Higher Education & Information Security
5.1K views | +0 today
Follow
Higher Education & Information Security
Information Security and Cybersecurity in Higher Education
Your new post is loading...
Your new post is loading...
Scooped by Higher Ed InfoSec Council
Scoop.it!

CISOs Must Engage the Board About Information Security

CISOs Must Engage the Board About Information Security | Higher Education & Information Security | Scoop.it
With technology now at the center of nearly all business processes, information security is no longer simply an operational concern. It deserves a place on the board's strategic agenda. And that means the CISO needs to step up in the boardroom.

 

"Your organization will come under attack. It's not a matter of 'if.' It's a matter of 'when.' And security is no longer simply an operational concern. As technology has become the central component of nearly all business processes, security has become a business concern. As a result, information security should sit firmly on the boardroom agenda."

 

"It's not just about compliance... It's about overall risk management."

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331” | Higher Education & Information Security | Scoop.it

In March, readers followed along as Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, downloaded a list of more than 16,000 cryptographically hashed passcodes. Within a few hours, he deciphered almost half of them. The moral of the story: if a reporter with zero training in the ancient art of password cracking can achieve such results, imagine what more seasoned attackers can do.

 

Imagine no more. We asked three cracking experts to attack the same list Anderson targeted and recount the results in all their color and technical detail Iron Chef style. The results, to say the least, were eye opening because they show how quickly even long passwords with letters, numbers, and symbols can be discovered.

 

The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that "5f4dcc3b5aa765d61d8327deb882cf99" and "7c6a180b36896a0a8c02787eeafb0e4c" are the MD5 hashes for "password" and "password1" respectively.

Higher Ed InfoSec Council's insight:

For more details on password hashing, see the earlier Ars feature "Why passwords have never been weaker—and crackers have never been stronger": http://arstechnica.com/security/2012/08/passwords-under-assault/

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Why you need a security buddy (and how to find one)

Why you need a security buddy (and how to find one) | Higher Education & Information Security | Scoop.it
Michael Santarcangelo explains why pairing security pros with non-security people helps each partner do their job more effectively - and reduces risk for the enterprise
more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Australia's National Cyber Security Awareness Week, May 20-24, 2013

Australia's National Cyber Security Awareness Week, May 20-24, 2013 | Higher Education & Information Security | Scoop.it

National Cyber Security Awareness Week is an annual Australian Government initiative held in partnership with industry, community and consumer organisations and all levels of government.

 

The aim of Awareness Week is to help Australians using the internet – whether at home, the workplace or school – understand the simple steps they can take to protect their personal and financial information online.

 

With nearly 1,400 partners coming together for Awareness Week, the message of cyber security will be heard around Australia through a range of events, including seminars, webinars, media, social media, and other distribution channels.

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Why don't risk management programs work?

Why don't risk management programs work? | Higher Education & Information Security | Scoop.it

When the moderator of a panel discussion at the recent RSA conference asked the audience how many thought their risk management programs were successful, only a handful raised their hands. So Network World Editor in Chief John Dix asked two of the experts on that panel to hash out in an email exchange why these programs don't tend to work.

 

Alexander Hutton is director of operations risk and governance at a financial services firm (that he can't name) in the Greater Salt Lake City area, and Jack Jones is principal and Co-Founder of CXOWARE, Inc., a SaaS company that specializes in risk analysis and risk management.

 

Jones: "Risk management programs don't work because our profession doesn't, in large part, understand risk. And without understanding the problem we're trying to manage, we're pretty much guaranteed to fail."

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Data Dealer: Online Privacy Game

The gleefully sarcastic online game about collecting and selling personal data. Also available on Facebook!
Higher Ed InfoSec Council's insight:

Visit http://datadealer.com/ to try the game!

more...
Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy
Scoop.it!

DOJ: We don't need warrants for e-mail, Facebook chats

DOJ: We don't need warrants for e-mail, Facebook chats | Higher Education & Information Security | Scoop.it

The U.S. Department of Justice and the FBI believe they don't need a search warrant to review Americans' e-mails, Facebook chats, Twitter direct messages, and other private files, internal documents reveal.

 

Government documents obtained by the American Civil Liberties Union and provided to CNET show a split over electronic privacy rights within the Obama administration, with Justice Department prosecutors and investigators privately insisting they're not legally required to obtain search warrants for e-mail. The IRS, on the other hand, publicly said last month that it would abandon a controversial policy that claimed it could get warrantless access to e-mail correspondence.

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Containing the Security Threat of Mobile Apps in Higher Ed (EDUCAUSE Review)

Containing the Security Threat of Mobile Apps in Higher Ed (EDUCAUSE Review) | Higher Education & Information Security | Scoop.it

The rapid proliferation of smartphones, tablets, and other mobile devices has created a new challenge for college and university IT administrators. With the use of personal mobile devices now mainstream, users of software increasingly expect to get things done on their smartphones. Unlike first-generation applications, such as campus bus schedules, a growing number of new offerings touch enterprise data. The time has come for IT managers to put measures in place that ensure mobile data security across the enterprise. Security issues throughout the enterprise mobile ecosystem, from physical devices to app distribution to the actual code being executed on smartphones, must be systematically addressed. A number of new open-source and community-source technologies can help, including the Kurogo Mobile Platform and the Kuali Mobility for the Enterprise (KME) platform.

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Times may change, but the CSO's song remains the same

Times may change, but the CSO's song remains the same | Higher Education & Information Security | Scoop.it
A 2002 CSOonline article reminds us that despite what progress and advances we witness in the industry, security's mission doesn't change
more...
No comment yet.
Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy
Scoop.it!

The Facebook Privacy Infographic

The Facebook Privacy Infographic | Higher Education & Information Security | Scoop.it

Did you know that there are 13 million Facebook users who have never touched their Facebook privacy settings?

 

That may seem like a small number when taken in light of the 751 million monthly active users the company recently reported but 13 million is still a number which should not be dismissed.

 

According to this infographic, 28 percent of all Facebook users share all, or almost all, of their wall posts with an audience wider than just their friends.

 

Furthermore, 11 percent of Facebook users said that someone else has tried to use their login without their permission.

 

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

How to Craft the Best BYOD Policy

How to Craft the Best BYOD Policy | Higher Education & Information Security | Scoop.it

What is a good BYOD policy? Step one is to clarify the rights of both company and employee and state upfront what's business and what's personal. But there's a lot more to it. In this interview with a technology transactions lawyer, CIO.com explores the do's and don'ts of BYOD policies.

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

50 Must-Read Higher Education Information Technology Blogs 2013

50 Must-Read Higher Education Information Technology Blogs 2013 | Higher Education & Information Security | Scoop.it

The best higher ed information technology blogs on MOOCs, cloud computing, mobile learning, social media, digital pedagogy and more. (Submitted and voted on by EdTech readers.)

more...
Higher Ed InfoSec Council's comment, May 1, 2013 11:59 AM
Check out EDUCAUSE blogs (included in this year's list of must-read higher ed IT blogs): http://www.educause.edu/blogs
Scooped by Higher Ed InfoSec Council
Scoop.it!

Listening - The First Step of Many (EDUCAUSE blog)

Listening - The First Step of Many (EDUCAUSE blog) | Higher Education & Information Security | Scoop.it

When I was asked by EDUCAUSE to write a blog about the experiences of a first-time CIO, I was concerned that I wouldn't have enough to write about that would be of interest to the EDUCAUSE community. It then occurred to me that I'd like to approach this the way I approach many situations like this - ask and listen!

 What would you like to see me write about in future blog posts? Please suggest topics that you'd like to see covered in the areas of being a first-time CIO and/or how to prepare to get a first CIO job in higher education...
more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Analyzing the Cost of a HIPAA-Related Breach Through the Lens of the Critical Security Controls

Analyzing the Cost of a HIPAA-Related Breach Through the Lens of the Critical Security Controls | Higher Education & Information Security | Scoop.it

John Pescatore compares Idaho State University's (ISU) projected cost of settling HIPAA violations with the US Department of Health and Human Services (HHS) to what it would have cost the university to implement security controls that could have (helped) protect its systems from breaches. The estimated cost to ISU, including the fine, the costs of managing the breach, and the implementation of a Corrective Action Plan is US $1 million over two years. Putting in place certain Critical Security Controls that would have detected the issue that exposed patient data would cost an estimated US $75,000. Even adding in extras like vulnerability assessments and monitoring would put the cost at US $500,000, equivalent to one year's share of the above cost.

more...
No comment yet.
Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy
Scoop.it!

School database loses backers as parents balk over privacy

School database loses backers as parents balk over privacy | Higher Education & Information Security | Scoop.it

A $100 million database set up to store extensive records on millions of public school students has stumbled badly since its launch this spring, with officials in several states backing away from the project amid protests from irate parents.

 

The database, funded mostly by the Bill & Melinda Gates Foundation, is intended to track students from kindergarten through high school by storing myriad data points: test scores, learning disabilities, discipline records - even teacher assessments of a child's character. The idea is that consolidated records make it easier for teachers to use software that mines data to identify academic weaknesses. Games, videos or lesson plans would then be precisely targeted to engage specific children or promote specific skills.

 

The system is set up to identify millions of children by name, race, economic status and other metrics and is constructed in a way that makes it easy for school districts to share some or all of that information with private companies developing education software.

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Information Security: The future workforce | TechRepublic

Information Security: The future workforce | TechRepublic | Higher Education & Information Security | Scoop.it
This infographic highlights the top skills organizations are looking for in a security professional.
more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Seven Ways Banks Can Leverage a 'Security Data Scientist'

Seven Ways Banks Can Leverage a 'Security Data Scientist' | Higher Education & Information Security | Scoop.it

Security executives are stepping in line and forming their own strategies, approaches, and use cases to achieve that new competitive edge. CISO’s are conquering this frontier by reducing risk and fraud, whether it stems from cyber data loss or questionable customer transactions.

 

In general, businesses have made progress in laying the foundations for the required technical data-mart infrastructure and the organization structure to support big data security initiatives. And yet, there is much work to be done in other component areas of the complex journey of building the successful security program.

 

Organizations can benefit by leveraging existing skilled and proven data scientists from within the core business community to propel the journey forward.

 

Here are seven ways that CISOs of banking institutions can leverage the Security Data Scientist.

Higher Ed InfoSec Council's insight:

Although this is an article about the banking industry leveraging security data scientists, it offers steps that may be relevant for the higher education community.

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Idaho State University Settles HIPAA Security Case for $400,000 | PHIprivacy.net

Idaho State University Settles HIPAA Security Case for $400,000 | PHIprivacy.net | Higher Education & Information Security | Scoop.it

Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic.

 

ISU operates 29 outpatient clinics and is responsible for providing health information technology systems security at those clinics. Between four and eight of those ISU clinics are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred.

 

The HHS Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of the breach in which the ePHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities.

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Money talks, but at what cost?

Money talks, but at what cost? | Higher Education & Information Security | Scoop.it

Are we creating a cyber professional salary bubble that will eventually burst, asks Holly Ridgeway, SVP and CISO enterprise systems at PNC.

 

"It is a great time to be in the cyber security field. But, have you noticed the growing challenges of recruiting and retaining good cyber talent? Six-figure salaries used to take years to achieve. Now, if you have a specialized cyber skill set, you can attain that figure with only a few years of experience. So, the question is: Are we growing cyber professionals who do not have the foundation needed to perform at a sustained level? Are we so desperate for these skill sets that we are willing to outbid each other?"

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Amid a barrage of password breaches, “honeywords” to the rescue

Amid a barrage of password breaches, “honeywords” to the rescue | Higher Education & Information Security | Scoop.it

Security experts have proposed a simple way for websites to better secure highly sensitive databases used to store user passwords: the creation of false "honeyword" passcodes that when entered would trigger alarms that account hijacking attacks are underway.

 

The suggestion builds on the already established practice of creating dummy accounts known as honeypot accounts. It comes as dozens of high-profile sites watched user data become jeopardized—including LivingSocial, dating site Zoosk, Evernote, Twitter, LinkedIn, and eHarmony to name just a few from the past year. Because these dummy accounts don't belong to legitimate users of the service and are normally never accessed, they can be used to send a warning to site administrators when attackers are able to log in to them. The new, complementary honeyword measure—proposed in a research paper titled "Honeywords: Making Password-Cracking Detectable—was devised by RSA Labs researcher Ari Juels and MIT cryptography professor Ronald Rivest, the latter who is the "R" in the RSA cryptography scheme.

more...
Joerg Asma's curator insight, May 9, 2013 12:11 PM

From Honeypot 2 HoneyWord - interesting approach, but hoy to avoid honeywords u dont know

Scooped by Higher Ed InfoSec Council
Scoop.it!

Women leaders in security recognized

Women leaders in security recognized | Higher Education & Information Security | Scoop.it

Each year, the Executive Women's Forum announces their "Women of Influence" Awards at their annual EWF event.

 

The awards, co-presented by Alta Associates and CSO Magazine, recognize outstanding women in several categories: one winner from the public sector, a private solutions provider from the security industry, a corporate practitioner from the private sector, and a "One to Watch," a future leader in the security field. This year, a lifetime achievement award was also given. The winners were nominated by peers in the security community.

 

CSO asked each winner of the 2012 WOI awards to give us their perspective on their success, lessons learned in their careers — and how women are making their mark in the security industry today.

more...
No comment yet.
Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy
Scoop.it!

Who Really Owns Your Personal Data?

Who Really Owns Your Personal Data? | Higher Education & Information Security | Scoop.it

Thanks to an exploding number of wellness apps and wearable devices, you may be beaming biodata into the cloud right now. As the Quantified Self movement picks up steam, who stands to profit? (Hint: not you.) And can those cashing in on Big Data use your heart rate against you? (Take a guess.)

more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

Facebook Trusted Contacts lets friends bail you out of a hack attack

Facebook Trusted Contacts lets friends bail you out of a hack attack | Higher Education & Information Security | Scoop.it
Facebook Thursday announced a new security tool called Trusted Contacts for users who suspect they've been hacked.
more...
No comment yet.
Scooped by Higher Ed InfoSec Council
Scoop.it!

How Terrible Copyright Law Hurts Security Research

How Terrible Copyright Law Hurts Security Research | Higher Education & Information Security | Scoop.it
It was hard to believe, but the student insisted it was true. He had discovered that compact discs from a major record company, Sony BMG, were installing dangerous software on people’s computers, without notice.

 

The graduate student, Alex Halderman (now a professor at the University of Michigan), was a wizard in the lab. As experienced computer security researchers, Alex and I knew what we should do: First, go back to the lab and triple-check everything. Second, warn the public.

 

But by this point, in 2005, the real second step was to call a lawyer. Security research was increasingly becoming a legal minefield, and we wanted to make sure we wouldn’t run afoul of the Digital Millennium Copyright Act. We weren’t afraid that our research results were wrong. What scared us was having to admit in public that we had done the research at all.

 

Meanwhile, hundreds of thousands of people were inserting tainted music CDs into their computers and receiving spyware. In fact, the CDs went beyond installing unauthorized software on the user’s computer... 

more...
No comment yet.
Rescooped by Higher Ed InfoSec Council from Higher Education & Privacy
Scoop.it!

Why Does Privacy Matter? One Scholar's Answer

Why Does Privacy Matter? One Scholar's Answer | Higher Education & Information Security | Scoop.it

If we want to protect privacy, we should be more clear about why it is important.

...

[Privacy] is better understood as an important buffer that gives us space to develop an identity that is somewhat separate from the surveillance, judgment, and values of our society and culture. Privacy is crucial for helping us manage all of these pressures -- pressures that shape the type of person we are -- and for "creating spaces for play and the work of self-[development]."

more...
No comment yet.