Protecting the Oblivious
- By Rama Ramaswami
- 04/01/08
College and university technology users have been notoriously blind to their campuses' struggles to protect data from lurking threats. Now, with clever new security measures and campus community awareness initiatives, all that is changing.
When it comes to dealing with cyber attacks, there's no silver bullet. Ironically, however, college educators are already accustomed to wielding what may be the best weapon of all: education. Assaulted by the myriad species of spam, worms, Trojan horses, spyware, viruses, and other diseases that so easily infect and sometimes devastate campus networks, administrators are turning to education as a first line of defense. Many campuses are making vigorous efforts to thoroughly inform students and faculty about the threats their information systems face. Coupled with the installation of multilayered security applications, this approach is proving effective, and IT administrators point to it as a dependable way to combat cyber attacks they believe will only increase in scale and sophistication. At the same time, educators are walking a tightrope between intrusive system monitoring and maintaining the traditional freedom of an academic environment.
Increasingly, the balance may be tipping in favor of intrusion. Universities simply don't make the grade when it comes to electronic data protection, according to a recent study conducted by technology services provider CDW-G. The survey of 151 IT directors and managers from higher education institutions of various sizes reveals that 43 percent of the respondents experienced data loss or theft in 2007, a 10 percent jump over the previous year. For the second year in a row, respondents cited lack of student and faculty awareness of security threats as one of the top reasons for not having made headway against cyber attacks (see "Why So Oblivious?").
Paul Zindell, a security specialist for CDW-G, believes that the unrestricted atmosphere of universities makes them particularly vulnerable to data theft. "Higher ed environments are pretty open," he says. "People want freedom of speech, open access to wireless and the web, and a lot of students use peer-to-peer applications. This is a threat to security and also sucks up a lot of bandwidth."
In Zindell's view, a robust solution consists of a layered approach that includes a strong antivirus application, gateway spam filter, firewall, secure wireless network, encryption, and controlled access to the internal network. Yet, even institutions with these layers in place, he says, are subject to breaches by both internal and external hackers. "A lot of colleges tend to fix their systems after something bad happens," he explains. "The problem then becomes big news in the press. But colleges need to be proactive in their approach to security."
Surf's Up
At Moravian College (PA), a private liberal arts institution with about 1,500 students, being proactive means actively involving students in data protection. "The greatest threat to web security is the student," says James Beers, the college's networking manager and network engineer. "Students are coming in not knowing the dangers. What we try to do is connect with them; give them resources to educate them. They know how to go do the fun stuff on the internet, but they don't realize that their surfing habits really affect the infections their machines get."
Beers' solution has been to install an anti-spyware appliance from Mi5 Networks. The solution, called Webgate, automatically runs a program called SpyWash that informs users when their machines are infected. Users can scan and clean their computers without interrupting their work, and without IT involvement. Implemented in 2007, the system replaces a proxy-based solution that frequently got bogged down by traffic. The new application has shown results quickly: Spam is down by 60 to 70 percent. More important, student users have come to realize that security protection is in their best interest, says Beers. Now, "the students know it. They're aware that we're protecting them. Mi5 will either block access to a site altogether, or it lets them download a solution and run it. If there's a bad adware application, the site itself may come up, but the ad is blocked out."
Like other IT administrators, Beers is constantly wrestling with privacy issues. "Public machines are under our control, but we have no control over student machines, and you can't enforce [control] the way you can in a corporate environment," he says. "You can enforce it by blocking internet access; that gets students' attention. When I get an e-mail alert from Mi5, I can block access to a machine, the student can see why, and then he can go clean his machine." Still, this kind of intervention has to be handled skillfully, he explains. "A computer is an extension of a student's life. I have to respect students' privacy and help them along."
"Help" includes providing students with tools to block or at least lessen the severity of attacks. Beers says that Moravian has contracted with security software vendor Kaspersky Lab to provide students with a copy of its antivirus program to load on their machines. "That product has antirootkit and rudimentary anti-spyware," says Beers. "We also ask students to turn on their internal firewalls to protect their machines from attacks from the ResNet."
Identity Crisis
For Embry-Riddle Aeronautical University (FL), data security issues were compounded by size and geography. A giant institution with 34,000 students across residential campuses in Prescott, AZ, and Daytona Beach, FL, as well as in more than 130 centers worldwide, the university lacked not only a centralized system to track employee access to sensitive data, but also the ability to enforce cohesive security policies.
"One of the biggest challenges is making sure that we can quickly grant access as needed and just as quickly remove access that is not appropriate," says Cindy Bixler, Embry-Riddle's CIO. "We have to make sure that the right people can access the right data. A lot of universities are struggling to do that." Embry-Riddle took its first step by creating a centralized identity management system (using Oracle's Identity and Access Management Suite) to set up a single identity for all users, and automated access privileges for more than 60,000 accounts. Previously, the university had used a manual or batch process to make nearly 2,000 changes daily, which typically took 24 to 26 hours to complete and delayed updates to users. The Oracle software cut that time to less than 30 minutes, and also provides near-real-time user updates.
Unlike corporate settings, the educational environment at Embry-Riddle is in constant flux, with students, faculty, and staff changing frequently. Updating the information in various systems is no easy task, according to Eric Fisher, the institution's director of middleware and web content services. "Because of all those changes, processing was very time-consuming. We wanted a system that would manage all these accounts and do it very quickly. The Oracle system monitors a user account and looks for changes. If, for instance, a student changes apartments in the HR system, or changes degree programs, the system will make those changes automatically. It has taken a cumbersome process and shortened it."
Bixler is quick to point out that technology is only one of many ways to ensure information security. "One of the best tools is education," she says. "We have a separate security education and awareness program for the university as a whole. For example, we encourage shredding reports or not printing them out. There are several different layers of protection. We use a multilayered approach, with firewalls, identity management, timeouts, and complex passwords and logins, to mitigate the risks. Of course, if anyone abuses the access policy, they're terminated. The guardians of the data take that very seriously."
At the same time, security policies are flexible. Both Bixler and Fisher acknowledge that centralized identity control sometimes must yield to the collaborative demands of a university. Fisher likens the college's data access policies to those of a hospital, with access granted on a need-to-know basis: "A faculty adviser gets more access than a faculty member who is not an adviser. A student gets one kind of access; a student employee gets a different kind. We don't inhibit a user, but we don't provide too much access."
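The two ideas Bixler and Fisher describe, deriving access from a person's current role rather than assigning it by hand, and revoking inappropriate access as quickly as it was granted, are shown below in a small attribute-driven reconciliation routine. This is an added example written for this article, not code from Embry-Riddle and not Oracle's Identity and Access Management API; the role names, entitlement strings, and the `Person` records are all constructed for illustration, and the need-to-know ordering (adviser above plain faculty, student employee above plain student) follows Fisher's description.

```python
"""Attribute-driven access reconciliation (added example; hypothetical, not Oracle's API).

Source-of-truth records (what HR and the student system say about a person) are
mapped to roles, roles are mapped to entitlements, and reconcile() computes the
grants and revocations needed to bring the access system in line. Anyone still
holding access who is no longer in the source of truth is revoked entirely,
so removal is as fast and as automatic as a grant.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Role -> entitlements. Constructed names; a real deployment would pull these
# from the identity system's role catalogue.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "student":          {"lms:read", "email"},
    "student_employee": {"lms:read", "email", "timesheet:write"},
    "faculty":          {"lms:read", "lms:grade", "email"},
    "faculty_adviser":  {"lms:read", "lms:grade", "email", "sis:advisee_records"},
}


@dataclass(frozen=True)
class Person:
    """One source-of-truth record. affiliations is e.g. {"student", "employee"}."""
    uid: str
    affiliations: FrozenSet[str]
    is_adviser: bool = False


def roles_for(person: Person) -> Set[str]:
    """Derive roles from attributes; the more privileged role replaces the base one."""
    roles: Set[str] = set()
    if "faculty" in person.affiliations:
        roles.add("faculty_adviser" if person.is_adviser else "faculty")
    if "student" in person.affiliations:
        roles.add("student_employee" if "employee" in person.affiliations else "student")
    return roles


def desired_entitlements(person: Person) -> Set[str]:
    """Union of the entitlements of every role the person currently holds."""
    wanted: Set[str] = set()
    for role in roles_for(person):
        wanted |= ROLE_ENTITLEMENTS[role]
    return wanted


def reconcile(people: Iterable[Person],
              current_grants: Dict[str, Set[str]]
              ) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (grants, revocations), each {uid: set_of_entitlements}.

    grants      = entitlements the person should have but does not
    revocations = entitlements the person holds but should not, plus everything
                  held by uids that no longer appear in the source of truth
    """
    grants: Dict[str, Set[str]] = {}
    revocations: Dict[str, Set[str]] = {}
    known = set()
    for person in people:
        known.add(person.uid)
        want = desired_entitlements(person)
        have = current_grants.get(person.uid, set())
        if want - have:
            grants[person.uid] = want - have
        if have - want:
            revocations[person.uid] = have - want
    # Orphaned accounts: access exists, but the person is gone from HR/SIS.
    for uid, have in current_grants.items():
        if uid not in known and have:
            revocations[uid] = set(have)
    return grants, revocations


# Constructed sample data: alice was just hired as a student employee, bob has
# stopped advising, and carol has left but still holds an account.
SAMPLE_PEOPLE = [
    Person("alice", frozenset({"student", "employee"})),
    Person("bob", frozenset({"faculty"}), is_adviser=False),
]
SAMPLE_GRANTS = {
    "alice": {"lms:read", "email"},
    "bob":   {"lms:read", "lms:grade", "email", "sis:advisee_records"},
    "carol": {"email"},
}

if __name__ == "__main__":
    to_grant, to_revoke = reconcile(SAMPLE_PEOPLE, SAMPLE_GRANTS)
    print("grant:", to_grant)
    print("revoke:", to_revoke)
```

Run as-is, the sample produces one grant (alice gains `timesheet:write`) and two revocations (bob loses `sis:advisee_records`, carol loses everything). The design point is that the access system never holds state of its own; every run recomputes what each person should have from attributes, so a changed degree program or a departed employee is corrected on the next pass rather than waiting for someone to file a ticket.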
That kind of balancing act is probably one of the greatest challenges to IT security in higher ed, says Joseph Clark, senior network engineer at the College of Charleston (SC), a public university with about 11,000 students. "You have to keep everyone satisfied and meet their needs, but still provide a secure environment. In contrast, corporations can take the totalitarian view. A corporate VP of security can change anything he wants, but here there are committees involved and everyone wants to be a part of it. You're dealing with a lot of politics, so you just have to keep an open mind."
Clark found an acceptable compromise in a network-based intrusion prevention system from NitroSecurity. He has installed the vendor's NitroGuard IPS program, which detects and blocks attacks, and NitroView ESM, an appliance that allows previously separate data to be correlated and analyzed together, identifying relationships between network activity, security alerts, and events originating from device logs (including server, host, and application logs). This not only ensures security but also provides the precise reporting necessary to comply with regulatory mandates such as the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act (HIPAA). Users see no difference in their access levels or ability to transfer or receive data over the network.
The solution, installed in February 2007, has greatly shortened the time it takes to detect and repair breaches. "Before, our security tools were all over the place," Clark says. "We couldn't consolidate everything into one. Now, when we have an attack, we have all the forensics in one place. It takes 30 minutes instead of one day to correlate the data."
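What Clark describes, pulling firewall, host, and IPS records into one place and correlating them by source address and time so that a breach can be reconstructed in minutes, is the core of any security event manager. The following is an added example written for this article, not NitroSecurity's product or the College of Charleston's configuration: it parses three constructed log formats (a firewall line, an IPS alert line, and an sshd line), groups events by source address within a time window, and flags any cluster where a successful login follows failed attempts or an IPS alert. The log lines and field names are made up for the example.

```python
"""Cross-source event correlation (added example, not NitroView's format or logic).

Three constructed log formats are parsed into a common event shape, events are
grouped by source address, and clusters of events within a time window that
span at least two different log sources are reported as incidents. A cluster
in which a successful login follows failures or an IPS alert is rated high.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"

# Constructed formats; real devices need their own patterns.
PATTERNS = {
    "fw":   re.compile(rf"^{_TS} fw (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    "ips":  re.compile(rf"^{_TS} ips alert src=(?P<src>\S+) dst=(?P<dst>\S+) sig=\"(?P<sig>[^\"]+)\"$"),
    "sshd": re.compile(rf"^{_TS} (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"),
}

# Constructed sample: one address probes SSH, trips the IPS, then logs in;
# another is merely dropped by the firewall and fails one login.
SAMPLE_LOG = """\
2007-02-14 09:00:01 fw ACCEPT src=10.20.30.40 dst=172.16.5.10 dport=22
2007-02-14 09:00:02 web01 sshd: Failed password for root from 10.20.30.40
2007-02-14 09:00:03 web01 sshd: Failed password for root from 10.20.30.40
2007-02-14 09:00:05 ips alert src=10.20.30.40 dst=172.16.5.10 sig="SSH brute force"
2007-02-14 09:00:09 web01 sshd: Accepted password for admin from 10.20.30.40
2007-02-14 11:30:00 fw DROP src=192.0.2.7 dst=172.16.5.10 dport=445
2007-02-14 11:30:01 web01 sshd: Failed password for guest from 192.0.2.7
"""


def parse_line(line: str) -> Optional[dict]:
    """Normalise one log line into a dict with ts, src, source and the raw fields."""
    for source, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            ev["source"] = source
            return ev
    return None  # unknown format: ignored, a real system would count these


def _assess(src: str, cluster: List[dict]) -> List[dict]:
    """Turn a time-bounded cluster of events from one source address into 0 or 1 incidents."""
    sources = {e["source"] for e in cluster}
    if len(sources) < 2:          # single-source noise is not an incident here
        return []
    alerted = success_after_alert = False
    for e in cluster:             # cluster is already sorted by time
        if e["source"] == "ips" or (e["source"] == "sshd" and e["result"] == "Failed"):
            alerted = True
        elif e["source"] == "sshd" and e["result"] == "Accepted" and alerted:
            success_after_alert = True
    return [{
        "src": src,
        "sources": sources,
        "events": len(cluster),
        "first": cluster[0]["ts"],
        "last": cluster[-1]["ts"],
        "severity": "high" if success_after_alert else "medium",
    }]


def correlate(lines, window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Group parsed events by src, split each group at gaps longer than window, assess clusters."""
    by_src: Dict[str, List[dict]] = {}
    for line in lines:
        ev = parse_line(line.strip())
        if ev:
            by_src.setdefault(ev["src"], []).append(ev)
    incidents: List[dict] = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        cluster = [events[0]]
        for ev in events[1:]:
            if ev["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(ev)
            else:
                incidents.extend(_assess(src, cluster))
                cluster = [ev]
        incidents.extend(_assess(src, cluster))
    incidents.sort(key=lambda i: i["first"])
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG.splitlines()):
        print(inc["severity"], inc["src"], sorted(inc["sources"]), inc["events"], inc["first"], "->", inc["last"])
```

The value of having everything in one store is visible in the sample: the firewall alone shows an accepted connection, sshd alone shows some failures, and the IPS alone shows one signature hit, but only the joined view shows that the address which tripped the alert then got in as `admin`, which is the record an investigator needs first.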
Cloak-and-Dagger Tactics
It takes a lot, however, to foil a determined hacker. Campuses can't protect themselves on all fronts, especially as cyber thieves come up with ever more exotic attack methods. "Some of the things I'm seeing now I never would have thought of two years ago," says Clark. "For example, they're now using DNS [Domain Name System] to conduct peer-to-peer attacks, and DNS is usually allowed undetected through a network. There are a lot of cloaking techniques that hackers use."
Moravian's Beers shares Clark's concern: "I really think social engineering will be the next big thing. People are going to be contacted via chat or e-mail. There will be more personalization, more reconnaissance done before an attack."
In the absence of a crystal ball, many institutions are focusing on specific aspects of security, notably e-mail protection. CDW-G's Zindell believes that e-mail threats are on the rise, particularly on college campuses, which rely heavily on e-mail for communication. "Fraudulent e-mails are so perfectly made that the most sophisticated people are fooled by them," he says. "Dedicated e-mail security appliances are the best solution. There are a lot of companies that offer e-mail solutions as their only product."
Why So Oblivious?
LAST OCTOBER, CDW-G released its third annual Higher Education IT Security Report Card, a national survey of 151 higher education IT directors and managers (from a variety of postsecondary institutions) looking at the state of campus IT security.
And the results aren't good: Fifty-eight percent of respondents reported IT security breaches over the last 12 months; in fact, the survey found that data loss or theft (including the loss of staff or student personal information) increased 10 percent between 2006 and 2007. Who's to blame? Respondents not only cited inadequate funding as a barrier to IT security, but also complained of a lack of support from faculty and students. Unhappily, students' flat-out disregard of security rules and policies (more than a simple lack of awareness) was noted by respondents as the biggest barrier to IT security.
On the faculty side, however, lack of awareness was considered the greatest barrier to security technology implementation, as well as the expectation that exceptions would be made for individuals.
Two universities that have had considerable success with e-mail appliances are Penn State and Georgia Southern University. At Penn State, the Intercollegiate Athletics department, which has more than 300 e-mail users, used an innovative technique to filter spam: It isolated itself from the university's centralized IT system and installed its own open source appliance. That's because Phil Mansfield, systems administrator for the department, discovered that the university's in-house anti-spam software, installed directly on the Microsoft Outlook e-mail server, shut down antivirus functions completely when there were problems with the server. This affected e-mail performance for the entire athletics group.
"I believe that threats come from a wide variety of sources, but e-mail is the main vector," says Mansfield. "It's the easiest to attack and is always allowed through the firewall. To supplement the existing antivirus software already installed, we searched out a front-end gateway SMTP solution. We were looking for a solution that would provide greater spam filtration as well as free up the workload of the back-end provider."
Mansfield opted for SpamTitan, an open source, easy-to-use system that offers what he calls "enterprise-class features at a very affordable price." The minimal investment required gained him a quick signoff on the purchase from university officials. With installation time taking less than one hour for 500 licenses, and a 90 percent increase in spam filtration in the few months that the system has been in use, SpamTitan provided "results from day one," says Mansfield.
Jackie Robinson, IT manager at Georgia Southern, is also a fan of simple, cost-effective e-mail solutions. Two years ago, Robinson was battling a blitz of e-mail-borne denial-of-service (DoS) attacks, directory harvest attacks, and zombie computers launching outbound campaigns. At one point, she says, the college's e-mail servers were shutting down at about 1 pm daily, causing delays and forcing her to spend several hours a day writing code to combat new attacks.
Robinson turned to Message Assurance Gateway, an e-mail security system from Red Condor. "We looked at about half a dozen big names," she says. "But their applications were too complicated. We had to go through screen after screen, when all we wanted to do was plug it in and keep out spam, not take a weeklong course on how to run the application." In addition to its ease of use, the Red Condor system is highly cost-effective, blocks or quarantines 92 percent of spam, and has resulted in a major savings in staff time, according to Robinson.
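One of the attack types Robinson mentions, the directory harvest attack, has a distinctive footprint in a mail gateway's logs: a single client walks through guessed addresses and is rejected with "unknown user" far more often than any legitimate sender ever is. The check below, an added example written for this article rather than Red Condor's, SpamTitan's, or Georgia Southern's code, reads a constructed gateway log format and flags clients whose rejection count and rejection ratio inside a time window both exceed a threshold. The log lines, addresses and thresholds are made up for the example.

```python
"""Directory-harvest detection over gateway recipient logs (added example).

Log format is constructed for the example, not Red Condor's or SpamTitan's:
  <timestamp> client=<ip> rcpt=<address> status=ok|unknown_user
A client is flagged when, within a sliding time window, it produces at least
min_unknown "unknown_user" rejections and those rejections make up at least
min_ratio of its recipient attempts. The ratio keeps a busy but honest relay
that occasionally hits a mistyped address from being flagged.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) client=(?P<client>\S+) "
    r"rcpt=(?P<rcpt>\S+) status=(?P<status>ok|unknown_user)$"
)

# Constructed sample: 198.51.100.9 walks the alphabet and is rejected 7 of 8 times;
# 203.0.113.4 is a legitimate relay with one typo among four deliveries.
SAMPLE_LOG = """\
2007-09-10 13:01:00 client=198.51.100.9 rcpt=aaron@example.edu status=unknown_user
2007-09-10 13:01:01 client=198.51.100.9 rcpt=abby@example.edu status=unknown_user
2007-09-10 13:01:02 client=198.51.100.9 rcpt=adam@example.edu status=unknown_user
2007-09-10 13:01:03 client=198.51.100.9 rcpt=admin@example.edu status=ok
2007-09-10 13:01:04 client=198.51.100.9 rcpt=alan@example.edu status=unknown_user
2007-09-10 13:01:05 client=198.51.100.9 rcpt=alex@example.edu status=unknown_user
2007-09-10 13:01:06 client=198.51.100.9 rcpt=alice@example.edu status=unknown_user
2007-09-10 13:01:07 client=198.51.100.9 rcpt=amy@example.edu status=unknown_user
2007-09-10 13:02:00 client=203.0.113.4 rcpt=registrar@example.edu status=ok
2007-09-10 13:02:30 client=203.0.113.4 rcpt=bursar@example.edu status=ok
2007-09-10 13:03:00 client=203.0.113.4 rcpt=burser@example.edu status=unknown_user
2007-09-10 13:05:00 client=203.0.113.4 rcpt=admissions@example.edu status=ok
"""


def parse(lines) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group (timestamp, status) pairs by client address; unparseable lines are skipped."""
    per_client: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            per_client[m.group("client")].append((ts, m.group("status")))
    return per_client


def detect_harvesters(lines, window: timedelta = timedelta(minutes=10),
                      min_unknown: int = 5, min_ratio: float = 0.8) -> Dict[str, dict]:
    """Return {client: {"unknown", "total", "first", "last"}} for clients that look like harvesters."""
    flagged: Dict[str, dict] = {}
    for client, events in parse(lines).items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            unknown = sum(1 for _, status in span if status == "unknown_user")
            if unknown >= min_unknown and unknown / len(span) >= min_ratio:
                if best is None or unknown > best["unknown"]:
                    best = {"unknown": unknown, "total": len(span),
                            "first": span[0][0], "last": span[-1][0]}
        if best:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, stats in detect_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {stats['unknown']}/{stats['total']} unknown recipients "
              f"between {stats['first']} and {stats['last']}")
```

A gateway that runs a check like this can answer a flagged client with a temporary failure or a connection limit rather than continuing to confirm which addresses exist, which is exactly the information a harvest is after; the ratio threshold matters because a department mail relay that sends hundreds of messages and hits a few stale addresses should never trip it.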
Ultimately, even with the availability of new and better solutions, education is the best defense, as Embry-Riddle's Bixler puts it. Information security, she concedes, is a "cat-and-mouse game. We create better tools, but hackers create better ways to hack. Better education and awareness are our best tools. Our students are very trusting of technology; they grew up with it. We owe them the knowledge so they can keep themselves safe. This challenge is not unique to universities. In every setting, the uneducated employee is the worst threat."