Educause Security Discussion mailing list archives

Re: future of cybersecurity in Higher Ed


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Mon, 2 Oct 2006 08:22:01 -0700

Bret Blackman asked:

#What do you see as strategic issues and serious threats in regards to
#cybersecurity for Higher Education over the next 2 years?

Interesting questions, I think.

Just to name a few strategic issues:

-- Retaining management support for IT security as an institutional priority

   -- Staffing/funding/sustainably scaling IT security

   -- Policy-level support

-- Getting the balance right between IT risk minimization and business
   process requirements (e.g., "A boat is safe in the harbor, but that's
   not why you buy a boat.")

-- Obtaining/retaining user interest in/cooperation w.r.t. IT security
   in the face of a seemingly never-ending stream of complex technical
   threats

-- Improved survivability through avoidance of monoculturality in systems,
   software, infrastructure providers, etc. while simultaneously controlling
   complexity (including the management of distributed systems)

-- Moving away from finger pointing/blame allocation when incidents do occur,
   as they inevitably will (scapegoating and the "Pinata Syndrome" are not
   conducive to candor and sustained substantive progress)

-- Getting the balance right between incident response/incident mitigation
   and proactive incident prevention

And just to name a few serious threats in general terms:

-- BGP-related attacks

-- DNS-related attacks

-- Botnets, including:

   -- Their creation via malware (and while we're talking about malware,
      let me also mention viruses, trojans, worms, root kits, spyware,
      crimeware, etc., whether botnet-related or not)

   -- Botnet *uses* (including DDoS attacks, email spam, etc.)

-- Passwords and other authentication-related threats, including:

   -- Password quality and sufficiency (trust me, you really want 2 factor!)

   -- Phishing and other social engineering threats targeting passwords

-- System breaches and data loss/corruption, including loss of PII

-- Encryption (or lack thereof) on the wire, over wireless, and on the box

-- Patching and system/application change management

-- The impact of policies/governmental regulation/litigation (including
   intellectual property-related areas)

-- Some more traditional risks such as:

   -- The insider threat

   -- Physical security threats to critical facilities and/or critical staff

   -- Coping with natural disasters and continuity of operations

-- VoIP-related issues

-- Risks associated with non-traditional computing devices (cell phones
   and other mobile devices, printers and other peripherals, etc.)

-- Non-enterprise network attacks (e.g., attacks on physical plant systems)

Regards,

Joe

----
Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions strictly my own
