First Steps First
If you’re relying on the next whiz-bang technology to finally secure
your network, you’re missing your best defense.
Anywhere, January 3, 2005. Longtime resident John Doe today charged the
Anywhere Police Department with negligence in the recent burglary of his home
in the exclusive but crime-plagued Ocean View Community. Police spokesman I.M.
Harried responded to reporters that a preliminary investigation indicated that
the home had been unlocked and that the owner, who was in Hawaii for a two-week
vacation, had left all the doors and windows open to air out the house. It appeared
that the home alarm system had not been activated. Mr. Doe is seeking unspecified
damages from the city.
While we’ve all experienced e-mail spam and computer viruses, higher
education has generally treated network security as an annoyance rather than
a serious threat. Other than complaining after each incident, college and university
administrators largely ignore the underlying problems—which may more closely
resemble John Doe throwing open his doors and windows before departing for Hawaii
than we’d like to think. Think about it: How many students regularly scan
their computers for viruses? How many faculty are concerned about unauthorized
network connections? How many staff members and students set up rogue wireless
networks? How many administrators care about policies addressing the ownership
of radio frequency spectrum on campus?
The reality is that network attacks are surging and have the potential to seriously
disrupt the way we do business on campus. In fact, they already have: You may
recall the story about the prestigious West Coast university recently reporting
that a computer hacker accessed the names, Social Security numbers, and personal
data of about 1.4 million people after breaking into a campus researcher’s
database, which was being used to study home healthcare.
Who is legally liable for the identity theft resulting from such an attack?
Is the researcher liable? The university? Or is it the state agency, which provided
the researcher with his data?
Silicon vs. Carbon
Historically, higher education’s answer has been to call for more technical
gizmos, such as firewalls, to protect the perimeter of the campus network and
the core backbone. But I say: That’s analogous to trying to stop bank
robberies and burglaries by asking the police to throw a cordon around an entire
city and to increase street patrols. It may help, but it sure won’t eliminate
burglaries.
The problem is carbon-based, not silicon-based. It seems to be human nature
to avoid accepting responsibility for our own actions, and to look for a technical
“quick fix” to the problems that are actually the result of our
own behavior. Just as reducing the risk of burglary starts with locking the
doors and windows, network security starts at the desktop. Ask yourself these
questions:
- Have all current patches to the operating system been applied?
- Are anti-virus software scans done regularly with up-to-date tools?
- Is this being done for every computer on campus?
- Are the applications themselves secured?
- Is sensitive personal information sent unencrypted across the network?
- In short, do we meet the test of common sense?
Unfortunately, the corporate-style solution of locking down every machine,
prohibiting users from installing anything but corporate-approved and -monitored
software, and enforcing organizational policies by draconian methods (“Deviate
from company IT policy and you’re fired.”) isn’t an attractive
option for higher education. If we are to retain the open and creative environment
we cherish, we must nurture a culture that places the emphasis on individual
responsibility in support of institutional requirements.
Here again, the analogy about protecting one’s own property is useful.
In response to a growing number of bank robberies in the early 1990s, Bankers’
Hotline editorialized in their December 1992 issue, “The first thing banks,
savings and loans, and credit unions must do is change some of their attitudes,
which classify robberies as a simple cost of doing business. We have to return
to the good old days of banking when such acts were viewed as a personal affront
to the institution itself and to the community as a whole.”
Three Components of Information Security
Campus information security in the age of computers and computer networks has
three components:
One—A culture that expects, indeed demands, individual
and institutional responsibility and accountability. If we don’t in our
heart of hearts believe that information security is important, then the rest
doesn’t really matter.
Two—A set of institutional policies that codifies institutional
and personal expectations, requirements, responsibilities, and procedures. Since
these policies represent a tradeoff between individual and institutional risk,
and the individual freedoms that have made higher education an engine for innovation
and discovery, they must be widely discussed before adoption. Only then are
we prepared to deploy the final component...
Three—A layered defense of campus information that uses
both technical gizmos and human expertise. This layered defense must be based
upon a robust process of identity management that guarantees we are who we say
we are and that we have the appropriate authorization to get the information
we seek.
Steve Hare, associate VP for Security and Privacy at Purdue University
(IN), puts it this way: “Despite your best efforts, you can’t eliminate
network intrusions; the best you can do is reduce institutional risk and exposure—and
that can only be done by a layered defense, based on institutional policy, best
practices, and increased awareness, that starts at the desktop and works its
way to the campus perimeter.”
In upcoming columns on security, we’ll explore campus culture and policies
in more detail, as well as your best layered defense, based upon identity management.
In the meantime, watch those doors and windows.