Educause Security Discussion mailing list archives
Re: future of cybersecurity in Higher Ed
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 2 Oct 2006 08:22:01 -0700
Bret Blackman asked: #What do you see as strategic issues and serious threats in regards to #cybersecurity for Higher Education over the next 2 years? Interesting questions, I think. Just to name a few strategic issues...................................... -- Retaining management support for IT security as an institutional priority -- Staffing/funding/sustainably scaling IT security -- Policy-level support -- Getting the balance right between IT risk minimization and business process requirements (e.g., "A boat is safe in the harbor, but that's not why you buy a boat.") -- Obtaining/retaining user interest in/cooperation w.r.t. IT security in the face of a seemingly never-ending stream of complex technical threats -- Improved survivability through avoidance of monoculturality in systems, software, infrastructure providers, etc. while simultaneously controlling complexity (including the management of distributed systems) -- Moving away from finger pointing/blame allocation when incidents do occur, as they inevitably will (scapegoating and the "Pinata Syndrome" are not conducive to candor and sustained substantive progress) -- Getting the balance right between incident response/incident mitigation and proactive incident prevention And just to name a few serious threats in general terms .................... -- BGP-related attacks -- DNS-related attacks -- Botnets, including: -- Their creation via malware (and while we're talking about malware, let me also mention viruses, trojans, worms, root kits, spyware, crimeware, etc., whether botnet-related or not) -- Botnet *uses* (including DDoS attacks, email spam, etc.) -- Passwords and other authentication-related threats, including: -- Password quality and sufficiency (trust me, you really want 2 factor!) -- Phishing and other social engineering threats targeting passwords -- System breaches and data loss/corruption, including loss of PII -- Encryption (or lack thereof) on the wire, over wireless, and on the box -- Patching and system/application change management -- The impact of policies/governmental regulation/litigation (including intellectual property-related areas) -- Some more traditional risks such as: -- The insider threat -- Physical security threats to critical facilities and/or critical staff -- Coping with natural disasters and continuity of operations -- VoIP-related issues -- Risks associated with non-traditional computing devices (cell phones and other mobile devices, printers and other peripherals, etc.) -- Non-enterprise network attacks (e.g., attacks on physical plant systems for example) Regards, Joe ---- Joe St Sauver (joe () oregon uoregon edu) http://www.uoregon.edu/~joe/ Disclaimer: all opinions strictly my own
Current thread:
- future of cybersecurity in Higher Ed Bret R Blackman (Oct 01)
- <Possible follow-ups>
- Re: future of cybersecurity in Higher Ed John C. A. Bambenek (Oct 01)
- Re: future of cybersecurity in Higher Ed Michael McLaughlin (Oct 02)
- Re: future of cybersecurity in Higher Ed Steve Brukbacher (Oct 02)
- Re: future of cybersecurity in Higher Ed Valdis Kletnieks (Oct 02)
- Re: future of cybersecurity in Higher Ed Brad Judy (Oct 02)
- Re: future of cybersecurity in Higher Ed Joe St Sauver (Oct 02)
- Re: future of cybersecurity in Higher Ed Jere Retzer (Oct 02)