Blended Threats: A New Risk to Academic Freedom
The difficulties of balancing security and freedom are now under a national
spotlight as a result of the terrorist attacks of September 11, but institutions
of higher education have struggled with the problem for decades. Universities
have always tried to maintain openness and experimentation in order to promote
a credible environment for teaching, learning, and research. Of course, this
doctrine is double-edged, because openness invites risk.
In the practical arena of computer science, this means knowing that when students
write Common Gateway Interface, or CGI, scripts for university systems, they
are creating well-known targets for malicious users. Also, students might be
encouraged to use software probes to test systems, networks, and Web sites with
the understanding that such utility programs are also widely exploited by hackers
to uncover weaknesses.
Such challenges of balancing openness and security are often dangerously compounded
at the level of system use and administration. For instance, systems are often
improperly installed and configured by non-technical faculty and staff. Or,
a departmental server might be informally administered by a faculty member or
graduate student whose experience with computers is slight.
But even when properly configured, authorized systems can be troublesome. The
growing diversity of operating systems from one school to another requires equal
levels of expertise from already burdened technology support staff. Add to that
the problems of limited budgets, transitory student populations, and inexperienced
users, and achieving healthy checks on openness can become impracticable.
To exacerbate an already troubling security situation, Internet-based attacks
have become more complicated, often combining multiple threats to extend or
propagate the attack. These so-called blended threats demand a more comprehensive
approach to security—one that replaces a “one threat, one cure”
approach with a multilayered defense and response strategy.
A blended threat is malicious code that uses multiple methods to attack or
propagate. Blended threats share a number of characteristics: They cause harm,
they use more than one attack method, they are automated (requiring no user
intervention), they exploit vulnerabilities, and they typically use several
propagation methods.
Although blended threats differ in how they infect and spread through systems,
all such threats can send the cost of lost productivity, cleanup, and recovery
into the stratosphere. Recovering a single infected system can take an entire
day, and the strain of repairing thousands of systems is formidable, even for
the most efficient university security team.
Under the pressure of budget and time constraints, many universities simply
react to the latest threat. Security priorities are based on addressing
current attacks rather than on preventing future problems. However, code remediation
is the most costly and least efficient way to deal with security issues. Security
must become a part of the operating business plan of a university, rather than
an afterthought.
To that end, universities can take several steps to reduce their vulnerability
to current and emerging security threats. An effective combination of best practices
and technology should include the following components:
- Conduct an information campaign. An information campaign aimed at educating
students, faculty, and staff about security threats and what those threats
mean in behavioral terms can be highly effective in preventing security breaches.
If users recognize unsafe practices, they are less likely to put their systems
at risk. If they know what to do when their systems are compromised, they
can prevent a serious problem from becoming a nightmare.
- Deploy antivirus software, intrusion-detection tools, and firewalls. Antivirus
software on desktop computers, servers, and gateways protects against malicious
code at its points of entry. Intrusion-detection software detects unauthorized
activity and security breaches and, in some cases, can respond automatically.
Firewalls control incoming and outgoing traffic, allowing only authorized
activity across the university network. The University at Buffalo uses Norton
AntiVirus from Symantec Corp. on all Microsoft Corp. Windows desktops and
Microsoft Exchange Servers. As a result, both incoming and outgoing viruses—including
script-based threats—are detected and either repaired or quarantined
before they have an opportunity to spread. The university makes the software
available to all students through its “Tech Tools” CD and secure
download site.
- Keep apprised of security events. Internet security organizations such as
the SANS Institute (www.sans.org) and the CERT Coordination Center (www.cert.org)
provide current information on the latest national and international computer
security incidents and threats. In addition, many vendors provide up-to-the-minute
security advisories and assistance based on information gathered and analyzed
by their own security experts.
- Identify and patch critical systems. Keeping operating systems and applications
up-to-date with the latest security patches can prevent even the most sophisticated
blended threats from compromising a university network. Vulnerability assessment
software eases this process by automatically identifying unpatched systems.
- Remove unneeded services. Unneeded services are often installed by default;
they are a security risk because the open ports on which they listen are common
entry points for hackers and viruses. Vulnerability assessment software
is useful in detecting such services. Administrators can also visit one of
a growing number of Web sites that will scan their systems, pinpoint potential
problems, and recommend repairs.
- Maintain system logs. Thorough system logs enable administrators to prevent
future attacks by understanding past ones. In addition, if needed, system
logs can give law enforcement officials the documentation they need to investigate
security issues as outlined in the recently passed federal anti-terrorism
legislation, the USA Patriot Act.
- Create a response team. Identify key individuals and the roles they will
assume in the event of a security incident. Set aside a “war room”
where the response team will meet to respond to an event. In addition, make
sure appropriate non-IT communications tools are available, including phones
and faxes.
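The "identify and patch critical systems" and "remove unneeded services" items above both come down to an inventory-and-baseline check: know which ports each machine exposes and compare that against what its role requires. The following Python audit is an added example, not code from the article or from the University at Buffalo. It parses the listening sockets out of `netstat -an` output (a constructed sample in the Windows layout, since the article's examples are Windows hosts) and reports every exposed port that is missing from a per-role baseline. The role names, the baselines and the sample output are assumptions made for the example.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto address port")

# Constructed sample of `netstat -an` output in the Windows layout; it was written
# for this example and is not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.10.15:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.15:1034     10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Hypothetical per-role baselines: the only (protocol, port) pairs a host of that
# role is expected to expose. Anything else is a candidate for removal or a firewall rule.
ROLE_BASELINES = {
    "web-server": {("TCP", 80), ("TCP", 443)},
    "desktop": set(),
}

# Well-known service names, used only to make the report readable.
WELL_KNOWN = {
    ("TCP", 80): "HTTP", ("TCP", 135): "RPC endpoint mapper", ("TCP", 139): "NetBIOS session",
    ("TCP", 445): "SMB", ("TCP", 3389): "Remote Desktop", ("UDP", 161): "SNMP",
    ("UDP", 1900): "SSDP/UPnP",
}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output):
    """Sockets reachable from the network: TCP in LISTENING state and any bound UDP socket,
    excluding sockets bound only to the loopback interface."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a layout we do not understand
        proto, address, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not exposed services
        if address.startswith("127.") or address == "[::1]":
            continue  # loopback-only sockets cannot be reached from other hosts
        found.append(Listener(proto, address, int(port)))
    return found


def find_unexpected_listeners(netstat_output, role):
    """Sorted (proto, port) pairs that are exposed but absent from the role's baseline."""
    allowed = ROLE_BASELINES[role]
    exposed = {(l.proto, l.port) for l in parse_listeners(netstat_output)}
    return sorted(exposed - allowed)


def report(netstat_output, role):
    """One human-readable line per unexpected listener."""
    lines = []
    for proto, port in find_unexpected_listeners(netstat_output, role):
        name = WELL_KNOWN.get((proto, port), "unknown service")
        lines.append(f"{role}: unexpected {proto}/{port} ({name}) -- disable the service or block the port")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT, "web-server")) or "no unexpected listeners")
```

Run against real output, the same parser works on `netstat -an` captured from each host; the point of the baseline is that a departmental web server has no business answering on SMB, RPC or Remote Desktop from the open network, and a report line is the trigger for either uninstalling the service or adding a firewall rule.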
As technology evolves and Internet use skyrockets, blended threats are likely
to grow in frequency and complexity, increasing the likelihood of attacks at
universities around the world.
But by capitalizing on today’s security technologies, universities can
begin to alleviate these risks and build a protected environment that allows
openness, enhances learning, improves teaching, and advances research.
Blended Havoc: Code Red and Nimda Worms
The Code Red and Nimda worms were blended threats. Unleashed in August and
September 2001 respectively, these worms spread rapidly and caused a great deal
of damage.
Nimda used four methods of propagation: unpatched Microsoft Corp. Internet
Information Server systems, e-mail, visits to compromised Web servers, and
systems that had file-sharing enabled. It was written to find and exploit
backdoors left by previous viruses, including Code Red. Nimda slowed and even
stopped Web traffic for many users and generated excessive traffic at businesses
and educational institutions around the world.
Research firm Computer Economics estimated that Nimda infected more than 2.2
million servers and PCs in a 24-hour period and caused more than half a billion
dollars in damage.
Code Red launched denial-of-service attacks and defaced Web servers. Code Red II
also left behind Trojan horses for later execution by worms such as Nimda.
Because Code Red ran in memory rather than from a hard disk, and since it gave
no outward indications of its presence, it went largely undetected.
The Code Red worm cost an estimated $2.6 billion, according to Computer
Economics. The research firm calculated that more than $1 billion was spent
cleaning up 1 million infected servers and inspecting another 8 million related
servers. The rest—approximately $1.5 billion—was lost to corporate downtime.
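The "maintain system logs" advice earlier in the article applies directly to these two worms: both announced themselves in Web server logs, and a server's own logs are where an administrator first learns whether a probe was merely attempted or actually answered. The scan below is an added illustration, not code from the article. It reads constructed IIS W3C-format log lines, flags the request patterns publicly documented for these worms (Code Red's oversized .ida query, the root.exe backdoor left by Code Red II, and Nimda's cmd.exe and encoded-traversal requests), and groups the probes by client, noting whether any probe received an HTTP 200. The log lines, client addresses and rule names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format. The client addresses are from
# documentation ranges and no entry is taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:05:09 192.0.2.44 GET /index.htm - 200
2001-09-18 13:05:11 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a 200
2001-09-18 13:05:12 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:05:12 198.51.100.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:05:13 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:05:13 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:05:14 192.0.2.44 GET /courses/cs101/syllabus.htm - 200
2001-09-18 13:05:15 203.0.113.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
"""

# Signatures for the request shapes publicly documented for these worms: the
# unicode-escaped payload in an .ida/.idq query (Code Red), the root.exe backdoor
# left by Code Red II, and the cmd.exe and encoded directory-traversal requests
# Nimda sent to unpatched IIS servers. Rule names are chosen for this example.
SIGNATURES = [
    ("ida-overflow", re.compile(r"\.id[aq]\?.*%u[0-9a-f]{4}", re.I)),
    ("root-exe-backdoor", re.compile(r"/root\.exe", re.I)),
    ("cmd-exe-request", re.compile(r"/cmd\.exe", re.I)),
    ("encoded-traversal", re.compile(r"\.\.(/|%5c|%255c|%c0%af|%c1%1c|%c1%9c)", re.I)),
]


def parse_w3c_line(line):
    """Split one log line into (ip, method, stem, query, status); None for comments or short lines."""
    if line.startswith("#") or not line.strip():
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, ip, method, stem, query, status = fields[:7]
    return ip, method, stem, ("" if query == "-" else query), (int(status) if status.isdigit() else -1)


def scan_iis_log(text):
    """Return one hit per request that matches at least one signature."""
    hits = []
    for line in text.splitlines():
        parsed = parse_w3c_line(line)
        if parsed is None:
            continue
        ip, _method, stem, query, status = parsed
        target = stem + ("?" + query if query else "")
        matched = [name for name, rx in SIGNATURES if rx.search(target)]
        if matched:
            hits.append({"ip": ip, "target": target, "status": status, "rules": matched})
    return hits


def summarize_hits(hits):
    """Group hits by client: probe count, signatures seen, and whether any probe got HTTP 200.
    A 404 means the server rejected the request; a 200 on one of these paths needs investigation."""
    summary = defaultdict(lambda: {"requests": 0, "rules": set(), "succeeded": False})
    for h in hits:
        s = summary[h["ip"]]
        s["requests"] += 1
        s["rules"].update(h["rules"])
        if h["status"] == 200:
            s["succeeded"] = True
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize_hits(scan_iis_log(SAMPLE_LOG)).items():
        verdict = "INVESTIGATE: a probe was answered 200" if s["succeeded"] else "probes rejected"
        print(f"{ip}: {s['requests']} flagged request(s), {sorted(s['rules'])} -> {verdict}")
```

The status code is the detail worth keeping: the same scan separates the noise of rejected probes from the one host whose traversal request to cmd.exe came back 200, which is the server to pull off the network and rebuild, and the address to report to the response team.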
The message left by these two blended threats is clear: Single-point solutions
are ineffective in thwarting complex, multileveled threats. Instead,
organizations need to deploy security solutions that provide several layers of
defense and response.