Educause Security Discussion mailing list archives
Risks and standards development in networking and Blackberrys/Mobility
From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 18 Oct 2005 18:19:08 -0400
We are about to kick off the development of two new standards at RIT, networking and mobility. The way that we do this is to call together a core team of technical and "business" experts from the colleges and divisions, in order to gather requirements. Our first task is to do risk mapping, identifying risks and then prioritizing them. We have to identify all risks, including risks of lost productivity if certain features are not present. We also have to identify risks involving the commitment of future resources if operational complexity is significantly increased.

What I'm looking for is review of my identification of some high-level risks. I believe there are others, I just need someone to bounce these off of.

Risks of implementing and not implementing network controls/defenses

- Zero-day network attack - depends on payload
  * productivity loss on most if not all desktop/laptop computers
  * possible disconnection from the Internet
  * possible loss of data from servers
- DHCP/DNS/LDAP/Authentication/Access Control services loss
  * could be from a zero day network attack
  * could be from spoofing, or duplicating services
  * resulting in the unreliable services
- Secondary risks from legacy technology - if networking protocols are not inventoried
  * increasing management burden
  * decreasing focus on most significant protocols
- Inferior detection
  * changes in behavior not detected (new protocols)
  * loss of productivity
- Increase cost and burden
  * Cost to acquire Intrusion Prevention gear
  * Cost to acquire Protocol Inventory sensors
  * Cost to acquire / set up scanning service
  * Cost to acquire log aggregation console
  * Maintenance and monitoring of Intrusion Prevention gear
  * Maintenance and monitoring of Protocol Inventory sensors
  * Maintenance and monitoring of scanning service
  * Maintenance and monitoring of log aggregation console

Mobility - Use of Blackberrys, Wireless PDAs, Smartphones, for email, and web.
(Mobility will also include the use of BlueTooth in conjunction with above)

[Sidenote: New York, like about 16 other states has recently passed an Information Security Breach and Notification Act, which means if one of these mobile devices is lost, we need to notify people whose data may have been lost.]

Risks
  * Decline in Institutional reputation from notices if loss of confidential data is experienced
  * Loss of enrollment/revenue from reputation loss
  * Cost of reconstructing data on the device to determine loss of confidential data
  * Productivity loss, possibly from having to change passwords/accounts, if there are automatic logins
  * New complexity in virus/worm protection (one more set of platforms)
  * Network risks associated with open ports
  * Integration with Authentication / Access Control (and ability to support access control)
  * File system risks

If not supported:
  * Loss of productivity/momentum from delayed responses
  * Users and small groups will roll their own, without solid economic base for security and support, also without priorities to protect systems

This is a brain dump. Can some of you help me clean this up (between Educause sessions).

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats have not created a new problem. It has merely made more urgent the necessity of solving an existing one." Parallels quote by Albert Einstein on atomic energy