Top 10 Security Risks For Educational Institutions

Thursday, April 3, 2008

Presenters: Dr. Tom Cupples, EdD, CISSP, MCSE; Dr. Craig Klimczak, DVM, MS

Agenda

Security Terms 101
The Security Forecast
◦ Technology Risks
◦ Personnel Risks
The Threat to Higher Education
Tools for Coping

Security Terms 101

Threat – potential cause of an unwanted event which could cause damage to an asset
Vulnerability – weakness of an asset that can be exploited by a threat
Impact – a measure of the effect of an event
Risk – the combination of the likelihood of an event and its potential impact
Control – means of managing risk – can be administrative, technical, managerial, or legal in nature

Reference - http://www.iso27001security.com/Top_information_security_risks_for_2008.pdf

The Security Forecast – CRN

VoIP
Professional Attack Toolkits
Virtualization
Online gaming
Vista
Storm Worms
Pump and Dump
Social Networking Sites
Online applications
Phishing

Reference - http://www.crn.com/security/203600054?queryText=top+10+risks+2008

The Security Forecast – SANS

Browser vulnerabilities
Botnets
Targeted Phishing
VoIP/Mobile Devices
Insider Attacks
Persistent Bots
Spyware
Web Applications
Blended Phishing with VoIP & Event Phishing
Supply chain attacks

Reference - http://www.sans.org/top20/

The Security Forecast – McAfee

Web 2.0
Botnets
Instant Malware
Online Gaming
Vista
Adware
Targeted Phishing
Parasitic Malware
Virtualization
VoIP

Reference - http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_avert_predictions_2008.pdf

The Security Forecast – Computer Associates

Botnets
Malware
Online Gaming
Social Networking Sites
Key Dates of Opportunity
Web 2.0
Vista
Mobile Devices

Reference - http://www.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97702

The Security Forecast – Symantec

Bot Evolution
Election Campaigns
Mobile Platforms
Spam Evolution
Virtual Worlds

Reference - http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=endofyear

Technology Risks

VoIP/Mobile Devices & Platforms
Professional Attack Toolkits
Virtualization & Vista
Online & Web-based Applications
Browser Vulnerabilities
Botnets & Persistent Bots & Bot Evolution
Spyware
Supply Chain Attacks
Web 2.0
Instant Malware, Parasitic Malware & Adware

Personnel Risks

Online Gaming
Storm Worms
Pump and Dump
Social Networking Sites
Event, Targeted, & Blended Phishing
Insider Attacks
Key Dates of Opportunity & Election Campaigns
Virtual Worlds

The Threat to Higher Education

Web Applications
Social Engineering
Cyber Terrorism
Communications
Human Error/Lack of Training
Crisis Management
Strong Passwords/ID Protection
Networks (Physical-Wireless, Logical-Social)
Identity Life Cycle Management
PCI Standard for Payment Acceptance

Tools for Coping with Social Engineering Threats

Education
Policy Development
Procedure Development & Personnel Training
Monitoring

Tools for Coping with Cyber Terrorism Threats

Federal Bureau of Investigation (http://www.fbi.gov/)
Law Enforcement Training Site (http://www.counterterrorismtraining.gov/pubs/02.html)
Department of Homeland Security (http://www.dhs.gov/index.shtm)

Tools for Coping with Communications Threats

International Telecommunications Union (http://www.itu.int/net/home/index.aspx)
Federal Communications Commission (http://www.fcc.gov/pshs/)
National Institute of Standards and Technology (http://csrc.nist.gov/)

Tools for Coping with Human Error & Lack of Training

Education
Policy Development
Procedure Development & Personnel Training
Monitoring

Tools for Coping with Crisis Management

Missouri Department of Homeland Security (http://www.dps.mo.gov/HomelandSecurity/)
Missouri Campus Security Task Force (http://www.dps.mo.gov/CampusSafety/index.htm)
FEMA (http://www.fema.gov)
Local Law Enforcement

Tools for Coping with Strong Passwords & ID Protection Threats

Microsoft "How-to" (http://www.microsoft.com/protect/yourself/password/create.mspx)
Microsoft "Password Checker" (http://www.microsoft.com/protect/yourself/password/checker.mspx)
Microsoft - What is a Strong Password? (http://technet2.microsoft.com/windowsserver/en/library/d406b824-857c-4c2a-8de2-9b7ecbfa6e511033.mspx?mfr=true)
SANS Tutorial (http://www.sans.org/reading_room/whitepapers/authentication/1636.php)

Tools for Coping with Networks

Use Encryption for
◦ Storing Usernames and Passwords
◦ Transmitting Usernames and Passwords
◦ Storing Files
◦ Transmitting Files on a Local Area Network, Virtual Private Network, or Intranet/Extranet
Use two-factor authentication when possible
Enforce Strong Passwords
Use Password Policies that require timely changes in passwords

Tools for PCI Standard for Payment Acceptance

PCI Standard Website (http://www.pcistandard.com/home.html)
PCI Standard White Paper (https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf)
PCI Forum (http://www.pciforum.us/pci/)

Conclusion

There is no guarantee of total security. The best that can be accomplished is managing the threats.
Know your enemy!

Questions?

Dr. Tom Cupples [email protected]
Dr. Craig Klimczak [email protected]
http://www.stlcc.edu