First Steps First

If you’re relying on the next whiz-bang technology to finally secure your network, you’re missing your best defense.

Anywhere, January 3, 2005. Longtime resident John D'e today charged the Anywhere Police Department with negligence in the recent burglary of his home in the exclusive but crime-plagued Ocean View Community. Police spokesman I.M. Harried responded to reporters that a preliminary investigation indicated that the home had been unlocked and that the owner, who was in Hawaii for a two-week vacation, had left all the doors and windows open to air out the house. It appeared that the home alarm system had not been activated. Mr. D'e is seeking unspecified damages from the city.

While we’ve all experienced e-mail spam and computer viruses, higher education has generally treated network security as an annoyance rather than a serious threat. Other than complaining after each incident, college and university administrators largely ignore the underlying problems—which may more closely resemble John D'e throwing open his doors and windows before departing for Hawaii than we’d like to think. Think about it: How many students regularly scan their computers for viruses? How many faculty are concerned about unauthorized network connections? How many staff members and students set up rogue wireless networks? How many administrators care about policies addressing the ownership of radio frequency spectrum on campus?

The reality is that network attacks are surging and have the potential to seriously disrupt the way we do business on campus. In fact, they already have: You may recall the story about the prestigious West Coast university recently reporting that a computer hacker accessed the names, Social Security numbers, and personal data of about 1.4 million people after breaking into a campus researcher’s database which was being used to study home healthcare.

Who is legally liable for the identity theft resulting from such an attack? Is the researcher liable? The university? Or is it the state agency, which provided the researcher with his data?

Silicon vs. Carbon

Historically, higher education’s answer has been to call for more technical gizmos, such as firewalls, to protect the perimeter of the campus network and the core backbone. But I say: That’s analogous to trying to stop bank robberies and burglaries by asking the police to throw a cordon around an entire city and to increase street patrols. It may help, but it sure won’t eliminate burglaries.

The problem is carbon based, not silicon based. It seems to be human nature to avoid accepting responsibility for our own actions, and look for a technical “quick fix” to the problems that are actually the result of our own behavior. Just as reducing the risk of burglary starts with locking the doors and windows, network security starts at the desktop. Ask yourself these questions:

  • Have all current patches to the operating system been applied?
  • Are anti-virus software scans done regularly with up-to-date tools?
  • Is this being done for every computer on campus?
  • Are the applications themselves secured?
  • Is sensitive personal information sent unencrypted across the network?
  • In short, do we meet the test of common sense?

Unfortunately, the corporate-style solution of locking down every machine, prohibiting users from installing anything but corporate-approved and -monitored software, and enforcing organizational polices by draconian methods (“Deviate from company IT policy and you’re fired.”) isn’t an attractive option for higher education. If we are to retain the open and creative environment we cherish, we must nurture a culture that places the emphasis on individual responsibility in support of institutional requirements.

Here again, the analogy about protecting one’s own property is useful. In response to a growing number of bank robberies in the early 1990s, Bankers’ Hotline editorialized in their December 1992 issue, “The first thing banks, savings and loans, and credit unions must do is change some of their attitudes, which classify robberies as a simple cost of doing business. We have to return to the good old days of banking when such acts were viewed as a personal affront to the institution itself and to the community as a whole.”

Three Components of Information Security

Campus information security in the age of computers and computer networks has three components:

One—A culture that expects, indeed demands, individual and institutional responsibility and accountability. If we don’t in our heart of hearts believe that information security is important, then the rest d'esn’t really matter.

Two—A set of institutional policies that codifies institutional and personal expectations, requirements, responsibilities, and procedures. Since these policies represent a tradeoff between individual and institutional risk, and the individual freedoms that have made higher education an engine for innovation and discovery, they must be widely discussed before adoption. Only then are we prepared to deploy the final component...

Three—A layered defense of campus information that uses both technical gizmos and human expertise. This layered defense must be based upon a robust process of identity management that guarantees we are who we say we are and that we have the appropriate authorization to get the information we seek.

Steve Hare, associate VP for Security and Privacy at Purdue University (IN) puts it this way, “Despite your best efforts, you can’t eliminate network intrusions; the best you can do is reduce institutional risk and exposure—and that can only be done by a layered defense, based on institutional policy, best practices, and increased awareness, that starts at the desktop and works it way to the campus perimeter.”

In upcoming columns on security, we’ll explore campus culture and policies in more detail, as well as your best-layered defense based upon identify management. In the meantime, watch those doors and windows.

Featured

  • two large brackets facing each other with various arrows, circles, and rectangles flowing between them

    1EdTech Partners with DXtera to Support Ed Tech Interoperability

    1EdTech Consortium and DXtera Institute have announced a partnership aimed at improving access to learning data in postsecondary and higher education.

  • Abstract geometric shapes including hexagons, circles, and triangles in blue, silver, and white

    Google Launches Its Most Advanced AI Model Yet

    Google has introduced Gemini 2.5 Pro Experimental, a new artificial intelligence model designed to reason through problems before delivering answers, a shift that marks a major leap in AI capability, according to the company.

  •  laptop on a clean desk with digital padlock icon on the screen

    Study: Data Privacy a Top Concern as Orgs Scale Up AI Agents

    As organizations race to integrate AI agents into their cloud operations and business workflows, they face a crucial reality: while enthusiasm is high, major adoption barriers remain, according to a new Cloudera report. Chief among them is the challenge of safeguarding sensitive data.

  • stylized AI code and a neural network symbol, paired with glitching code and a red warning triangle

    New Anthropic AI Models Demonstrate Coding Prowess, Behavior Risks

    Anthropic has released Claude Opus 4 and Claude Sonnet 4, its most advanced artificial intelligence models to date, boasting a significant leap in autonomous coding capabilities while simultaneously revealing troubling tendencies toward self-preservation that include attempted blackmail.