8 Spots for Tightening Security on Campus
- By Linda L. Briggs
- 01/21/04
Security is a tough challenge these days in any environment. On college and
university campuses, keeping data and systems secure is even tougher. That's
true for several reasons: academic environments encourage open atmospheres that
are conducive to security vulnerabilities; file-swapping remains a popular,
if often illegal, activity for students; funds and personnel are usually spread
thin; and many campuses run heterogeneous environments with a range of hardware
and software, some owned by the school, some by the students. Adding wireless
to the mix, as many schools now have done, compounds the problem.
Your challenge is to lock down your campus even under those conditions - while
keeping your constituents reasonably happy with their access to information
and services. It's a delicate balance, no doubt. To help you see how your peers
are handling security, Syllabus talked with CIOs, Chief Security Officers
and other IT managers at several institutions about their top concerns and how
they're addressing them. From those discussions, we've put together the following
list of security hot spots. You may find some of the ideas very useful; the
rest may simply give you a sense of kinship with others in IT who are facing
the same challenges you do in securing their own campuses.
1. Educate Every User
Nearly everyone we spoke with brought this up. Any IT administrator needs to
spread the word on secure computing practices, but compounding your challenge
is that a portion of your user base turns over each year, leaving you with a
new set of customers to educate. You also must grant rights to technology resources
initially, and probably adjust them during the year. Finally, you need to reclaim
a student's access quickly once the student leaves school.
Ariel Silverstone, chief information security officer at 35,000-student Temple
University outside Philadelphia, finds security awareness to be his No. 1 challenge.
Unlike in a government or corporate environment, where the need for security
is obvious, he points out that universities must work with users who are accustomed
to open environments and often don't even think about security concerns. For
example, "students today have always been able to download MP3" files,
Silverstone points out, and many take file-sharing technologies for granted
without considering how security might be compromised.
Silverstone says that Temple has successfully used a variety of methods to
educate users on computer security, including posters, e-mail blasts, brochures,
seminars, and a recent "security day" on campus that featured Pez
containers shaped like bugs.
At the Rochester Institute of Technology, CIO Diane Barbour described similar
ongoing education efforts, such as a recent "security week" that included
students and faculty helping to present seminars on security. One focus: What
users themselves can do to secure their own systems, as well as how the IT department
can help.
2. Focus on Virus Protection
If you have limited resources, this is the place to start. Temple University's
Silverstone sees viruses as the most obvious and pervasive security hole on virtually
any campus, and the one to attack first. His advice, which he's followed successfully
at Temple: Get an anti-virus product, install it, and make it mandatory on every
machine, both clients and servers. He also highly recommends firewalls where possible.
At Temple, with 35,000 students, "we catch 1,400 viruses a day," Silverstone says,
which equates to 1,400 service calls a day that aren't happening. Last year's
Blaster virus, he estimates, cost the university half a million dollars - and
that figure would have been higher if Temple hadn't stopped it fairly quickly.
But firewalls aren't always workable, as Carnegie Mellon University's John
K Lerchey points out. "There's no way we can put up firewalls," Lerchey,
the computer and network security coordinator for the campus, says. "We
have researchers with such a wide variety of software and research ... It's
difficult to dictate which ports you can and cannot use." Firewalls, he
concludes, are "a great solution on desktop machines," but to deploy
a firewall solution campus-wide, Carnegie would need a full-time person to maintain
the firewall rules alone.
Widely distributed virus protection, he concurs, is much easier. "We distribute
[Symantec's] Norton Antivirus - anyone can get and use it." Since 99 percent
of viruses attack Windows machines, Lerchey says, simply keeping virus checkers
installed and up-to-date is a huge help. He says Carnegie Mellon just released
a new virus installer that is set by default to update users' virus software
every day instead of every week, the previous default.
Also, virus protection is best if extended beyond the desktop, as this case
study from Virginia Tech shows.
With 70,000 users, Virginia Tech's IT staff recently decided they needed a more
pervasive security solution. The staff expanded the virus protection program
beyond users' desktops, realizing they needed more than a security solution
that depended on users maintaining up-to-date files on their computers.
Virginia Tech chose a specialized solution: a messaging appliance that checks
for viruses on the server side. Whatever you choose to protect the enterprise,
be sure to get a site license that allows you to provide every student's system
with virus protection, thus giving you a security solution that's centrally
managed. And in your education efforts, remember to stress the importance of
virus protection at the server and workstation tiers.
3. Educate Faculty
Students, of course, aren't your entire user base; faculty and staff use the
networks as well. For example, you'll want to discourage faculty from things
like using e-mail improperly (using unencrypted e-mail to send out grades, for
example). Again, provide both education and the software and guidance needed
to do the job correctly.
At the Rochester Institute of Technology, Barbour says the security issue that
keeps her awake at night is unauthorized software running somewhere on campus
that isn't under the central IT umbrella. "That's where I'm focusing most
of my attention right now ... [Those systems] could be very vulnerable to
hacking." One theoretical example: A specialized program set up by an individual
faculty member on his or her computer, without the proper security clearance
or configuration. To help with addressing the issue, RIT now has a full-time
Information Security Officer who develops policies to help make sure systems
are secure.
4. Stop Denial of Service Attacks
In its simplest form, a denial of service attack sends more data to your network
than it can handle, thus overflowing the buffers and resulting in a loss of
service to users. Most DoS attacks are malicious and intended to bring the network
down, and though they typically don't destroy data, they can. Some recent viruses
can be classified as denial of service attacks.
As with many things having to do with campus security, a college or university
network may be especially susceptible to a DoS attack because of its openness.
Versions of Microsoft Windows, by far the most popular operating systems for
hacking, are especially vulnerable.
There are many ways to protect your network, from virus software to firewalls
to how you configure your operating systems. For a primer on defeating denial-of-service
attacks, you can start with this useful article from SANS,
a well-respected security research, training and certification institute. The
article contains instructions for administrators on, among other things, preventing
your network from being used as a broadcast amplification site - an unwitting
accomplice in a denial-of-service attack.
5. Sell Security to Management
Here's another challenge that all IT professionals face, but one that may be especially
tough on campus because of tight funds: getting management on board for any
security push. It's important that your school's top managers see security as
the priority it is, and act accordingly - that is, that they allocate
realistic funds for the software you need to lock down your systems, for education
programs, and for adequate personnel.
Management responds to numbers, so putting together estimates on what security
breaches are costing the school in terms of down time, hours spent by your staff
repairing the damage, and so forth, can be effective. Damage to the school's
reputation can also be a warning point; many large-scale cyber-attacks have
made ample use of university computers.
For Susan Monsen, director of IT services at Yale University's Law School,
lack of resources is definitely an issue. Her biggest challenge: Dealing with
compromised student laptops on the network. "We don't have a way to scan and
remove viruses" automatically system-wide yet, she says. "That's something we're
working on." Regarding security in general, she says, "There are good tools
out there, but they're very expensive."
The problem peaked in September at the law school, when a widely spread virus
was attacking Microsoft operating systems and unsuspecting students returned
to campus with infected laptops. Now, the problem is down to three or four laptops
a week, she says.
Requiring students to register their network cards in order to get access outside
the campus on the university's network helps, she says - students can then be
tracked down through a database and contacted if necessary through their network
IDs.
6. Set and Enforce Testing Standards
As you continue to develop, integrate, and enforce working security policies
for your organization, cooperation and communication among various groups on
campus are key. Among other things, this becomes important in setting and enforcing
testing standards for how new software is deployed. In examining how an SQL
server was compromised, a case study from the University of Memphis highlights
the importance of policies for making sure that testing is conducted in keeping
with agreed-upon security
policies. As the authors of the case study conclude in one of their findings
after the security breach was closed, agreeing on what tests are required before
deployment into the production environment is paramount:
"Equilibrium between experimentation and security standards must be established.
It may not be appropriate to deploy an application into a production environment
unless appropriate security testing has been performed ... Service administrators
must understand the importance of securing, and keeping secure, the production
environments upon which services depend."
7. Review Data Retention Policies
With the enactment of the USA Patriot Act in 2001 ("Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Act of 2001"), data retention has become a security hot spot.
Setting record-retention policies, never easy, has become even more difficult.
According to Fred Beshears, senior strategist at Educational Technology Services
at the University of California-Berkeley, FERPA, an older government mandate
to protect student records, conflicts with the Patriot Act, which allows for
governmental access to student records in some cases. In short, Beshears says,
"You get into all these gnarly problems on [privacy]."
For an in-depth discussion of the conflicts of privacy and security on today's
campus, and some insights into the issue, read the article by Kent
Wada, information technology security and policy coordinator at the University
of California-Los Angeles.
Among other things, Wada notes that in the face of the Patriot Act and other
legislation, security concerns regarding e-mail become more difficult than ever
and probably need to be reviewed and reassessed. "The balancing act is to keep
relevant data only as long as it is legitimately needed, and no longer, lest
it become a liability."
He notes that this same balancing act applies in other areas of data as well:
"This is also true for electronic records of another sort: computer transaction
logs. Web servers, e-mail servers, and other network devices all automatically
note when services are used ... Policies should be viewed in the larger records
management context rather than as a separate effort."
8. Curb File Sharing
The still hugely popular practice of file sharing, particularly videos and music,
via peer-to-peer software, remains an obvious Achilles heel.
As Wada notes in his article on campus security versus privacy, recording and
motion picture industry executives are pushing schools to do more to curb illicit
file sharing, thus turning up the heat on IT administrators. Not only is file
sharing generally illegal, depending on what's being shared, but peer-to-peer
networks, of course, are a huge security risk.
Many colleges and universities are fighting the file-sharing issue through
attempts at education on their Web sites. For example, the University of California
at Davis offers this article for students on legitimate music download sites
and options: http://technews.ucdavis.edu/news2.cfm?id=623.
Also, articles like this one on the University
of Wisconsin-Madison Web site, which clearly state that the recording industry
is now prosecuting individuals for file-sharing violations, are becoming more
common. And Penn State is modeling for students the good practice of staying
within the law by providing students with legal means to download
music files. As part of the education process, and to remind students of
the facts about file sharing, consider posting similar information and tools
on your own campus Web site or portal if you haven't already.
An Ongoing Challenge
IT administrators tasked with campus security face special challenges. But the
struggle for a secure campus isn't a futile one; there are many steps you can
take to help ensure that you, along with faculty, students and staff, sleep
easier at night. In general, it's probably best to look at security as an ongoing
challenge, one that will require some of your resources for a long time to come.
In fact, Rochester Institute of Technology's Barbour predicts that things will
get worse before they get better, as society and IT experts only gradually get
security issues under control and can begin to act proactively. "We're
just seeing the tip of the iceberg. The worst of it is yet to come, and it's
going to take a while to catch up." Accept the security challenge and begin
now to tighten your campus networks.