Educause Security Discussion mailing list archives
Re: IHEs & NATIONAL STRATEGY: Single Point-Of-Contact
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Mon, 23 Sep 2002 15:59:34 -0500
Sorry for the acronyms. "ISAC" is "Information Sharing and Analysis Center". The creation of such centers was "encouraged" by Presidential (Clinton) Decision Directive 63. See http://www.nipc.gov/infosharing/infosharing.htm. "REN-ISAC" is "Research and Educational Networking ISAC". "MOU" is Memorandum of Understanding. Other economic sector ISACs have been formed and are active. See http://www.nipc.gov/infosharing/infosharing6.htm.

We initiated the development of the REN-ISAC at IU because of the Global NOC's access to national and international network data, because of support that can be provided to the REN-ISAC by the Applied Network Management Lab and other Pervasive Computing Labs also located at IU, and because of support that our security engineers can provide as well. We haven't published operations/procedures for the REN-ISAC yet, as we first have to negotiate agreements with the various governing bodies of the networks managed by the IU Global NOC. But, I guess this note will be a start...

Yes, the idea is that this Center will be the clearinghouse for threat and warning information (and other useful security information) for organizations connected to networks that the Global Network Operations Center (http://globalnoc.iu.edu) manages (e.g., Abilene) but also for campuses that are not connected to these networks but that are implicated in incidents that occur on these networks or otherwise in reports sent to the REN-ISAC.

In the (hopefully near) future, a more comprehensive Higher Education ISAC, or HE-ISAC, is what we want to create. I've attached a *very* short white paper I wrote on services that an HE-ISAC might provide. Presumably, the REN-ISAC would evolve into the HE-ISAC but that hasn't been discussed in any detail at all to this point.

Threat and attack information will be collected by the REN-ISAC from instrumentation already installed on various networks and analyzed through the use of console software, and then passed to contacts at organizations implicated in the event. So, for example, if we see a DDoS attack being waged from IIT computers against systems at Purdue (Purdue is on Abilene; not sure if IIT is), we would contact someone at IIT to let you know that you probably have compromised machines, and we would contact Purdue in case they hadn't noticed that they were being attacked. Of course, victims and sources can be all over the world...

Also, as part of the ISAC infrastructure, threat and warning information will be passed to the REN-ISAC from the Feds and from the other active ISACs, and then this information will be passed to organizations implicated in the report. Or, if the information is more generally applicable, it will be reported to all contacts that the REN-ISAC has on file. So, if a security-type is identified for all campuses, the REN-ISAC could use that list to disseminate warning information gleaned from sensors, or reported to it by other sources.

Certainly campuses can and should send the REN-ISAC information about things occurring at home as well, to request advice or help if necessary, and the REN-ISAC would pass that information along to other higher ed contacts, the Feds, and the other ISACs if it might be useful generally to protection of the national infrastructure. The information would be sanitized to protect the privacy of the reporting campus or individuals, if the circumstance warranted.

Clearly the REN-ISAC is in infancy, and there will be much more information imparted as things become more solidified. But, I hope this is helpful.

M.

Mark S. Bruhn
Chief IT Security and Policy Officer
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

-----Original Message-----
From: Kevin Shalla [mailto:Kevin.Shalla () IIT EDU]
Sent: Monday, September 23, 2002 11:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IHEs & NATIONAL STRATEGY: Single Point-Of-Contact

I'm guessing here on what this means, but it sounds like some other organization does triage before it gets to a specific university - correct? Definitions please for ISAC, MOU, REN-ISAC.

At 10:55 AM 9/23/2002 -0500, Mark S. Bruhn wrote:
A 24X7 higher education ISAC will help here, I think. The people staffing such an org will know the higher education community, and will be technically able to triage incident reports. The first limited-service iteration of a higher education ISAC (for Research and Educational Networking) will be at Indiana University, associated with the Global Network Operations Center, which is already 24X7. See http://globalnoc.iu.edu/. We are poised (legal people doing final review) to sign an MOU with the NIPC.

Whilst we certainly don't want to publish home numbers widely to law enforcement and ISPs, having a higher education ISAC with that information shouldn't (at least in my opinion) be problematic. If a report or situation associated with a particular campus is bad enough, the ISAC operators would attempt to contact the person(s) identified for that campus.

The theory here is that ISPs (as members of the IT ISAC) and law enforcement (as part of the law enforcement ISAC) will make reports to the NIPC, as well as directly to other ISACs if warranted. The NIPC will pass that along to the other ISACs. The REN-ISAC will take that information, do some analysis, and make sure it gets to the campuses that need to have it. Or, to all campuses for which they have contact information, if it's a more global threat.

Operational details of the REN-ISAC will be sent out widely, once they are developed. There is also a white paper that discusses a full-service ISAC that may (should absolutely, I think) succeed the REN-ISAC. We will post that to the Task Force web site as soon as I can discuss that with Rodney Petersen.

Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.

Attachment:
Higher Education Information Sharing and Analysis Center.pdf