Goals
Whats at risk? Vulnerabilities, ThreatsStress
Test
2
Risk Analysis
1. Security Trendy or Timely?
Risk Reduction
Prioritize solutionsAction planRevise SOP
3
2. What does security mean in my district?
Crisis scenarios Inclusive plansPractice,
practice
4
Crisis Management
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
43Security
Making Security Permanent
Since risk is here to stay, security must
become a regular part of all school
routines. Daily (even hourly)
monitoring Weekly backups Monthly
updates Annual Reviews Yearly Budget
cycles Periodic communication with
parents Space planning projects Professional
Development Teaching and Learning
PurposeScopeValues
1
Setting Security Goals
Whats at risk? Vulnerabilities, ThreatsStress
Test
2
Risk Analysis
1. Security Trendy or Timely?
Risk Reduction
Prioritize solutionsAction planRevise SOP
3
2. What does security mean in my district?
Crisis scenarios Inclusive plansPractice,
practice
4
Crisis Management
3. Getting started asking the right questions
4. Security assessment and response
5. Making security permanent
44- To Download
- Eight Questions a Superintendent Should Ask the
CTO - District Security Checklist
- Security Planning Grid
- Slide Shows on public awareness, wireless
security, the Cyber Security Project, and other
topics - White papers on cyber security issues
1. Security Trendy or Timely?
2. What does security mean in my district?
3. Getting started asking the right questions
4. Security assessment and response
Navigate to
5. Making security permanent
http//www.securedistrict.cosn.org/resources
45Thanks!
We welcome your feedback
http//www.securedistrict.cosn.org