8 Spots for Tightening Security <br>on Campus

• By Linda L. Briggs
• 01/21/04

Security is a tough challenge these days in any environment. On college and university campuses, keeping data and systems secure is even tougher. That's true for several reasons: academic environments encourage open atmospheres that are conducive to security vulnerabilities; file-swapping remains a popular, if often illegal, activity for students; funds and personnel are usually spread thin; and many campuses run heterogeneous environments with a range of hardware and software, some owned by the school, some by the students. Adding wireless to the mix, as many schools now have done, compounds the problem.

Your challenge is to lock down your campus even under those conditions - while keeping your constituents reasonably happy with their access to information and services. It's a delicate balance, no doubt. To help you see how your peers are handling security, Syllabus talked with CIOs, Chief Security Officers and other IT managers at several institutions about their top concerns and how they're addressing them. From those discussions, we've put together the following list of security hot spots. You may find some of the ideas very useful; the rest may simply give you a sense of kinship with others in IT who are facing the same challenges you do in securing their own campuses.

1. Educate Every User

Nearly everyone we spoke with brought this up. Any IT administrator needs to spread the word on secure computing practices, but compounding your challenge is that a portion of your user base turns over each year, leaving you with a new set of customers to educate. You also must grant rights to technology resources initially, and probably adjust them during the year. Finally, you need to reclaim a student's access quickly once the student leaves school.

Ariel Silverstone, chief information security officer at 35,000-student Temple University outside Philadelphia, finds security awareness to be his No. 1 challenge. Unlike in a government or corporate environment, where the need for security is obvious, he points out that universities must work with users who are accustomed to open environments and often don't even think about security concerns. For example, "students today have always been able to download MP3" files, Silverstone points out, and many take file-sharing technologies for granted without considering how security might be compromised.

Silverstone says that Temple has successfully used a variety of methods to educate users on computer security, including posters, e-mail blasts, brochures, seminars, and a recent "security day" on campus that featured Pez containers shaped like bugs.

At the Rochester Institute of Technology, CIO Diane Barbour described similar ongoing education efforts, such as a recent "security week" that included students and faculty helping to present seminars on security. One focus: What users themselves can do to secure their own systems, as well as how the IT department can help.

2. Focus on Virus Protection

If you have limited resources, this is the place to start. Temple University's Silverstone sees viruses as the most obvious and pervasive security hole on virtually any campus, and the one to attack first. His advice, which he's followed successfully at Temple: Get an anti-virus product, install it, and make it mandatory on every machine, both clients and servers. He also highly recommends firewalls where possible. At Temple, with 35,000 students, "we catch 1,400 viruses a day," Silverstone says, which equates to 1,400 service calls a day that aren't happening. Last year's Blaster virus, he estimates, cost the university half a million dollars - and that figure would have been higher if Temple hadn't stopped it fairly quickly.

But firewalls aren't always workable, as Carnegie Mellon University's John K Lerchey points out. "There's no way we can put up firewalls," Lerchey, the computer and network security coordinator for the campus, says. "We have researchers with such a wide variety of software and research… It's difficult to dictate which ports you can and cannot use." Firewalls, he concludes, are "a great solution on desktop machines," but to deploy a firewall solution campus-wide, Carnegie would need a full-time person to maintain the firewall rules alone.

Widely distributed virus protection, he concurs, is much easier. "We distribute [Symantec's] Norton Antivirus - anyone can get and use it." Since 99 percent of viruses attack Windows machines, Lerchey says, simply keeping virus checkers installed and up-to-date is a huge help. He says Carnegie Mellon just released a new virus installer that is set by default to update users' virus software every day instead of every week, the previous default.

"Get an anti-virus product, install it, and make it mandatory on every machine, both clients and servers."

Also, virus protection is best if extended beyond the desktop, as this case study from Virginia Tech. With 70,000 users, Virginia Tech's IT staff recently decided they needed a more pervasive security solution. The staff expanded the virus protection program beyond users' desktops, realizing they needed more than a security solution that depended on users maintaining up-to-date files on their computers.

Virginia Tech chose a specialized solution: a messaging appliance that checks for viruses on the server side. Whatever you choose to protect the enterprise, be sure to get a site license that allows you to provide every student's system with virus protection, thus giving you a security solution that's centrally managed. And in your education efforts, remember to stress the importance of virus protection at the server and workstation tiers.

3. Educate Faculty

Students, of course, aren't your entire user base; faculty and staff use the networks as well. For example, you'll want to discourage faculty from things like using e-mail improperly (using unencrypted e-mail to send out grades, for example). Again, provide both education and the software and guidance needed to do the job correctly.

At the Rochester Institute of Technology, Barbour says the security issue that keeps her awake at night is unauthorized software running somewhere on campus that isn't under the central IT umbrella. "That's where I'm focusing most of my attention right now…. [Those systems] could be very vulnerable to hacking." One theoretical example: A specialized program set up by an individual faculty member on his or her computer, without the proper security clearance or configuration. To help with addressing the issue, RIT now has a full-time Information Security Officer who develops policies to help make sure systems are secure.

4. Stop Denial of Service Attacks

In its simplest form, a denial of service attack sends more data to your network than it can handle, thus overflowing the buffers and resulting in a loss of service to users. Most DoS attacks are malicious and intended to bring the network down, and though they typically don't destroy data, they can. Some recent viruses can be classified as denial of service attacks.

As with many things having to do with campus security, a college or university network may be especially susceptible to a DoS attack because of its openness. Versions of Microsoft Windows, by far the most popular operating systems for hacking, are especially vulnerable.

There are many ways to protect your network, from virus software to firewalls to how you configure your operating systems. For a primer on defeating denial-of-service attacks, you can start with this useful article from SANS, a well-respected security research, training and certification institute. The article contains instructions for administrators on, among other things, preventing your network from being used as a broadcast amplification site - an unwitting accomplice in a denial-of-service attack.

5. Sell Security to Management

Here's another challenge for all IT professionals, but that may be especially tough on campus because of tight funds: getting management on board for any security push. It's important that your school's top managers see security as the priority it is, and act accordingly - that is, that they allocate realistic funds for the software you need to lock down your systems, for education programs, and for adequate personnel.

Management responds to numbers, so putting together estimates on what security breaches are costing the school in terms of down time, hours spent by your staff repairing the damage, and so forth, can be effective. Damage to the school's reputation can also be a warning point; many large-scale cyber-attacks have made ample use of university computers.

For Susan Monsen, director of IT services at Yale University's Law School, lack of resources is definitely an issue. Her biggest challenge: Dealing with compromised student laptops on the network. "We don't have a way to scan and remove viruses" automatically system-wide yet, she says. "That's something we're working on." Regarding security in general, she says, "There are good tools out there, but they're very expensive."

"There are good tools out there, but they're very expensive."

The problem peaked in September at the law school, when a widely spread virus was attacking Microsoft operating systems and unsuspecting students returned to campus with infected laptops. Now, the problem is down to three or four laptops a week, she says.

Requiring students to register their network cards in order to get access outside the campus on the university's network helps, she says - students can then be tracked down through a database and contacted if necessary through their network IDs.

6. Set and Enforce Testing Standards

As you continue to develop, integrate, and enforce working security policies for your organization, cooperation and communication among various groups on campus are key. Among other things, this becomes important in setting and enforcing testing standards for how new software is deployed. In examining how an SQL server was compromised, a case study from the University of Memphis highlights the importance of policies for making sure that testing is conducted in keeping with agreed-upon security policies. As the authors of the case study conclude in one of their findings after the security breach was closed, agreeing on what tests are required before deployment into the production environment is paramount:

"Equilibrium between experimentation and security standards must be established. It may not be appropriate to deploy an application into a production environment unless appropriate security testing has been performed… Service administrators must understand the importance of securing, and keeping secure, the production environments upon which services depend."

7. Review Data Retention Policies

With the enactment of the USA Patriot Act in 2001 ("Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001"), data retention has become a security hot spot.

Setting record-retention policies, never easy, has become even more difficult. According to Fred Beshears, senior strategist at Educational Technology Services at the University of California-Berkeley, FERPA, an older government mandate to protect student records, conflicts with the Patriot Act, which allows for governmental access to student records in some cases. In short, Beshears says, "You get into all these gnarly problems on [privacy]."

For an in-depth discussion of the conflicts of privacy and security on today's campus, and some insights into the issue, read the in-depth discussion by Kent Wada, information technology security and policy coordinator at the University of California-Los Angeles.

Among other things, Wada notes that in the face of the Patriot Act and other legislation, security concerns regarding e-mail become more difficult than ever and probably need to be reviewed and reassessed. "The balancing act is to keep relevant data only as long as it is legitimately needed, and no longer, lest it become a liability."

"The balancing act is to keep relevant data only as long as it is legitimately needed, and no longer, lest it become a liability."

He notes that this same balancing act applies in other areas of data as well: "This is also true for electronic records of another sort: computer transaction logs. Web servers, e-mail servers, and other network devices all automatically note when services are used… Policies should be viewed in the larger records management context rather than as a separate effort. "

8. Curb File Sharing

The still hugely popular practice of file sharing, particularly videos and music, via peer-to-peer software, remains an obvious Achilles heel.

As Wada notes in his article on campus security versus privacy, recording and motion picture industry executives are pushing schools to do more to curb illicit file sharing, thus turning up the heat on IT administrators. Not only is file sharing generally illegal, depending on what's being shared, but peer-to-peer networks, of course, are a huge security risk.

Many colleges and universities are fighting the file-sharing issue through attempts at education on their Web sites. For example, the University of California at Davis offers this article for students on legitimate music download sites and options: http://technews.ucdavis.edu/news2.cfm?id=623. Also, articles like this one on the University of Wisconsin-Madison Web site , which clearly state that the recording industry in now prosecuting individuals for file-sharing violations, are becoming more common. And Penn State is modeling for students the good practice of staying within the law by providing students with legal means to download music files. As part of the education process, and to remind students of the facts about file sharing, consider posting similar information and tools on your own campus Web site or portal if you haven't already.

An Ongoing Challenge

IT administrators tasked with campus security face special challenges. But the struggle for a secure campus isn't a futile one; there are many steps you can take to help ensure that you, along with faculty, students and staff, sleep easier at night. In general, it's probably best to look at security as an ongoing challenge, one that will require some of your resources for a long time to come.

In fact, Rochester Institute of Technology's Barbour predicts that things will get worse before they get better, as society and IT experts only gradually get security issues under control and can begin to act proactively. "We're just seeing the tip of the iceberg. The worst of it is yet to come, and it's going to take a while to catch up." Accept the security challenge and begin now to tighten your campus networks.