First Steps First

If you’re relying on the next whiz-bang technology to finally secure your network, you’re missing your best defense.

Anywhere, January 3, 2005. Longtime resident John D'e today charged the Anywhere Police Department with negligence in the recent burglary of his home in the exclusive but crime-plagued Ocean View Community. Police spokesman I.M. Harried responded to reporters that a preliminary investigation indicated that the home had been unlocked and that the owner, who was in Hawaii for a two-week vacation, had left all the doors and windows open to air out the house. It appeared that the home alarm system had not been activated. Mr. D'e is seeking unspecified damages from the city.

While we’ve all experienced e-mail spam and computer viruses, higher education has generally treated network security as an annoyance rather than a serious threat. Other than complaining after each incident, college and university administrators largely ignore the underlying problems—which may more closely resemble John D'e throwing open his doors and windows before departing for Hawaii than we’d like to think. Think about it: How many students regularly scan their computers for viruses? How many faculty are concerned about unauthorized network connections? How many staff members and students set up rogue wireless networks? How many administrators care about policies addressing the ownership of radio frequency spectrum on campus?

The reality is that network attacks are surging and have the potential to seriously disrupt the way we do business on campus. In fact, they already have: You may recall the story about the prestigious West Coast university recently reporting that a computer hacker accessed the names, Social Security numbers, and personal data of about 1.4 million people after breaking into a campus researcher’s database which was being used to study home healthcare.

Who is legally liable for the identity theft resulting from such an attack? Is the researcher liable? The university? Or is it the state agency, which provided the researcher with his data?

Silicon vs. Carbon

Historically, higher education’s answer has been to call for more technical gizmos, such as firewalls, to protect the perimeter of the campus network and the core backbone. But I say: That’s analogous to trying to stop bank robberies and burglaries by asking the police to throw a cordon around an entire city and to increase street patrols. It may help, but it sure won’t eliminate burglaries.

The problem is carbon based, not silicon based. It seems to be human nature to avoid accepting responsibility for our own actions, and look for a technical “quick fix” to the problems that are actually the result of our own behavior. Just as reducing the risk of burglary starts with locking the doors and windows, network security starts at the desktop. Ask yourself these questions:

  • Have all current patches to the operating system been applied?
  • Are anti-virus software scans done regularly with up-to-date tools?
  • Is this being done for every computer on campus?
  • Are the applications themselves secured?
  • Is sensitive personal information sent unencrypted across the network?
  • In short, do we meet the test of common sense?

Unfortunately, the corporate-style solution of locking down every machine, prohibiting users from installing anything but corporate-approved and -monitored software, and enforcing organizational polices by draconian methods (“Deviate from company IT policy and you’re fired.”) isn’t an attractive option for higher education. If we are to retain the open and creative environment we cherish, we must nurture a culture that places the emphasis on individual responsibility in support of institutional requirements.

Here again, the analogy about protecting one’s own property is useful. In response to a growing number of bank robberies in the early 1990s, Bankers’ Hotline editorialized in their December 1992 issue, “The first thing banks, savings and loans, and credit unions must do is change some of their attitudes, which classify robberies as a simple cost of doing business. We have to return to the good old days of banking when such acts were viewed as a personal affront to the institution itself and to the community as a whole.”

Three Components of Information Security

Campus information security in the age of computers and computer networks has three components:

One—A culture that expects, indeed demands, individual and institutional responsibility and accountability. If we don’t in our heart of hearts believe that information security is important, then the rest d'esn’t really matter.

Two—A set of institutional policies that codifies institutional and personal expectations, requirements, responsibilities, and procedures. Since these policies represent a tradeoff between individual and institutional risk, and the individual freedoms that have made higher education an engine for innovation and discovery, they must be widely discussed before adoption. Only then are we prepared to deploy the final component...

Three—A layered defense of campus information that uses both technical gizmos and human expertise. This layered defense must be based upon a robust process of identity management that guarantees we are who we say we are and that we have the appropriate authorization to get the information we seek.

Steve Hare, associate VP for Security and Privacy at Purdue University (IN) puts it this way, “Despite your best efforts, you can’t eliminate network intrusions; the best you can do is reduce institutional risk and exposure—and that can only be done by a layered defense, based on institutional policy, best practices, and increased awareness, that starts at the desktop and works it way to the campus perimeter.”

In upcoming columns on security, we’ll explore campus culture and policies in more detail, as well as your best-layered defense based upon identify management. In the meantime, watch those doors and windows.

comments powered by Disqus