First Steps First

If you’re relying on the next whiz-bang technology to finally secure your network, you’re missing your best defense.

Anywhere, January 3, 2005. Longtime resident John Doe today charged the Anywhere Police Department with negligence in the recent burglary of his home in the exclusive but crime-plagued Ocean View Community. Police spokesman I.M. Harried responded to reporters that a preliminary investigation indicated that the home had been unlocked and that the owner, who was in Hawaii for a two-week vacation, had left all the doors and windows open to air out the house. It appeared that the home alarm system had not been activated. Mr. Doe is seeking unspecified damages from the city.

While we’ve all experienced e-mail spam and computer viruses, higher education has generally treated network security as an annoyance rather than a serious threat. Other than complaining after each incident, college and university administrators largely ignore the underlying problems—which may more closely resemble John Doe throwing open his doors and windows before departing for Hawaii than we’d like to think. Think about it: How many students regularly scan their computers for viruses? How many faculty are concerned about unauthorized network connections? How many staff members and students set up rogue wireless networks? How many administrators care about policies addressing the ownership of radio frequency spectrum on campus?

The reality is that network attacks are surging and have the potential to seriously disrupt the way we do business on campus. In fact, they already have: You may recall the story about the prestigious West Coast university recently reporting that a computer hacker accessed the names, Social Security numbers, and personal data of about 1.4 million people after breaking into a campus researcher’s database which was being used to study home healthcare.

Who is legally liable for the identity theft resulting from such an attack? Is the researcher liable? The university? Or is it the state agency, which provided the researcher with his data?

Silicon vs. Carbon

Historically, higher education’s answer has been to call for more technical gizmos, such as firewalls, to protect the perimeter of the campus network and the core backbone. But I say: That’s analogous to trying to stop bank robberies and burglaries by asking the police to throw a cordon around an entire city and to increase street patrols. It may help, but it sure won’t eliminate burglaries.

The problem is carbon based, not silicon based. It seems to be human nature to avoid accepting responsibility for our own actions, and look for a technical “quick fix” to the problems that are actually the result of our own behavior. Just as reducing the risk of burglary starts with locking the doors and windows, network security starts at the desktop. Ask yourself these questions:

  • Have all current patches to the operating system been applied?
  • Are anti-virus software scans done regularly with up-to-date tools?
  • Is this being done for every computer on campus?
  • Are the applications themselves secured?
  • Is sensitive personal information sent unencrypted across the network?
  • In short, do we meet the test of common sense?

Unfortunately, the corporate-style solution of locking down every machine, prohibiting users from installing anything but corporate-approved and -monitored software, and enforcing organizational policies by draconian methods (“Deviate from company IT policy and you’re fired.”) isn’t an attractive option for higher education. If we are to retain the open and creative environment we cherish, we must nurture a culture that places the emphasis on individual responsibility in support of institutional requirements.

Here again, the analogy about protecting one’s own property is useful. In response to a growing number of bank robberies in the early 1990s, Bankers’ Hotline editorialized in their December 1992 issue, “The first thing banks, savings and loans, and credit unions must do is change some of their attitudes, which classify robberies as a simple cost of doing business. We have to return to the good old days of banking when such acts were viewed as a personal affront to the institution itself and to the community as a whole.”

Three Components of Information Security

Campus information security in the age of computers and computer networks has three components:

One—A culture that expects, indeed demands, individual and institutional responsibility and accountability. If we don’t in our heart of hearts believe that information security is important, then the rest doesn’t really matter.

Two—A set of institutional policies that codifies institutional and personal expectations, requirements, responsibilities, and procedures. Since these policies represent a tradeoff between individual and institutional risk, and the individual freedoms that have made higher education an engine for innovation and discovery, they must be widely discussed before adoption. Only then are we prepared to deploy the final component...

Three—A layered defense of campus information that uses both technical gizmos and human expertise. This layered defense must be based upon a robust process of identity management that guarantees we are who we say we are and that we have the appropriate authorization to get the information we seek.

Steve Hare, associate VP for Security and Privacy at Purdue University (IN), puts it this way: “Despite your best efforts, you can’t eliminate network intrusions; the best you can do is reduce institutional risk and exposure—and that can only be done by a layered defense, based on institutional policy, best practices, and increased awareness, that starts at the desktop and works its way to the campus perimeter.”

In upcoming columns on security, we’ll explore campus culture and policies in more detail, as well as your best layered defense based upon identity management. In the meantime, watch those doors and windows.
