Data Privacy >> What We Can Learn From the Suits
- By Joseph C. Panettieri
Savvy college and university administrators are engaging government and
business experts to ensure data security and privacy on campus. Maybe they’re
on to something.
When it comes to designing secure networks and ensuring privacy, colleges and
universities can learn a lot from Uncle Sam and corporate America. After all,
schools face many of the same privacy and information security challenges seen
in the business and government sectors, notes Chrisan Herrod, chief security
officer of the US Securities and Exchange Commission (www.sec.gov).
The fact of the matter is, in the age of cyber crime and identity theft, hackers
don’t discriminate among academia, the government, and corporate America.
Generally speaking, colleges and universities, small businesses, and financial
services firms are most frequently targeted by hackers, according to Symantec
Security Threat Report, which is published twice annually.
Still, academia’s open, collaborative nature provides the perfect breeding
ground for hackers to test nefarious code. Small businesses, on the other hand,
are easily targeted because they typically lack dedicated IT teams. And financial
services firms are popular targets for hackers who are hoping to profit from
their attacks, notes Symantec.
“You can’t generalize about vertical markets, though,” notes
Darwin John, former CIO of the Federal Bureau of Investigation, and now a strategic
advisor for Blackwell Consulting Services (www.bcsinc.com)
in Chicago. “These days, everyone is a potential target for computer-related
crime and identity theft.”
John points to several security trends that cut across universities, business,
and government. For instance:
- No. 1 concern. Senior execs across a range of
industries see security as their top concern in implementing converged IP
networks, according to a joint study released in November by AT&T Inc.
- Viruses proliferate. One in every 44 e-mails
received by people worldwide contained a computer virus in 2005, according
to an annual security report by UK-based antivirus firm Sophos PLC (www.sophos.com).
- Spyware abounds. Roughly 80 percent of enterprise
computers are infected with some kind of adware or spyware, according to Webroot
Software Inc. (www.webroot.com).
- Keylogging is ‘hot.’ There are now
more than 6,000 keylogging applications circulating on the Internet, up 65
percent from 2005, according to VeriSign Inc. (www.verisign.com).
Keylogging software is spyware that records users’ keystrokes and sends
that confidential information—including user names and passwords for
financial systems—to eagerly awaiting hackers.
- Windows increasingly vulnerable? During the first
half of 2005, Symantec documented more than 10,866 new Windows viruses and
worms, up 48 percent compared to the second half of 2004. Each variant represents
a new, distinct threat against which administrators must protect their systems
and for which antivirus vendors must create a new antivirus definition.
- Gone phishing. One out of every 125 e-mail messages
is now a phishing attempt, according to Symantec.
With these concerns in mind, businesses now spend roughly 5.9 percent of their
IT budgets on security, according to Gartner Inc. (www.gartner.com),
the Stamford, CT-based technology research firm. Yet, that figure is conservative
since it only covers security-specific products (such as firewalls and antivirus
software), and ignores time and effort that programmers take to design inherently
secure applications from the get-go. Commercial code typically has anywhere
from one to seven bugs per 1,000 lines of code, according to the National
CyberSecurity Partnership’s (NCSP; www.cyberpartnership.org)
Working Group on the Software Lifecycle. Despite the best efforts of the software
industry, the number of vulnerabilities found in commercial applications and
operating systems continues to rise. During the first half of 2005, Symantec
documented 1,862 new vulnerabilities in third-party commercial software, up
46 percent from the corresponding period in 2004.
“Patching your systems before hackers exploit the vulnerabilities is
a never-ending battle,” says Jill Cherveny-Keough, director of Academic
Computing at New York Institute of Technology.
Emulate the Best
Where d'es all of this business and government sector insight leave higher education?
Instead of designing a security and patch-management strategy from scratch,
say many experts, universities can leverage best practices currently used by
the government and big business (see “Best Practices for IT Security,”
For starters, universities should consider hiring a chief information security
officer (CISO), who reports to either the CIO or university president. A study
released this past December by the International Information Systems Security
Certification Consortium (ICS2; www.isc2.org)
shows that CISOs and CIOs are gaining clout in corporate boardrooms. The “ultimate
responsibility for information security moved up the management hierarchy, with
more respondents identifying the board of directors and CEO, or a CISO/CSO as
being accountable for their company’s information security.”
If funding (about $150,000 or more annually) for a CISO position isn’t
possible, universities can turn to third-party consulting firms such as Acxiom
Corp. (www.acxiom.com) that
specialize in data privacy and security guidance. Acxiom, for instance, provides
privacy consulting to some of the largest organizations in the world, assisting
them with compliance strategies and best practices in privacy and security.
Uncle Sam also offers extensive advice on computer security. The National Institute
of Standards and Technology (NIST; www.nist.gov),
for one, has documented guidance for performing risk assessments across an enterprise.
In 2005, the SEC’s Herrod used the NIST guidelines to conduct a risk assessment
and policy gap analysis for a community college, and feels the information was
invaluable. “Universities should take a serious look at their major financial
systems and evaluate them using certification and accreditation guidance published
by NIST,” he says. This type of detailed risk assessment can alleviate
state and federal audit issues, and ensure that universities comply with the
Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability
and Accountability Act (HIPAA), and other compliance mandates, he notes.
Under FERPA, for instance, schools must generally afford students who are 18
years or over, or attending a postsecondary institution:
- Access to their education records
- An opportunity to seek to have the records amended
- Some control over the disclosure of information
from the records
Moreover, any system used for storing student medical information must comply
with HIPAA, which ensures patient privacy.
Another key standard worth embracing is ISO 17799 (www.17799.com).
The standard is a comprehensive set of controls for ensuring information security.
Although the federal government has not officially adopted ISO 17799, it is
a best practice that the SEC and most other federal financial organizations
use. “I encourage early adoption of this standard as a way to ensure compliance
with federal regulations,” says Herrod. “I recommend it even more
so if the university is a publicly traded entity.”
Aside from network security, universities also must master physical security
of their data centers and telecommunications facilities. Although Federal Emergency
Management Agency (FEMA) drew fire for its poor response to Hurricane Katrina,
the organization offers proven best practices for safeguarding physical infrastructure.
Best Practices for IT Security
1. Employ defense-in-depth practices, which emphasize multiple, overlapping,
and mutually supportive defensive systems to guard against single-point failures
in any specific technology or protection methodology. This should include
the deployment of antivirus, firewalls, intrusion detection, and intrusion
protection systems on client systems. Enterprises should also ensure that
they are actively monitoring their environments 24/7 against attack.
2. Turn off and remove unneeded services, especially default operating system
services that aren’t required.
3. If a blended threat exploits one or more network services, disable or block
access to those services until a patch is applied.
4. Always keep patch levels up to date, especially on computers that host
public services (such as HTTP, FTP, SMTP, and DNS servers) and are accessible
through a firewall.
5. Enforce an alphanumeric password policy, and consider embracing biometric
technology to replace passwords on highly sensitive systems, such as financial
6. Configure e-mail servers to block or remove e-mail that contains file attachments
that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF,
and .SCR files.
7. Isolate infected computers quickly to prevent further compromise within
organization. Perform a forensic analysis and restore the computers using
8. Train employees and students not to open attachments unless they are expecting
them. Also, do not execute software that is downloaded from the Internet unless
it has been scanned for viruses.
9. Ensure that emergency response procedures are in place. This includes
having a backup-and-restore solution in place in order to restore lost or
compromised data in the event of a successful attack or catastrophic data
10. Educate management on security budgeting needs. Enterprises typically
spend about 5.9 percent of their IT budgets on security. That figure is expected
to rise to 8 to 10 percent by 2008, according to Gartner Inc (www.gartner.com).
11. Test security to ensure that adequate controls are in place.
12. Ensure that only applications approved by your organization are deployed
on desktops, mobile systems, and servers. Remember, both spyware and adware
could be automatically installed on systems along with file-sharing programs,
free downloads, and freeware and shareware versions of software, or by clicking
on links or attachments in e-mail messages, or via instant messaging clients.
Sources: Symantec, Gartner, et al
Best Practices from Business
Meanwhile, university CIOs can also glean security lessons from their counterparts
in corporate America. In particular, many businesses are more effectively addressing
patch management. And that’s no small feat. During a typical month, IT
managers must examine, test, and deploy multiple patches for operating systems
and applications across servers, desktops, and mobile systems. Failing to deploy
a patch in a timely manner can leave systems open to cyber prowlers. Deploy
a patch too soon—without proper testing—and the new code could wind
up conflicting with other IT systems, and knock applications offline.
What’s a CIO to do? Progressive IT organizations are using a combination
of systems management software (such as LANDesk Software’s Security Suite;
www.landesk.com), and application
management software (such as Macrovision Corp.’s FLEXnet product family;
software creates a database of all patches applied to all university systems.
Using this database, administrators can determine which systems require additional
patching. The database also allows IT managers to track potential conflicts
between existing and new patches, according to a spokesperson for Macrovision.
LANDesk’s software, in turn, pushes patches out to targeted systems in
a matter of minutes.
Many enterprises have also embraced biometric technology to safeguard mobile
and desktop systems used by CFOs, CEOs, and other executive leaders. The ThinkPad
T43P notebook, from Lenovo (www.ibm.com),
has built-in biometric technology that has won strong praise from corporate
executives. Users simply slide a finger over a biometric reader (located close
to the notebook’s keyboard) in order to log on to the system. “Through
biometrics, we’re finally transitioning from passwords,” says Edward
Golod, president of Revenue Accelerators (www.rac-inc.com),
a sales consulting firm in New York. “Within the next two to three years,
I think most executive leaders will make the switch to biometric-enabled notebooks.”
Despite biometrics and other emerging technologies, it’s difficult for
universities and businesses to stay one step ahead of hackers. Indeed, CIOs
must increasingly combat automated attacks, known as “bots” (short
for “robots”). According to Symantec, bots are programs that are
covertly installed on a user’s computer in order to allow an unauthorized
user to control the system remotely. They are designed to let an attacker create
an automated network of compromised computers—known as a bot network—that
can be remotely controlled to collectively conduct malicious activities. In
the first six months of 2005, more than 10,000 Internet-connected PCs were infected
with bot software each day, according to Symantec. The best way to combat bot
systems is to keep antivirus software and patches updated.
Meanwhile, CIOs are also keeping close tabs on their voice over IP (VoIP) systems.
Roughly 75 percent of large US businesses have tested VoIP, according to Heavy
an Internet site that tracks IP convergence. But as VoIP systems gain critical
mass, they become larger and larger targets for attack. Indeed, VoIP systems
can be vulnerable to a wide range of attacks, including:
- Attempts to discover legitimate IP phone addresses
through so-called “directory harvesting” techniques
- The clogging of voicemail systems with voice
spam sent as audio files
- Voice phishing, in which voicemails urge users
to return calls and leave personal financial information
- Denial of service (DoS) attacks against voice
- Vulnerabilities in VoIP products that may be
exploited for malicious purposes
Still, there’s no need to panic, says Dartmouth College
(NH) CTO Brad Noblet. Dartmouth has used VoIP across its IT infrastructure for
several years. Many of the VoIP systems are based on Windows servers. As a result,
Noblet makes sure that those systems adhere to the same best practices for IT
security and patch management found with other Windows-based servers at the
Even so, proper security remains a moving target for universities, businesses,
and government agencies alike. “Unfortunately, any security fix is perishable,”
notes former FBI CIO John. “The threats are dynamic. Therefore the fixes
or solutions must be dynamic to stay ahead of the threats.”