Data Privacy >> What We Can Learn From the Suits

By Joseph C. Panettieri
02/03/06
Savvy college and university administrators are engaging government and 
  business experts to ensure data security and privacy on campus. Maybe they’re 
  on to something.
 
When it comes to designing secure networks and ensuring privacy, colleges and 
  universities can learn a lot from Uncle Sam and corporate America. After all, 
  schools face many of the same privacy and information security challenges seen 
  in the business and government sectors, notes Chrisan Herrod, chief security 
  officer of the US Securities and Exchange Commission (www.sec.gov). 
  The fact of the matter is, in the age of cyber crime and identity theft, hackers 
  don’t discriminate among academia, the government, and corporate America. 
  Generally speaking, colleges and universities, small businesses, and financial 
  services firms are most frequently targeted by hackers, according to Symantec 
  Corp.’s (www.symantec.com) 
  Security Threat Report, which is published twice annually. 
Still, academia’s open, collaborative nature provides the perfect breeding 
  ground for hackers to test nefarious code. Small businesses, on the other hand, 
  are easily targeted because they typically lack dedicated IT teams. And financial 
  services firms are popular targets for hackers who are hoping to profit from 
  their attacks, notes Symantec.
“You can’t generalize about vertical markets, though,” notes 
  Darwin John, former CIO of the Federal Bureau of Investigation, and now a strategic 
  advisor for Blackwell Consulting Services (www.bcsinc.com) 
  in Chicago. “These days, everyone is a potential target for computer-related 
  crime and identity theft.” 
John points to several security trends that cut across universities, business, 
  and government. For instance:
- No. 1 concern. Senior execs across a range of industries see security as 
    their top concern in implementing converged IP networks, according to a joint 
    study released in November by AT&T Inc. (www.att.com).
- Viruses proliferate. One in every 44 e-mails received by people worldwide 
    contained a computer virus in 2005, according to an annual security report 
    by UK-based antivirus firm Sophos PLC (www.sophos.com).
- Spyware abounds. Roughly 80 percent of enterprise computers are infected 
    with some kind of adware or spyware, according to Webroot Software Inc. 
    (www.webroot.com).
- Keylogging is ‘hot.’ There are now more than 6,000 keylogging applications 
    circulating on the Internet, up 65 percent from 2005, according to VeriSign 
    Inc. (www.verisign.com). Keylogging software is spyware that records users’ 
    keystrokes and sends that confidential information—including user names 
    and passwords for financial systems—to eagerly awaiting hackers.
- Windows increasingly vulnerable? During the first half of 2005, Symantec 
    documented more than 10,866 new Windows viruses and worms, up 48 percent 
    compared to the second half of 2004. Each variant represents a new, distinct 
    threat against which administrators must protect their systems and for which 
    antivirus vendors must create a new antivirus definition.
- Gone phishing. One out of every 125 e-mail messages is now a phishing 
    attempt, according to Symantec.

With these concerns in mind, businesses now spend roughly 5.9 percent of their 
  IT budgets on security, according to Gartner Inc. (www.gartner.com), 
  the Stamford, CT-based technology research firm. Yet, that figure is conservative 
  since it only covers security-specific products (such as firewalls and antivirus 
  software), and ignores the time and effort that programmers take to design inherently 
  secure applications from the get-go. Commercial code typically has anywhere 
  from one to seven bugs per 1,000 lines of code, according to the National 
  CyberSecurity Partnership’s (NCSP; www.cyberpartnership.org) 
  Working Group on the Software Lifecycle. Despite the best efforts of the software 
  industry, the number of vulnerabilities found in commercial applications and 
  operating systems continues to rise. During the first half of 2005, Symantec 
  documented 1,862 new vulnerabilities in third-party commercial software, up 
  46 percent from the corresponding period in 2004. 
“Patching your systems before hackers exploit the vulnerabilities is 
  a never-ending battle,” says Jill Cherveny-Keough, director of Academic 
  Computing at New York Institute of Technology. 
Emulate the Best

Where does all of this business and government sector insight leave higher education? 
  Instead of designing a security and patch-management strategy from scratch, 
  say many experts, universities can leverage best practices currently used by 
  the government and big business (see “Best Practices for IT Security,” 
  below). 
For starters, universities should consider hiring a chief information security 
  officer (CISO), who reports to either the CIO or university president. A study 
  released this past December by the International Information Systems Security 
  Certification Consortium (ISC2; www.isc2.org) 
  shows that CISOs and CIOs are gaining clout in corporate boardrooms. The “ultimate 
  responsibility for information security moved up the management hierarchy, with 
  more respondents identifying the board of directors and CEO, or a CISO/CSO as 
  being accountable for their company’s information security.” 
If funding (about $150,000 or more annually) for a CISO position isn’t 
  possible, universities can turn to third-party consulting firms such as Acxiom 
  Corp. (www.acxiom.com) that 
  specialize in data privacy and security guidance. Acxiom, for instance, provides 
  privacy consulting to some of the largest organizations in the world, assisting 
  them with compliance strategies and best practices in privacy and security. 
  
Federal Guidelines
  
Uncle Sam also offers extensive advice on computer security. The National Institute 
  of Standards and Technology (NIST; www.nist.gov), 
  for one, has documented guidance for performing risk assessments across an enterprise. 
  In 2005, the SEC’s Herrod used the NIST guidelines to conduct a risk assessment 
  and policy gap analysis for a community college, and feels the information was 
  invaluable. “Universities should take a serious look at their major financial 
  systems and evaluate them using certification and accreditation guidance published 
  by NIST,” he says. This type of detailed risk assessment can alleviate 
  state and federal audit issues, and ensure that universities comply with the 
  Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability 
  and Accountability Act (HIPAA), and other compliance mandates, he notes. 
Under FERPA, for instance, schools must generally afford students who are 18 
  years or over, or attending a postsecondary institution: 
- Access to their education records 
- An opportunity to seek to have the records amended 
- Some control over the disclosure of information from the records 
Moreover, any system used for storing student medical information must comply 
  with HIPAA, which ensures patient privacy.
Another key standard worth embracing is ISO 17799 (www.17799.com). 
  The standard is a comprehensive set of controls for ensuring information security. 
  Although the federal government has not officially adopted ISO 17799, it is 
  a best practice that the SEC and most other federal financial organizations 
  use. “I encourage early adoption of this standard as a way to ensure compliance 
  with federal regulations,” says Herrod. “I recommend it even more 
  so if the university is a publicly traded entity.” 
Aside from network security, universities also must master the physical security 
  of their data centers and telecommunications facilities. Although the Federal Emergency 
  Management Agency (FEMA) drew fire for its poor response to Hurricane Katrina, 
  the organization offers proven best practices for safeguarding physical infrastructure. 
  (See www.fema.gov/library/prepandprev.shtm.) 

Best Practices for IT Security

1. Employ defense-in-depth practices, which emphasize multiple, overlapping, 
   and mutually supportive defensive systems to guard against single-point failures 
   in any specific technology or protection methodology. This should include 
   the deployment of antivirus, firewalls, intrusion detection, and intrusion 
   protection systems on client systems. Enterprises should also ensure that 
   they are actively monitoring their environments 24/7 against attack.
2. Turn off and remove unneeded services, especially default operating system 
   services that aren’t required.
3. If a blended threat exploits one or more network services, disable or block 
   access to those services until a patch is applied.
4. Always keep patch levels up to date, especially on computers that host 
   public services (such as HTTP, FTP, SMTP, and DNS servers) and are accessible 
   through a firewall.
5. Enforce an alphanumeric password policy, and consider embracing biometric 
   technology to replace passwords on highly sensitive systems, such as financial 
   operations.
6. Configure e-mail servers to block or remove e-mail that contains file attachments 
   that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, 
   and .SCR files.
7. Isolate infected computers quickly to prevent further compromise within the 
   organization. Perform a forensic analysis and restore the computers using 
   trusted media.
8. Train employees and students not to open attachments unless they are expecting 
   them. Also, do not execute software that is downloaded from the Internet unless 
   it has been scanned for viruses.
9. Ensure that emergency response procedures are in place. This includes 
   having a backup-and-restore solution in place in order to restore lost or 
   compromised data in the event of a successful attack or catastrophic data 
   loss.
10. Educate management on security budgeting needs. Enterprises typically 
   spend about 5.9 percent of their IT budgets on security. That figure is expected 
   to rise to 8 to 10 percent by 2008, according to Gartner Inc. (www.gartner.com).
11. Test security to ensure that adequate controls are in place.
12. Ensure that only applications approved by your organization are deployed 
   on desktops, mobile systems, and servers. Remember, both spyware and adware 
   could be automatically installed on systems along with file-sharing programs, 
   free downloads, and freeware and shareware versions of software, or by clicking 
   on links or attachments in e-mail messages, or via instant messaging clients. 

Sources: Symantec, Gartner, et al.
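Sidebar item 6 recommends blocking attachments by extension. The following Python script is an added illustration, not code from the article or from any vendor named in it: it parses a constructed sample message and reports the attachments a mail gateway following that rule would reject. Matching is case-insensitive on the final extension, so a double-extension name such as Statement.pdf.EXE is caught; the addresses and file contents are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types named in sidebar item 6; compared case-insensitively.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def is_blocked_name(filename):
    """True when the attachment's final extension is on the block list.

    Only the last suffix matters: 'Statement.pdf.EXE' runs as an executable,
    'notes.exe.txt' does not, so the former is caught and the latter is not.
    """
    if not filename:
        return False
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Parse a raw RFC 822 message (bytes); return attachment names violating the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads both Content-Disposition filename= and Content-Type name=
        filename = part.get_filename()
        if is_blocked_name(filename):
            hits.append(filename)
    return hits


def build_sample_message():
    """Constructed sample (not a real capture): a benign PDF, an executable
    hiding behind a double extension, and a VBScript file."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.edu"  # constructed address
    msg["To"] = "staff@example.edu"      # constructed address
    msg["Subject"] = "Q1 statement"
    msg.set_content("Statement attached.")
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(b"MZ stub", maintype="application", subtype="octet-stream",
                       filename="Statement.pdf.EXE")
    msg.add_attachment(b"' VBScript stub", maintype="application", subtype="octet-stream",
                       filename="macro.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))  # ['Statement.pdf.EXE', 'macro.vbs']
```

A gateway would quarantine or strip the message whenever the returned list is non-empty; the benign statement.pdf passes untouched.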
   
  
Best Practices from Business

Meanwhile, university CIOs can also glean security lessons from their counterparts 
  in corporate America. In particular, many businesses are more effectively addressing 
  patch management. And that’s no small feat. During a typical month, IT 
  managers must examine, test, and deploy multiple patches for operating systems 
  and applications across servers, desktops, and mobile systems. Failing to deploy 
  a patch in a timely manner can leave systems open to cyber prowlers. Deploy 
  a patch too soon—without proper testing—and the new code could wind 
  up conflicting with other IT systems, and knock applications offline.
What’s a CIO to do? Progressive IT organizations are using a combination 
  of systems management software (such as LANDesk Software’s Security Suite; 
  www.landesk.com), and application 
  management software (such as Macrovision Corp.’s FLEXnet product family; 
  www.macrovision.com). Macrovision’s 
  software creates a database of all patches applied to all university systems. 
  Using this database, administrators can determine which systems require additional 
  patching. The database also allows IT managers to track potential conflicts 
  between existing and new patches, according to a spokesperson for Macrovision. 
  LANDesk’s software, in turn, pushes patches out to targeted systems in 
  a matter of minutes. 
Many enterprises have also embraced biometric technology to safeguard mobile 
  and desktop systems used by CFOs, CEOs, and other executive leaders. The ThinkPad 
  T43P notebook, from Lenovo (www.ibm.com), 
  has built-in biometric technology that has won strong praise from corporate 
  executives. Users simply slide a finger over a biometric reader (located close 
  to the notebook’s keyboard) in order to log on to the system. “Through 
  biometrics, we’re finally transitioning from passwords,” says Edward 
  Golod, president of Revenue Accelerators (www.rac-inc.com), 
  a sales consulting firm in New York. “Within the next two to three years, 
  I think most executive leaders will make the switch to biometric-enabled notebooks.” 
Remaining Threats

Despite biometrics and other emerging technologies, it’s difficult for 
  universities and businesses to stay one step ahead of hackers. Indeed, CIOs 
  must increasingly combat automated attacks, known as “bots” (short 
  for “robots”). According to Symantec, bots are programs that are 
  covertly installed on a user’s computer in order to allow an unauthorized 
  user to control the system remotely. They are designed to let an attacker create 
  an automated network of compromised computers—known as a bot network—that 
  can be remotely controlled to collectively conduct malicious activities. In 
  the first six months of 2005, more than 10,000 Internet-connected PCs were infected 
  with bot software each day, according to Symantec. The best way to combat bot 
  systems is to keep antivirus software and patches updated.
Meanwhile, CIOs are also keeping close tabs on their voice over IP (VoIP) systems. 
  Roughly 75 percent of large US businesses have tested VoIP, according to Heavy 
  Reading (www.heavyreading.com), 
  an Internet site that tracks IP convergence. But as VoIP systems gain critical 
  mass, they become larger and larger targets for attack. Indeed, VoIP systems 
  can be vulnerable to a wide range of attacks, including:
- Attempts to discover legitimate IP phone addresses through so-called 
    “directory harvesting” techniques
- The clogging of voicemail systems with voice spam sent as audio files
- Voice phishing, in which voicemails urge users to return calls and leave 
    personal financial information
- Denial of service (DoS) attacks against voice servers
- Vulnerabilities in VoIP products that may be exploited for malicious purposes 
Still, there’s no need to panic, says Dartmouth College 
  (NH) CTO Brad Noblet. Dartmouth has used VoIP across its IT infrastructure for 
  several years. Many of the VoIP systems are based on Windows servers. As a result, 
  Noblet makes sure that those systems adhere to the same best practices for IT 
  security and patch management found with other Windows-based servers at the 
  university. 
Even so, proper security remains a moving target for universities, businesses, 
  and government agencies alike. “Unfortunately, any security fix is perishable,” 
  notes former FBI CIO John. “The threats are dynamic. Therefore the fixes 
  or solutions must be dynamic to stay ahead of the threats.”