Educause Security Discussion mailing list archives

Re: IHEs & NATIONAL STRATEGY: Single Point-Of-Contact


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 23 Sep 2002 15:59:34 -0500

Sorry for the acronyms.

"ISAC" is "Information Sharing and Analysis Center".  The creation of
such centers was "encouraged" by Presidential (Clinton) Decision
Directive 63.  See http://www.nipc.gov/infosharing/infosharing.htm.
"REN-ISAC" is "Research and Educational Networking ISAC".  "MOU" is
Memorandum of Understanding.  

Other economic sector ISACs have been formed and are active.  See
http://www.nipc.gov/infosharing/infosharing6.htm.

We initiated the development of the REN-ISAC at IU because of the Global
NOC's access to national and international network data, because of
support that can be provided to the REN-ISAC by the Applied Network
Management Lab and other Pervasive Computing Labs also located at IU,
and because of support that our security engineers can provide as well.
We haven't published operations/procedures for the REN-ISAC yet, as we
first have to negotiate agreements with the various governing bodies of
the networks managed by the IU Global NOC.  But, I guess this note will
be a start...

Yes, the idea is that this Center will be the clearinghouse for threat
and warning information (and other useful security information) for
organizations connected to networks that the Global Network Operations
Center (http://globalnoc.iu.edu) manages (e.g., Abilene) but also for
campuses that are not connected to these networks but that are
implicated in incidents that occur on these networks or otherwise in
reports sent to the REN-ISAC.  In the (hopefully near) future, a more
comprehensive Higher Education ISAC, or HE-ISAC, is what we want to
create.  I've attached a *very* short white paper I wrote on services
that an HE-ISAC might provide.  Presumably, the REN-ISAC would evolve
into the HE-ISAC but that hasn't been discussed in any detail at all to
this point.

Threat and attack information will be collected by the REN-ISAC from
instrumentation already installed on various networks and analyzed
through the use of console software, and then passed to contacts at
organizations implicated in the event.  So, for example, if we see a
DDoS attack being waged from IIT computers against systems at Purdue
(Purdue is on Abilene; not sure if IIT is), we would contact someone at
IIT to let you know that you probably have compromised machines, and we
would contact Purdue in case they hadn't noticed that they were being
attacked.  Of course, victims and sources can be all over the world...

Also, as part of the ISAC infrastructure, threat and warning information
will be passed to the REN-ISAC from the Feds and from the other active
ISACs, and then this information will be passed to organizations
implicated in the report.  Or, if the information is more generally
applicable, it will be reported to all contacts that the REN-ISAC has on
file.  So, if a security-type is identified for all campuses, the
REN-ISAC could use that list to disseminate warning information gleaned
from sensors, or reported to it by other sources.

Certainly campuses can and should send the REN-ISAC information about
things occurring at home as well, to request advice or help if necessary,
and the REN-ISAC would pass that information along to other higher ed
contacts, the Feds, and the other ISACs if it might be useful generally
to protection of the national infrastructure.  The information would be
sanitized to protect the privacy of the reporting campus or individuals,
if the circumstance warranted.

Clearly the REN-ISAC is in infancy, and there will be much more
information imparted as things become more solidified.  But, I hope this
is helpful.

M. 

Mark S. Bruhn
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326


-----Original Message-----
From: Kevin Shalla [mailto:Kevin.Shalla () IIT EDU] 
Sent: Monday, September 23, 2002 11:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IHEs & NATIONAL STRATEGY: Single Point-Of-Contact


I'm guessing here on what this means, but it sounds like some other
organization does triage before it gets to a specific university -
correct?  Definitions please for ISAC, MOU, REN-ISAC.

At 10:55 AM 9/23/2002 -0500, Mark S. Bruhn wrote:
A 24X7 higher education ISAC will help here, I think.  The people
staffing such an org will know the higher education community, and will
be technically able to triage incident reports.  The first
limited-service iteration of a higher education ISAC (for Research and
Educational Networking) will be at Indiana University, associated with
the Global Network Operations Center, which is already 24X7.  See
http://globalnoc.iu.edu/.  We are poised (legal people doing final
review) to sign an MOU with the NIPC.

Whilst we certainly don't want to publish home numbers widely to law
enforcement and ISPs, having a higher education ISAC with that
information shouldn't (at least in my opinion) be problematic.  If a
report or situation associated with a particular campus is bad enough,
the ISAC operators would attempt to contact the person(s) identified for
that campus.

The theory here is that ISPs (as members of the IT ISAC) and law
enforcement (as part of the law enforcement ISAC) will make reports to
the NIPC, as well as directly to other ISACs if warranted.  The NIPC
will pass that along to the other ISACs.  The REN-ISAC will take that
information, do some analysis, and make sure it gets to the campuses
that need to have it.  Or, to all campuses for which they have contact
information, if it's a more global threat.

Operational details of the REN-ISAC will be sent out widely, once they
are developed.  There is also a white paper that discusses a
full-service ISAC that may (should absolutely, I think) succeed the
REN-ISAC.  We will post that to the Task Force web site as soon as I can
discuss that with Rodney Petersen.


Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/.

Attachment: Higher Education Information Sharing and Analysis Center.pdf