Educause Security Discussion mailing list archives

Risks and standards development in networking and Blackberrys/Mobility


From: James H Moore <jhmfa () RIT EDU>
Date: Tue, 18 Oct 2005 18:19:08 -0400

We are about to kick off the development of two new standards at RIT,
networking and mobility.

The way that we do this is to call together a core team of technical and
"business" experts from the colleges and divisions, in order to gather
requirements.

Our first task is to do risk mapping, identifying risks and then
prioritizing them.  We have to identify all risks, including risks of
lost productivity if certain features are not present. We also have to
identify risks involving the commitment of future resources if
operational complexity is significantly increased.

What I'm looking for is review of my identification of some high-level
risks.  I believe there are others; I just need someone to bounce these
off of.

Risks of implementing and not implementing network controls/defenses

- Zero-day network attack - depends on payload

*       productivity loss on most if not all desktop/laptop computers
*       possible disconnection from the Internet
*       possible loss of data from servers

- DHCP/DNS/LDAP/Authentication/Access Control services loss

*       could be from a zero day network attack
*       could be from spoofing, or duplicating services
*       resulting in unreliable services

- Secondary risks from legacy technology - if networking protocols are
not inventoried

*       increasing management burden
*       decreasing focus on most significant protocols

- Inferior detection

*       changes in behavior not detected (new protocols)
*       loss of productivity

- Increased cost and burden

*       Cost to acquire Intrusion Prevention gear
*       Cost to acquire Protocol Inventory sensors
*       Cost to acquire / set up scanning service
*       Cost to acquire log aggregation console
*       Maintenance and monitoring of Intrusion Prevention gear
*       Maintenance and monitoring of Protocol Inventory sensors
*       Maintenance and monitoring of scanning service
*       Maintenance and monitoring of log aggregation console

Mobility - Use of Blackberrys, Wireless PDAs, Smartphones, for email,
and web.

(Mobility will also include the use of Bluetooth in conjunction with
above)

[Sidenote:  New York, like about 16 other states, has recently passed an
Information Security Breach and Notification Act, which means if one of
these mobile devices is lost, we need to notify people whose data may
have been lost.]

Risks

*       Decline in Institutional reputation from notices if loss of
confidential data is experienced
*       Loss of enrollment/revenue from reputation loss
*       Cost of reconstructing data on the device to determine loss of
confidential data
*       Productivity loss, possibly from having to change
passwords/accounts, if there are automatic logins
*       New complexity in virus/worm protection (one more set of
platforms)
*       Network risks associated with open ports
*       Integration with Authentication / Access Control (and ability to
support access control)
*       File system risks

If not supported:

*       Loss of productivity/momentum from delayed responses
*       Users and small groups will roll their own, without solid
economic base for security and support, also without priorities to
protect systems

This is a brain dump.  Can some of you help me clean this up (between
Educause sessions)?

Jim

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats have not created a new problem. It
has merely made more urgent the necessity of solving an existing one."
Parallels quote by Albert Einstein on atomic energy