Salsa-CSI2 Conference Call
December 6, 2007
 
**Attending**

Chris Misra, University of Massachusetts (Chair)
Phil Denault, WPI
Elliot Kendall, Brandeis University
Brian Smith-Sweeney, New York University
Steve Olshansky, Internet 2
Dean Woodbeck, Internet2 (scribe)
 
**Action Items**
 
[AI] Chris will speak with Dan and Wyman from Cornell about getting the rest of the CU Spider content to Internet2.
 
[AI] Everyone is asked to consider their top 10 problems (or some other number of problems greater than two) in security and share those on the email list.
 
[AI] Chris will contact Jody Eido, co-chair of a security training working group, and put her in touch with Brian or others at NYU to share information about NYU’s staff security training efforts.
 
**Carryover Action Items**
 
[AI] Everyone should review the Google Hacking document on the wiki and either send comments to Elliot or do the editing on the wiki.
 
[AI] Chris will make contact with a potential new member.
 
**Security Metrics**
 
Joel sent out the draft charter for the Educause sub-working group on security metrics (he is chair). There was a general discussion about metrics and that the subject is just starting to mature, but that it doesn’t seem to rank very high on many security prioritiy lists at this point.
 
**CU Spider**
 
[AI] Chris needs to speak with Dan and Wyman from Cornell about getting the rest of the CU Spider content to Internet2.
 
**Top Ten Problems**
 
This discuss came up on Salsa list. The request to the working group is a list of the top 10 problems in the higher ed security space today. The idea is to gather informaiton to help influence discussion and, potentially, funding from granting agencies. [AI] All are asked to consider what they would rank as the top 10 (or some other number greater than two) problems in security and share those on the email list.
 
**Renoir**
 
Phil plans to have something to show for the Tech Burst in January. It won’t be fully functional, but functional enough for a presentation. There was a suggestion to develop a few simple web pages to demonstrate Renoir’s capabilties. Phil is developing the form for use in inputting the data, then will work on inserting actual data.
 
**Shifting Landscape**
 
This was discussed on the Salsa call. The concept is that the security landscape continues to shift and that a state-of-the-art application or process from two years ago may not have value today. The question at hand is how to bring this up on the radar: presentations? white papers?  other awareness activities?
 
Brian has submitted a proposal to do a presentation on “shifting landscape” at Nercomp. Aside from the presentation’s content, it is a good thing just having a presentation and making it known that this is a problem. Brian’s strategy is to get the problems out there for discussion, even if a solution is generally not known at this point. One approach is to take some of the technologies of yesteryear and demonstrate how they no longer work. Some possible topic areas for the presentation:
 

• Problem definition: why do we have a shifting landscape?

• Why are some things breaking?

• Shift in the security landscap?

• What are the hackers doing different?

• Overall implications on what this means and how it changes things?

• Specific technical problems

 
One example of the shift is allocation of resources and change of philosophy. So, instread of filling out 400 tickets, you load Spider and send out 400 notifications.
 
Brian would like feedback on this presentation, as it would be used for Nercomp and Educause. He will send a copy of his proposal to the list.
 
One suggestion was to use anti-virus as an example. Anti-virus is still a good idea, but it is nowhere near as effective as it was two years ago. One statistic shows that the average piece of anti-virus software picks up only 30 percent of malware.
 
Brian said that he sees this presentation/discussion as a step towards a document that the working group has discussed – a definition of problems and a tool taxonomy to go with it.
 
The top 10 problems seems very much related to the shifting landscape. One example Phil mentioned is his ability to trace many day-to-day issues, such as dealing with the newer operating systems like XP and Vista, while still supporting 2000 and Windows98.
 
**Repackaging discussion for new audiences**
 
There was a general discussion about the security landscape both inside and outside of higher education. For those with more advanced knowledge and practices, the changing landscape dicusssion will be valuable. For others, an effective practices discussion would be more valuable. So, even though those on CSI2 and at larger schools may no longer see the need to discuss NetAuth, NAAC and NetRage, there are still people that need this “effective practices” information.
 
Educause seems to have an annual presentation about setting up an information security program. Another approach, in terms of creating awareness, is to do similar presentations at regional organizations (some examples are Nercomp, NITLE, NorthWest Academic Computing Consortium, the Consortium of Liberal Arts Colleges and the Western Interstate Commission for Higher Education). These would be places to engage with smaller schools. The concerns are how smaller insititutions can solve their network problems with limited resources. Chris mentioned that there are organizations working on a developing a NOCsec for smaller schools.
 
Another audience that is important: campus staff members. While many schools do a good job of communicating with students and faculty about security issues, they don’t do a very good job with staff. As it turns out, staff members handle most of the data that is of concern. Brian said that NYU specifically targeted its security awareness events at staff members and it was very successful. [AI] Chris will contact Jody Eido, who co-chairs a security training working group, and get her in touch with Brian or others at NYU to share this information.
 
**AP-less WEP Cracking**
 
Joe St. Sauver is working on material on the current state of WEB and why it doesn’t provide the protection that people need.
 
**Google Hacking**
 
Brian did some testing on the search engine, Gigablast, and originally got numbers that were much lower than Google, but that now are as large or greater than Google. Elliot mentioned that Gigablast restricts the number of searches, so you have to rotate your queries daily. You can see more Google hacking information at:
https://spaces.internet2.edu/display/SalsaCSI2WG/GoogleHackingDescription
 
Brian also mentioned he understands that Google will allow unlimited searching if you have a Google appliance installed and is looking to confirm that.
 
**Future Meetings**
 
Winter 2008 ESCC/Internet2 Joint Techs Workshop January 20-24 in Honolulu. www.hawaii.edu/tip2008/
 
CAMP workshop: Bridging Security and Identity Management, Tempe, Arizona, February 13-15, 2008. www.educause.edu/camp081
 
**No call Dec. 20**