Date post: 23-Dec-2015
Information Security Zero to 60 in 10 Years Howard Muffler, Information Security Officer Joseph Progar, Information Security Analyst Embry-Riddle Aeronautical University

Information Security

Zero to 60 in 10 Years

Howard Muffler, Information Security Officer

Joseph Progar, Information Security Analyst

Embry-Riddle Aeronautical University


BUSINESS IMPERATIVES


Past: Business Imperatives

• Create a “Web Presence”
  – Convey information
  – Market to current and prospective customers
• Expand research capabilities
• Explore new markets – local to global
  – Reach a wider audience
  – Defend against competitors
• Enhance student life


Past: Business Imperatives

• Develop online classes and classrooms
• Transition IT from service provider to business driver
• Security imperatives growing as well:
  – Pay more attention to information protection!
  – Recognize the Internet as a dangerous place


Present: Business Imperatives

• Internet = Requisite business tool
  – Anytime Anywhere
  – Empower constituents
    • More Self-Services
    • More communication and collaboration
  – Continue to innovate – expand markets further
  – Think like an entrepreneur – act like a business


Present: Business Imperatives

• Security is a bigger concern than ever
  – Don’t end up “In the News” (involuntarily)
  – Understand risks; mitigate vulnerabilities
  – Formalize security responsibility and functions
  – Ensure legal and regulatory compliance


Future: Business Imperatives

• Continue expansion in global markets
• Deliver product anytime and anywhere
• Expand brand recognition
• Concentrate on niche competencies


Future: Business Imperatives

• Security will continue to be critical
  – Imbed awareness into organization culture
  – Provide security which doesn’t conflict with education, productivity, & job responsibilities
  – Preserve constituent privacy
  – Ensure continued legal and regulatory compliance


ATTACKS


Past: Attackers and their Motives

Attacker
• Researchers
• Teenagers

Motivation
• Proof of Concept
• Fame / Infamy


Past: Common Attacks

• Viruses
• Worms
• Trojans
• DOS
• Web defacement
• Scanning
• Sniffing


Present: Attackers and their Motives

Attacker
• Well educated individuals
• Organized crime

Motivation
• Money
• Power


Present: Common Attacks

• Viruses, Worms, Trojans
  – Root Kits
  – Bot Nets
  – Key loggers
• DDOS
• Phishing


Future: Attackers and their Motives

Attacker
• Well educated criminals
• Ideologies and Businesses

Motives
• Money
• Politics


Future: Common attacks

• Viruses, Worms, Trojans
  – Bot Nets
  – Blended threats
• Encryption
  – Holding data hostage


NETWORK


Past: Network

[Network diagram; labels: Router, Firewall, Internet, Campus]


Present: Network

[Network diagram; labels: Firewall (three), Internet, Campus, Databases, APP, Web, Wireless, Web Servers, Applications, Router w/netflow IPS]


Present: Network

Defense in Depth


Future: Network

[Flow diagram; labels: Request Access, Evaluate, Process, Deny, Allow, Remediate]


ERAU SECURITY RESPONSE


Past: Security Response

• Moving away from Laissez Faire (B.I.)
• Early safeguards mostly afterthoughts
• Focused on virus protection and basic network security (perimeter protection)
• Equipment misuse > info protection
• SPAM threat not yet fully appreciated
• Y2K = Resource hog


Past: Security Response

• Higher Ed = Prime hacker target (why?)
• “Selling” security to upper management
• Growing appreciation of “Insider” threat
• Virus concerns = “Trio of Trouble” Plus
• Stronger efforts re: Regulatory compliance


Present: Security Response

• Formalization of security responsibilities
• Creation of formal policies and procedures
• Creation/expansion of education and awareness programs
• IT leadership in incident response
• First formal Risk Assessment study


Future: Security Response

• Continue to view security holistically
• Expand policies and procedures (ISO)
• Address new “compliance hammers”
• Formalize incident response – Not just IT
• Repeat Risk Analysis regularly
• Implement security measures which don’t just target specific vulnerabilities (adaptive, heuristic)


Five Steps to an Effective Information Security Program

1. Get Upper Management Support
2. Start Small
3. Adopt a Multilayered Approach
4. Keep Security Flexible
5. Improve Continuously


Thank You!

Q & A

