Results from the CIFAC Project and What They Mean to You Virginia E. Rezmierski Daniel M. Rothschild...

Post on 22-Dec-2015


Results from the CIFAC Project and What They Mean to You

Virginia E. Rezmierski

Daniel M. Rothschild

April 4, 2005

Washington, DC

Advisory Board

Mark S. Bruhn, B.S., CISSP, Indiana University

Shawn A. Butler, Ph.D., Carnegie Mellon University

Robert Clark, Jr., B.A., CIA, CBM, Georgia Tech

Tracy Mitrano, Ph.D., J.D., Cornell University

Rodney Petersen, J.D., Ph.D., EDUCAUSE

E. Eugene Schultz, Ph.D., Lawrence Berkeley Nat’l Laboratory

Barbara Simons, Ph.D., Association for Computing Machinery

Eugene H. Spafford, Ph.D., Purdue University CERIAS

John J. Suess, M.S., University of Maryland – Baltimore County

D. Frank Vinik, J.D., United Educators

Participating Colleges and Universities

Large (≥10,000), Public

- San Jose State University
- UC Berkeley
- University of Illinois - Chicago
- SUNY Binghamton
- University of Massachusetts - Amherst
- UMD College Park
- Georgia Tech
- Georgia State
- University of Texas at San Antonio
- University of Texas at Austin
- Michigan State University

Large (≥10,000), Private

- Stanford University
- University of Chicago
- Northwestern University
- Cornell University
- Syracuse University
- Boston University
- MIT
- Georgetown University
- Emory University

Small & Medium (<10,000), Public

- California State University - Monterey Bay
- University of Massachusetts - Boston
- University of Maryland - Baltimore County
- University of Michigan - Flint
- University of Michigan - Dearborn
- Saginaw Valley State University

Small & Medium (<10,000), Private

- Santa Clara University
- Loyola University of Chicago
- Lake Forest College
- LeMoyne College
- Hampshire College
- American University
- Southwestern University
- Findlay University
- Cleary University
- Concordia University (MI)

Incident definition

An incident is an event that utilizes or exploits information technology resources or security flaws therein, either by accident or by design and through malice or otherwise, that causes, directly or indirectly, one or more of the following occurrences:

- Compromise of proprietary, confidential, or protected data,
- System disruption which impedes user(s)’ access to data or other IT resources,
- Violates IT use policies set out and made known by the administrator(s) of the IT systems in question,
- Violates norms commonly accepted within the community of system user(s) for use of IT resources,
- Attempting or conspiring to engage or represent oneself or another to be engaged in any aforementioned behavior.

Incident Descriptives

- Large Public: 36%
- Large Private: 27%
- Small Public: 21%
- Small Private: 16%

Incident Focus

- People: 29%
- Data: 26%
- Systems: 45%

Incident Seriousness

- Not at all (1): 2%
- Somewhat (2): 26%
- Quite (3): 31%
- Extremely (4): 41%

Incident Prevention

- Access control tools
- Personnel
- Training and education
- Existence of policy

Incident Cause and Response

- Training and education
- Requirements for use of institutional resources
- Accidental or careless behavior
- Malicious or abusive behavior

Stimuli to Action

- Probability of damage to institutional reputation
- Cost to the department, college, or university
- Time involved for resolution
- Number of machines affected
- Type of machines affected
- Type and sensitivity of data involved
- Probability of further access or damage
- Number of people affected
- Level, status, or rank of people affected
- Probability of damage or danger to persons

Stimuli to Action

- Probability of damage to institutional reputation
- Cost to the department, college, or university
- Time involved for resolution
- Number of machines affected
- Type of machines affected
- Type and sensitivity of data involved
- Probability of further access or damage

Best Practices: Prevention

Technical best practices

- Strong passwords
- Configuration
- Patch/debug
- Firewall/IDS/IPS/(v)ACL
- Access control

Foundational best practices

- Education, training, and awareness
- Policy, procedure, and enforcement

Best Practices: Mitigation

Technical best practices

- Access control/blocking
- Auditing

Foundational best practices

- Decisive, timely action
- Interdepartmental cooperation and communication
- Procedures
- Straightforward communication w. affected parties
- Education, training, and awareness

Best Practices: Manage

Technical best practices

Foundational best practices

- Interdepartmental IRT
- Communication between incident handlers
- Straightforward communication w. affected parties
- Quick resolution

Thoughts to take away

1. There are a lot of incidents happening

2. Students are a major factor

3. People want to share information

4. Having policies and procedures is vital

5. Education of users and staff is important

6. Quarantining is on the rise


7. Automated enforcement tools are on the rise

8. Perceptions of seriousness are role-dependent

9. Interdepartmental IRTs are increasing

10. Risk managers and auditors are missing

11. Campuses are maturing in technology, policy, and procedures

The CIFAC Project

Gerald R. Ford School of Public Policy

The University of Michigan

712 Oakland Avenue

Ann Arbor, MI 48104-3021

734.615.9595 p

734.998.6688 f

cifac.staff@umich.edu

1Apr05 17:10