Slaying Security Dragons

Security vulnerabilities higher ed must face

Joe St. Sauver

Joe St Sauver is the director of User Services and Network Applications at the University of Oregon Computing Center, where he and his staff are responsible for supporting academic users of UO’s large shared systems, as well as PCs, Macs, and Linux/Unix systems. St Sauver is a senior technical advisor for the Messaging Anti-Abuse Working Group, and also co-chairs the Educause Security Effective Practices Working Group. He is a member of the Internet2 (I2) SALSA working group, the I2 End-to-End Performance Initiative (E2Epi) Technical Advisory Group, and the I2 Abilene Network Technical Advisory Committee. St Sauver frequently speaks and writes on computing and networking-related topics. Here, he gives CT his own take on the 10 most vulnerable areas for IT security in higher education.

Want to be considered for Campus Technology’s Top 10? Send your countdown and a brief background/bio summary to [email protected]

10

Passwords: Are we really continuing to use passwords alone, in 2006?

  • There are other options like hardware crypto tokens. Some say they’re too costly.
  • We create, distribute, and reset passwords just to see them lost, forgotten, or compromised.
  • There’s a lot of denial about the scope of password-related security problems.
9

What about non-encrypted traffic?

  • We still have unencrypted legacy protocols like FTP (file transfer protocol) running in the clear, including over wireless networks.
  • And no, WEP (wired equivalent privacy) does not constitute “encryption” for wireless nets!
8

Look at backups—or the lack thereof.

  • Poll a dozen people: When did they last back up their laptop or desktop?
  • It’s a good bet that the few who could give you an answer aren’t doing a full backup or storing their backups securely.
7

Outdated, impossible-to-secure systems are still on the wire.

  • Versions of Windows earlier than XP aren’t safe to expose to the Internet.
  • Few institutions have effective hardware and software asset tracking in place, so you probably don’t even know where these ancient systems lie.
6

Watch persistent, long-term vulnerabilities in mainstream applications.

  • Check www.secunia.com for the mainstream applications used on campus.
  • Given the known vulnerabilities you may (be horrified to) uncover, you’ll want to make your software recommendations very clear to users.
5

Is malware not detected by mainstream antivirus/antispyware software?

  • Signature-based antivirus software is not keeping up with malware’s pace.
  • Heads up! Be ready for rootkits that hide malware from detection and eradication efforts.
4

Deal with denial of service attacks.

3

Face the insider threat.

  • Do you have personnel processes that can avoid risky hires in the first place?
  • …And controls to detect potential insider abuses?
2

Monitor IT security threats on non-enterprise networks (e.g., SCADA systems).

  • Don’t forget systems that control the physical plant or building access, or do process control for instrumentation and other dedicated services.
  • They’re often not as disconnected from the Internet as you might think.
1

Beware of overreaction—or underreaction—to IT security threats.

  • With a constant stream of new threats, it’s easy to fall into a siege mentality, resulting in absurd proposals such as “Install another layer of firewalls!”
  • A better response would be more IT security staff in the trenches.
