Security

101 BEST PRACTICES SECURITY

Security is the opener of our special 101 Best Practices guide for December 2005. Scan the 34 items that follow in this section to find issues and challenges that your college, university, or system is facing right now. At a glance, you'll find answers or leads to solutions that will help you get your own initiative off the ground, or remove roadblocks in your way. Use the links provided to find more in-depth information in original articles and white papers, or on Web sites. Identity theft, risk assessment, authentication and countering spyware are just a start.


1

Hack Job

In his April 2005 Campus Technology feature on security technology, senior contributing editor Matt Villano suggested that the best way to avoid security breaches might be to pay for them: 'In the last two years, [hack] attacks have occurred at the University of Georgia, the University of Texas at Austin, the University of Missouri-Kansas City, the University of California-San Diego, and the University of California-Berkeley, to name a few. In all of these cases, the hackers exploited vulnerabilities in technology set up to foster collaboration and the free exchange of information. Across the board, the hackers scored sensitive information, putting users at risk. These cases may not represent the norm across North America, but increasingly, US schools are feeling the need to step up security measures to protect their users from invasions of this kind. Most schools take a traditional approach, purchasing the latest and greatest Intrusion Prevention System (IPS) technology from vendors that serve the corporate world...' A plethora of security products exist, and on many campuses you'll find a mixture of Intrusion Detection Prevention (IDP), Secure Socket Layer (SSL), and Virtual Private Network (VPN) technologies, in products such as the FortiGate line from Fortinet, and the REM Security management console from eEye Digital Security. Vendors such as Symantec, Check Point Software Technologies, and Cisco Systems have also unveiled products that draw from these technologies. Villano points out that some schools use a multi-pronged strategy, '...combining off-the-shelf tools with proprietary measures, to keep things safe. And some of these trailblazing schools champion a strategy that employs the services of 'ethical hackers' to poke around a network to find vulnerabilities for system administrators to fix.' Read more

2

UC-Berkeley's reaction to 98K+ missing SSNs

On March 11, 2005, someone walked off with a notebook computer containing the Social Security numbers of thousands of applicants and students, current and former, from UC-Berkeley's Graduate Division records. The computer, taken from a restricted office area, contained data from as far back as 1976 to the spring of 2004, including birthdates and/or addresses to match the SSNs and names in about a third of the records. Administrators at UC-Berkeley were reeling from the realization that on the same campus where Nobel laureates push at the boundaries of human endeavor, 98,000-plus SSNs were left exposed on an easily lifted laptop computer. The university quickly provided 'I.D. Alert' Web pages with helpful information about the incident, including a variety of useful resources on identity theft for individuals whose personal information might have been compromised. The Web pages serve as a good model for dealing with at least one aspect of a painful issue. Read more

3

Can I Have My Wallet and Keys Back, Howard?

A man well ahead of his time, the late technology visionary, strategist, and speaker Howard Strauss was proposing 2015 technologies at the 2003 Syllabus conference, and had audiences still mulling over his comments in 2005. In this Educause Quarterly article responding to Strauss's proposals, Glenn Everett considers potential personal ubiquitous portal technology (PUP) and, indulging in a 'smidgen of paranoia,' poses some questions about future privacy. Read more

4

'You have no privacy. Get over it.'

Sun Microsystems Chairman and CEO Scott McNealy's haunting words from 1999 still hang over a complex, patchwork landscape of security and privacy issues today. In 'Privacy & Compliance, Better Safe than Sorry,' UCLA's director of Information Technology Policy Kent Wada offered CT readers some insight into the security/ privacy dilemma on campus, along with a few principles to consider as they rally to protect institutional data and wade through the 'alphabet soup' of external regulations: 'Beyond individual state legislation, there is an alphabet soup of federal legislation that colleges and universities must comply with. HIPAA, the Health Insurance Portability and Accountability Act, defines privacy and security standards for the protection of personally identifiable medical information, among other things. GLBA, the Gramm-Leach-Bliley Act, creates obligations to protect customer financial information. Then there is FERPA, the Family Education Rights and Privacy Act protecting student information, already well-known to higher education. FERPA, however, is also one of more than a dozen statutes amended by the USA PATRIOT Act of 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism), to give law enforcement greater access to confidential information... Technologists, higher education, and others have spent decades making online access to information ubiquitous. The grand challenge now lies in managing the access to meet societal expectations not just about access, but about privacy as well.' Read more

5

Role-based access: A case study at UNC-Charlotte

Enterprise Systems columnist Mathew Schwartz recently took a look at access control technologies: 'Goodbye mainframe, hello access-control questions. When the University of North Carolina at Charlotte began moving from mainframe-based financial and human resources systems to Oracle databases, application servers, and multiple Web interfaces, IT security officer Carter Heath knew he'd have to adapt. 'We always had Resource Access Control Facility (RACF) sitting in front of the mainframe for access control purposes. That provided us assurances of who's getting what off of the mainframe.' In the emerging post-mainframe environment, however, the university still needed access controls, but the question was, what would they be? Furthermore, would they fit the existing security paradigm? 'We're here to guard things,' notes Heath. 'We don't own your data, we don't own those systems. We're here to provide security protections to those systems, and enable you to get access into those systems in the most secure manner possible.' ...He came across the Identity appliance from Trusted Network Technologies (TNT), a device 'that was able to provide access control to multiple resources by an identity,' he says. 'That was intriguing.' In January 2005, he received an evaluation unit, and by May the university had purchased an Identity appliance and added it to the production environment. Currently it's using Identity version 2.0. From an identity management standpoint, Heath is lucky: the university, a Novell shop, already had extensive institutional experience with access controls, and was using ZENworks from Novell for application delivery. It also had Microsoft's Active Directory, as well as group-level permissions and processes for adding or removing users. Hence the TNT appliance was able to work with an existing infrastructure.' Read more

6

Are our institutions getting a 'black eye' over identity theft?

In 2005, the cumulative effect of reports in the popular press about security breaches on college and university campuses has apparently taken its toll, at least on the public's confidence level about the security of personal data on campuses in general. An August 21, 2005 article in The Boston Globe examines the problem. What's your institution's rep? Read more

7

Sensitive data: here, there, and everywhere

Back in March 2005, CT asked Indiana University's Chief Security and Policy Officer Mark Bruhn for his Top 10 IT security and policy recommendations. They included: Get rid of sensitive data ASAP; make everyone responsible; give users a method to communicate sensitive info; realize that security is a cost of doing business. Get all Top 10.
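The first of Bruhn's recommendations, getting rid of sensitive data, presupposes knowing where it sits. As an added example (not from the article or from Indiana University), the following Python scans text for SSN-shaped values, discards shapes the Social Security Administration never issues, and reports only masked hits so that the inventory itself does not become another copy of the data. The sample lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of a departmental export: a mix of plausible SSNs,
# values that are SSN-shaped but can never be issued, and a phone number.
SAMPLE_LINES = [
    "Doe, Jane, 123-45-6789, admitted 1998",
    "Roe, Richard, 000-12-3456, admitted 2001",    # area 000 is never issued
    "Poe, Edgar, 666-01-2345, admitted 1999",      # area 666 is never issued
    "Moe, Mary, 987-65-4321, admitted 2003",       # area 900-999 is never issued
    "Contact: 555-123-4567 (department office)",   # phone number, wrong shape
    "Zoe, Zed, 321-54-9876, admitted 2004",
]

# Hyphenated form only; a real inventory run would add the unformatted
# nine-digit shape and accept the extra false positives that come with it.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Anything else is treated as a possible SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(ssn: str) -> str:
    """Keep only the last four digits in the report."""
    return "***-**-" + ssn[-4:]


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per plausible SSN: its line number and masked value."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append({"line": lineno, "masked": mask(m.group(0))})
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Same scan over a file on disk, tolerating odd encodings in old exports."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['masked']}")
```

Only two of the five SSN-shaped values in the sample survive the plausibility filter; the phone number never matches because its middle segment has three digits rather than two.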

8

The 'Zen' of Risk Assessment

Risk assessment may take time and resources, but if you make it an ongoing process, you may not only manage costs—you may also see greater benefits. In an Educause Quarterly article, Cedric Bennett and Richard Jacik examine risk assessment: 'Leverage What You Know: We recommend an approach for assessing risk in which overall risk assessment is more of an ongoing process than a project. It produces usable results from the start, which can provide broad guidance for security strategies and plans and also focus traditional risk assessment toward specific assets and resources.' Read more

9

Beating the Spim-Spam Man

Contributing editor Wendy Chretien gave beleaguered IT professionals hope in the battle against viruses and spam, in her April 2005 CT article: 'Are your users asking IT to please do something about spam? What about spim (spam via instant messaging)? Were your campus network services on the ropes after that last malevolent virus attack? ... A multilevel approach considering all potential malware entry points will provide your campus with the most effective protection. Tools in your box include communications with users, judicious use of policies and enforcement, and specialized training for network administrators, as well as more tangible options such as focused software and hardware... [User Desktops and Laptops] is where most campus IT folks surrender, because it's notoriously difficult to manage all the disparate devices out there... Today, there are feasible methods to combat the virus threat at this level, assuming one has the support of the campus... Examples include Symantec Antivirus Corporate Edition (Norton is now owned by Symantec), McAfee Active Virus Defense, Sophos Anti-Virus, and Trend Micro. A relatively new technique to ensure compliance is to compel users' systems (on login) to first access a security system, which checks the system for antivirus software and which will deny full network access if that software is not present and/or updated. Some of these solutions can also download the latest antivirus version to the non-compliant system. Cisco Systems calls its version the 'Network Admission Control.'' Read more
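The login-time compliance gate Chretien describes is, at its core, a policy evaluated over what an endpoint reports about itself. The following Python is an added illustration of that evaluation (not from the article, nor from Cisco's Network Admission Control or any other vendor product); the posture fields, the seven-day definition-age threshold and the three sample endpoints are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

MAX_SIGNATURE_AGE_DAYS = 7   # policy assumption: definitions older than a week are stale


@dataclass
class Posture:
    """What the login-time agent reports about one endpoint (constructed fields)."""
    host: str
    av_installed: bool
    av_running: bool
    signature_date: Optional[date]   # None when no definitions are present


@dataclass
class Decision:
    host: str
    access: str                       # "full" or "quarantine"
    reasons: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def evaluate(p: Posture, today: date) -> Decision:
    """Grant full network access only to a compliant endpoint; otherwise
    confine it to a remediation segment and say what has to be fixed."""
    reasons: List[str] = []
    remediation: List[str] = []
    if not p.av_installed:
        reasons.append("no antivirus installed")
        remediation.append("install antivirus from the remediation segment")
    else:
        if not p.av_running:
            reasons.append("antivirus service not running")
            remediation.append("start the antivirus service")
        if p.signature_date is None:
            reasons.append("no virus definitions present")
            remediation.append("download current definitions")
        else:
            age = (today - p.signature_date).days
            if age > MAX_SIGNATURE_AGE_DAYS:
                reasons.append(f"virus definitions {age} days old")
                remediation.append("download current definitions")
    access = "full" if not reasons else "quarantine"
    return Decision(p.host, access, reasons, remediation)


# Constructed sample: three endpoints checking in on the same morning.
SAMPLE_POSTURES = [
    Posture("lab-pc-01", True, True, date(2005, 11, 29)),
    Posture("dorm-laptop-17", False, False, None),
    Posture("staff-desktop-03", True, True, date(2005, 10, 1)),
]


def run(today: date = date(2005, 12, 1)) -> Dict[str, Decision]:
    """Evaluate every sample endpoint as of the given day."""
    return {p.host: evaluate(p, today) for p in SAMPLE_POSTURES}


if __name__ == "__main__":
    for d in run().values():
        print(d.host, d.access, "; ".join(d.reasons) or "compliant")
```

The decision carries its reasons and the matching remediation steps, which is what lets the gate do more than refuse: the quarantine segment can offer exactly the fix the endpoint needs, as the article notes some products do.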

10

How do you take your spam?

Spam and e-mail scams are changing from day to day. They're not only changing shape to elude management strategies; they are also getting worse and more dangerous. For those looking for an easy-to-follow update, an article provided on the AppRiver Web site serves as a good summary of what's happening with 'The Waning Innocence of Spam.' (Regarding the notion of innocent spam, feel free to ask, 'Was it ever?') Read more

11

Fighting spyware: The first step is understanding it

The Anti-Spyware Coalition, a group 'dedicated to building a consensus about definitions and best practices in the debate surrounding spyware and other potentially unwanted technologies' has released a draft of its 'Spyware Definitions and Supporting Documents.' The coalition, made up of software companies, academics, and consumer groups, will consider public comments about the document in its quest to understand how to control the rogue technologies. During this process, the draft document will be helpful to interested parties who are—often desperately—grasping at ways to combat the stealthy menace. Are your vendors trying to understand spyware? Currently, about 30 security-conscious companies and organizations are involved in the coalition, among them: Blue Coat Systems, Computer Associates, Dell, F-Secure Corp., HP, Mi5 Networks, LANDesk, Lavasoft, McAfee Inc., Microsoft, Panda Software, Sophos, Symantec, Tenebril, Trend Micro, Webroot Software, Websense, and Yahoo!. Read more

12

Spyware monsters

'There is really no cure-all solution for spyware,' advises Christofer Sean Cordes in his November 2005 Educause Quarterly article, 'Monsters in the Closet: Spyware Awareness and Prevention.' But awareness helps, along with some understanding of the general characteristics of spyware and the efforts underway on behalf of spyware prevention. And if you want an ounce of prevention, Cordes has some specific suggestions, mentioning a range of possibilities including Spykiller.com (now TrustSoft), Lavasoft's Ad-Aware, Spybot Search and Destroy, and even add-ons like the Google Toolbar with Popup Blocker or SpoofStick. Read more

13

Is spyware impacting the ways people choose to use the Internet?

Spyware is prominent among the blights that interfere with or frustrate otherwise easy and fruitful access and exchange of information via the Internet. In a report published this past summer by the Pew Internet & American Life Project, analysts concluded that nine out of 10 Internet users have adjusted their behavior out of fear of falling victim to spyware, and that many of the 'fears are grounded in experience.' Read the report

14

Doing the right thing for cybersecurity on campus

What responsibility do presidents and CIOs have to ensure cybersecurity on their campuses? Explore the question in an Educause/Internet2 Computer and Network Security Task Force video produced by George Mason University (VA). Among other issues, a panel discussion considers a recent statistic that in the corporate world, an estimated 80-plus percent of corporations have had security breaches that went unreported. But higher education may have a better approach: Speaking about the higher education community, University of Maryland, Baltimore County CIO Jack Suess comments, 'When we have incidents, we're reporting them, we're making them public; we're doing the right thing.' Presidents, CIOs, security officers, and others in higher education who are trying to do the right things for their campus environments may wish to download the video.

15

Incident report categorizations and factor analysis

Made possible by funding from the National Science Foundation and the Educause-Internet2 Security Task Force, the 'Final Report of the Computer Incident Factor Analysis and Categorization Project, Volume I: College and University Sample' covers more than 300 security incidents over a two-year period. The report provides detailed information from 36 colleges and universities, including factor analysis and recommendations for mitigation and prevention. Read the report

16

Data Incident Notification Templates

Recently contributed by the Security Task Force (established by Internet2 and Educause) and posted on the Educause Web site, these incident notification templates can help you communicate quickly and effectively should your institution experience a breach. Read the report

17

Education, incident response, and technical controls

Public communication of a network security strategy is a key element in any IT organization's security arsenal. Penn State's network security strategy was recently articulated as a three-pronged approach, and one that would not threaten the culture of openness. A short article offered by the university's online news service presents the essentials effectively. Read more

18

The Case for IT Security in Academia

In a January/February 2005 Educause Review article, 'Leading by Example: The Case for IT Security in Academia,' Mary Ann Davidson, Oracle's chief security officer, examines ethics, economics, and the social implications of IT security, outlining academia's leading role in the broader discussion of securing cyberspace. Read more

19

While IT security concern grows, progress on DR planning is slow

Campus Computing's 2005 National Survey on Information Technology in US Higher Education points to a growing concern about IT security on campus: 'College and university IT officials identify 'network and data security' as the 'single most important IT issue' affecting their institutions over the next two-three years,' begins the executive summary. Notably, a new survey item reveals that half (50.7 percent) of responding institutions experienced hacks or attacks on their campus networks. The report also notes that disaster recovery planning hasn't gained much ground: 'Surprisingly, four years after the September 2001 attacks and the then very public discussions about IT disaster recovery, only three-fifths (57.4 percent) of campuses report a strategic plan for IT disaster recovery, little changed from 2004 (55.5 percent) or even 2002 (53.0 percent).' Read more

20

Katrina takes its toll on higher education

An interactive map on The Chronicle of Higher Education's Web site offers a good overview of the damage by Katrina to several campuses on the hurricane-ravaged Gulf Coast. Mouse over the locations to display individual summaries—click through for an inset map of New Orleans.

21

When is a disaster too catastrophic?

In November 2005 CT, contributing editor Dian Schaffhauser took a long look at disaster recovery planning: 'Although many have argued that the proportions the disaster Katrina wrought (a Category 4/5 hurricane accompanied by no end of additional and devastating complications) went far beyond a scale that can be planned for, others insist that the tools of disaster recovery planning (DRP) aren't necessarily prohibitive in terms of dollar or time investment, nor do they need to be highly complex. Keeping up a blog on an emergency Web site doesn't require complicated technology, for instance. And while populating a blog is a far cry from rebuilding research data that has been destroyed, on the heels of any disaster communication becomes vital: It is the link that holds survivors and supporters together while they take emotional and physical stock. In such times, reliable information becomes gold.' There are also many types of communications solutions available from vendors; one example is Telident 911 from Teltronics, a system that pinpoints the location of any 911 call on the campus PBX and feeds the information to local police and fire dispatch centers, as well as to campus emergency personnel. Besides emergency communications strategies, colleges and universities have a range of data recovery solutions in place, such as maintaining real-time disk-based backups using software like Symantec LiveState Recovery. And Schaffhauser points out that 'For some, data is concern number one in any DRP. Keenan Baker, a storage specialist with technology products and services provider CDW-G, considers the focus on data protection the starting point of any disaster recovery plan.' Other companies like universal hardware solutions provider STORServer can also provide integrated solutions incorporating server, disks, tape, and software, along with integration services, so your institution can be prepared with incremental backups. Read more

22

From the edge of Katrina

Louisiana State University's Brian Voss offers a unique view of disaster planning, asking, 'What if you're the last ones standing? Traditional DR thinking has to do with what to do if your data center is gone. How do you recover? How do you restore services for your institution? And that's very valid, as my colleagues at Tulane (LA), UNO, and other New Orleans universities are experiencing most directly right now. But what if your campus suddenly becomes the refuge for not only your neighboring institutions, but also local, state, and federal agencies? What if you are the site of last resort? How will you deal with a sudden influx of users placing unimaginable demands upon your environment and resources?' Read more

23

Outsourcing or Out of Business?

John Webster's article for Campus Technology's C2 newsletter proposes outsourcing as a disaster planning strategy. 'The timestamp says Wednesday 8/24/2005 11:46 AM. The subject line reads 'UCIS 182-81 PeopleSoft Tools.' It is the final e-mail I will receive from Tulane University (LA). Forty-eight hours later I receive a phone call, informing me of the evacuation of the school... According to the Association of American Universities, more than 30 colleges and universities along the Gulf Coast were severely damaged by hurricane Katrina. Tulane...was among the hardest hit. Its 13,000 students will not return this semester, awaiting the school's projected January reopening... For me, Katrina changed the way I will address Disaster Recovery (DR) planning. Much like post 9/11, this is a good time for schools to revisit disaster planning—or the lack of it—in preparation for the next campus-killing event we all know is out there.' Read more

24

Before the Disaster

Want yet another take on disaster recovery planning? Security columnist Doug Gale posed the following question in the April 2005 issue of CT: 'Why focus on disaster recovery, when effective business continuity management could keep recovery to a minimum? ... People are often confused about the difference between disaster recovery and business continuity management (BCM). Yet, while disaster recovery is the act of recovering from a disaster, BCM is a broader term that includes anticipating and planning for bad things, as well as the actual disaster recovery process. Let's put it this way: After the flood, Noah was practicing disaster recovery; before the flood, he was practicing business continuity management. Basically, business continuity management attempts to answer two questions: a) What can go wrong? And b) How can an institution reasonably prepare to minimize the impact? ... Business continuity management is neither easy nor cheap. But in an increasingly complex world driven by intertwined systems, it is essential.' Read more

25

Do you have 'roaming scholar' problems?

In his article on 'Federated Network Authentication,' online at O'Reilly Media, Matthew Gast explains: 'Researchers and scholars may hold appointments at multiple institutions or be involved in research teams that draw members from across the country or the world. Frequent visitors require network access. Without a full-time appointment, they may not be eligible for full access at the visited institution, but the hassle of repeatedly provisioning guest accounts is no solution.' Gast relates some of the current buzz about federated network authentication, and provides his own observations: 'To reflect the messy realities of building a federated network, a more generic trust mechanism needs to be developed.' Read more

26

Wireless Security with 802.1x

In a recent Educause Live! Webcast seminar, Michael Griego helps you understand how the 802.1x standard can authenticate wireless users and provide encryption. Referencing his experiences at the University of Texas-Dallas, Griego provides information about the technology in the higher education context while he sorts out the issues of authentication with 802.1x. Read more

27

Authentication: The Power of Who

In the January 2005 issue of CT, senior contributing editor Matt Villano checks out identity management applications on campus, where next-generation technologies may be closer than you think: 'In the ever-changing environment of academic technology, it's one thing to secure your enterprise network, but entirely another to provision it to control access based on a user's identity. With this in mind, imagine a network that grants access to certain systems based upon who a particular user is; a network that requires users to sign in only once, and remembers who they are for the remainder of their session. Think of a network that doesn't require passwords at all; a network that ties all access to a USB key or the biometric codes of a human fingerprint. Then, envision a network combining all of these characteristics; so sophisticated it operates seamlessly with networks at other schools, and allows users access to similar systems elsewhere in the academic world.' An example of trailblazing identity management is Temple University (PA): 'Today, all of the school's identity management is tied together under one solution: Sun Java from Sun Microsystems. When users register on the system, they are provisioned for systems of every sensitivity level. If a user is expected to perform nothing on the campus network but e-mail and other basic functions, all that he needs to access the system is his password. If a user is expected to access more sensitive systems, he is given additional authenticating factors, such as the USB token or access to a biometric reader. Under this approach, a user's identity never needs to be re-provisioned; the more access a user needs, however, the more he must prove that he is who he says he is.' Less is more, when it comes to passwords... so how about just one thumbprint?
'Last year, Digital Persona provided [San Francisco State University] with U.are.U optical fingerprint scanners that plug into USB ports and capture a 500 dpi image of a user's fingerprint, encrypt it, send it to the Digital Persona IDentity Engine server, and compare the data with fingerprint information already stored in a database. If the system determines a match, it grants the user access to any variety of systems based upon parameters in the user's file. If the system fails to find a pairing, it denies access and offers the user only the most basic of services, which generally consists of nothing but simple Web browsing.' And at the University of Alaska, P-Synch, from M-Tech Information Technology, enables individual users to synchronize their passwords across different, multiple applications. Read more
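Temple's model, as quoted above, has two moving parts: an identity record that is provisioned once, and a mapping from a system's sensitivity to the factors a user must present. The Python below is an added example of that mapping (not Temple's code or Sun's product); the tier names, the factor names and the 'restricted' tier that extends the two described tiers are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Assumed tiers. Each tier lists requirement groups; a session satisfies a group
# by presenting any one factor in it, and must satisfy every group in the tier.
# "basic" and "sensitive" follow the Temple description (password alone, then
# password plus a USB token or a fingerprint); "restricted" is an added tier
# that demands every factor.
REQUIRED_FACTORS: Dict[str, List[FrozenSet[str]]] = {
    "basic": [frozenset({"password"})],
    "sensitive": [frozenset({"password"}), frozenset({"usb_token", "fingerprint"})],
    "restricted": [frozenset({"password"}), frozenset({"usb_token"}), frozenset({"fingerprint"})],
}


@dataclass
class Identity:
    """Provisioned once; only the set of enrolled factors grows over time."""
    user: str
    enrolled: Set[str] = field(default_factory=set)


@dataclass
class AccessResult:
    allowed: bool
    missing: List[str]   # one readable entry per unsatisfied requirement group


def check_access(presented: Set[str], level: str) -> AccessResult:
    """Decide whether the factors presented in this session reach the tier."""
    missing = [" or ".join(sorted(group))
               for group in REQUIRED_FACTORS[level] if not (presented & group)]
    return AccessResult(not missing, missing)


def enrollment_gap(identity: Identity, level: str) -> List[str]:
    """What the user must still enroll (not re-provision) to ever reach the tier."""
    return check_access(identity.enrolled, level).missing


# Constructed sample identities.
SAMPLE_IDENTITIES = {
    "student01": Identity("student01", {"password"}),
    "registrar02": Identity("registrar02", {"password", "usb_token"}),
}


if __name__ == "__main__":
    for name, ident in SAMPLE_IDENTITIES.items():
        for tier in REQUIRED_FACTORS:
            gap = enrollment_gap(ident, tier)
            print(f"{name} -> {tier}: {'ok' if not gap else 'needs ' + ', '.join(gap)}")
```

Keeping the tier table separate from the identity record is what makes the 'never re-provisioned' property hold: raising a system's sensitivity changes one row of the table, and each user's enrolled factors tell you immediately who can still reach it and who must enroll something more.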

28

If you think provisioning is a hassle, consider de-provisioning

At Western Michigan University, Director of Planning and Middleware Services Greg Lozeau observed: 'Provisioning student e-mail systems, especially with the number of different systems we had on campus, was challenging, but de-provisioning the students was painful. Sun's Java Messaging Server, coupled with the power of Sun Identity Manager, offered a better approach.' WMU's identity management case study, available via Sun's Web site, offers insight on the sticky de-provisioning problem. Read more (pdf)
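Why de-provisioning is the painful half becomes clearer once it is written down: it is a reconciliation between the authoritative affiliation feed and the accounts that actually exist, with a grace period and a category for accounts nobody claims. The following Python is an added example of that reconciliation (not WMU's process or Sun Identity Manager); the 90-day grace period and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

GRACE_DAYS = 90   # assumption: keep mail for roughly a term after affiliation ends


@dataclass
class Affiliation:
    """One row from the registrar / HR feed (constructed)."""
    person_id: str
    status: str       # "active" or "separated"
    end_date: date    # last day of the affiliation


@dataclass
class Account:
    """One row from the mail system (constructed)."""
    username: str
    person_id: str


def plan_deprovisioning(affiliations: List[Affiliation],
                        accounts: List[Account],
                        today: date) -> Dict[str, List[str]]:
    """Sort every account into keep / disable / review_orphan.

    An account is disabled only when its owner has separated and the grace
    period has run out; an account whose owner is unknown to the feed is
    never silently disabled, it is flagged for a human to look at."""
    by_id = {a.person_id: a for a in affiliations}
    plan: Dict[str, List[str]] = {"keep": [], "disable": [], "review_orphan": []}
    for acct in accounts:
        aff = by_id.get(acct.person_id)
        if aff is None:
            plan["review_orphan"].append(acct.username)
        elif aff.status == "active":
            plan["keep"].append(acct.username)
        elif today - aff.end_date > timedelta(days=GRACE_DAYS):
            plan["disable"].append(acct.username)
        else:
            plan["keep"].append(acct.username)   # separated, still inside the grace period
    return plan


# Constructed sample feeds.
SAMPLE_AFFILIATIONS = [
    Affiliation("p1", "active", date(2006, 5, 15)),
    Affiliation("p2", "separated", date(2005, 5, 15)),
    Affiliation("p3", "separated", date(2005, 11, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "p1"),
    Account("rroe", "p2"),
    Account("mmoe", "p3"),
    Account("ghost99", "p9"),   # no matching person in the feed
]


def run(today: date = date(2005, 12, 1)) -> Dict[str, List[str]]:
    """Build the plan for the sample data as of the given day."""
    return plan_deprovisioning(SAMPLE_AFFILIATIONS, SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for action, users in run().items():
        print(f"{action}: {', '.join(users) or '-'}")
```

The orphan category is the part most often missing from a home-grown script, and it is where the accounts that outlive their owners tend to accumulate.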

29

UK schools' Shibboleth trial

Shibboleth, the open source authentication system, has enjoyed more adoption across the pond than in the US. Shibboleth provides a means to authenticate a user just once for multiple systems that operate in a federated trust model. In the UK, a very large trial this past spring involved more than 500,000 students and some 50,000 instructors. Read more
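What 'authenticate once, in a federated trust model' means on the wire is that the home institution's identity provider issues a signed assertion, and a service provider at another institution accepts it because the issuer appears in the federation's metadata. The Python below is an added example of both sides of that exchange and is not Shibboleth's code: real deployments use SAML with X.509 signatures, and an HMAC over a JSON payload stands in here so the example runs with the standard library alone. The institution URLs and keys are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Federation metadata as the service provider sees it: which identity providers
# it trusts and the key shared with each. Constructed values; HMAC stands in for
# the X.509 signature a SAML deployment would verify.
TRUSTED_IDPS: Dict[str, bytes] = {
    "https://idp.example-university.ac.uk": b"constructed-shared-key-1",
}


def sign_payload(payload: Dict[str, object], key: bytes) -> str:
    """Canonical JSON body plus HMAC-SHA256, both URL-safe base64, dot-separated."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def issue_assertion(issuer: str, key: bytes, subject: str, audience: str,
                    issued_at: int, ttl: int = 300) -> str:
    """Identity provider side: after the user's single login, state who they
    are, which service the statement is for, and how long it is good for."""
    payload = {"issuer": issuer, "subject": subject, "audience": audience,
               "issued_at": issued_at, "expires": issued_at + ttl}
    return sign_payload(payload, key)


def verify_assertion(token: str, expected_audience: str, now: int) -> Tuple[bool, str]:
    """Service provider side: accept only an assertion that is well formed,
    from a federation member, unmodified, addressed to us, and unexpired."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        payload = json.loads(body)
    except (ValueError, TypeError):
        return False, "malformed"
    if not isinstance(payload, dict):
        return False, "malformed"
    # The claimed issuer is unauthenticated at this point; it only selects
    # which key to check against, and an unknown issuer is rejected outright.
    key = TRUSTED_IDPS.get(payload.get("issuer"))
    if key is None:
        return False, "issuer not in federation"
    expected_sig = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    if payload.get("audience") != expected_audience:
        return False, "wrong audience"
    if not isinstance(payload.get("expires"), int) or now >= payload["expires"]:
        return False, "expired"
    return True, str(payload.get("subject"))


if __name__ == "__main__":
    idp = "https://idp.example-university.ac.uk"
    sp = "https://sp.example-college.ac.uk"
    token = issue_assertion(idp, TRUSTED_IDPS[idp], "jsmith", sp, issued_at=1_000_000)
    print(verify_assertion(token, sp, now=1_000_100))
```

The service provider never sees the user's password; the whole of the trust rests on the federation metadata, which is why the membership list and its keys are the asset to protect in a Shibboleth-style deployment.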

30

It's Not All About Hackers

In his September 2005 column for CT, Doug Gale focuses attention on the physical access layer of campus security: 'In our own discussions of cyber security, we often omit the simplest security of all: controlling physical access to our computer facilities. It used to be a tedious process to steal information from someone's computer, but the proliferation of small memory devices, personal digital assistants (PDAs), and music players that plug directly into a PC's USB port now make it possible to transfer huge amounts of information to an easily concealed gadget. It's also pretty easy to just walk off with a laptop. In short, controlling physical access to computers—those on desks or those in the computer room—is just as important as preventing hackers from accessing our networks.' Read more

31

Piracy on the Seas of Higher Education

The famous notion of Walt Kelly's Pogo, 'We Have Met the Enemy and He is Us,' may help point out another security issue: piracy. Especially in our own communities. In an April 27, 2005 issue of Campus Technology's C2 eNewsletter, Penn State President Graham Spanier writes: 'When we stand by idly and allow our students to abuse the privilege of high-speed Internet access for illegal downloading, we are failing our principles and we are failing our students. We are not campuses of thieves. Students don't go to the local Blockbuster and walk out with the latest DVD without paying. Undergrads don't go to the campus bookstore and sneak out with a new textbook. So why, we must ask ourselves, do we have such a moral blind spot when it comes to stealing on the Internet?' Read more

32

Piracy and the unintended consequences of technology

In her June 8, 2005 contribution to the C2 newsletter, Rochester Institute of Technology (NY) CIO Diane Barbour wonders whether we might be 'fighting the right battle in the wrong place... I read with interest Graham Spanier's article 'Piracy on the Seas of Higher Education' in the 4/27/2005 issue of C2. Like many other university administrators I am concerned about the lack of ethical behavior and the misuse of university resources by our students as they engage in peer-to-peer file sharing of copyrighted materials... By the time students arrive on campuses, they have been listening to music and watching movies online for several years and mostly for free. The behavior has become second nature to them. While they know the practice is illegal, it is not perceived to be particularly wrong. I think we need to focus on the root cause of this behavior which is the fact that ethical behavior, as it relates to technology, is not being taught in K-12. It is time to more actively engage our social scientists and K-12 teachers, to focus on teaching cyber ethics at an early age.' Read more

33

CALEA compliance

Security isn't just securing your own network; it's also complying with external demands from national security and law enforcement agencies. Among the range of compliance issues facing institutions is CALEA, the Communications Assistance for Law Enforcement Act. Though CALEA has been in effect since 1994, institutions are focusing on a new update that would potentially extend wiretaps to the Internet and could force institutions into an 'unfunded mandate' to make significant, costly changes to their networks in order to comply. Educause Policy Analyst Wendy Wigen sheds some light on this issue in an October 17, 2005 recorded interview, posted on the Educause Web site. Access the interview, and look for updates.

34

Cyber security makeover

Working with technology solution provider CDW-G, Barton County Community College (KS) employs a full-blown cyber security strategy. 'The increasing severity of computer viruses and malicious code has transformed information security from a low IT priority to an operational necessity,' says Charles Perkins, co-team leader, Information Services at Barton County Community College. 'The evolving cyber threats were outpacing our existing firewall technology and making it increasingly challenging to monitor and manage our IT environment efficiently.' Barton CCC took full advantage of advice from CDW-G, and among its security enhancements was a new firewall and Virtual Private Network (VPN) solution, which included a dashboard view of all subnets. Using built-in application intelligence from Check Point Software Technologies, Barton can identify and block malicious activity at the firewall, in real time. Read more