Colloquy Moderator
Guest
« on: April 30, 2004, 09:03:08 AM »
A Chronicle investigation of audits of campus computer systems shows that many colleges are failing to protect their systems and data from hackers and snooping employees, as well as to evaluate the security risks to their networks. Can colleges make their networks more secure without jeopardizing their culture of openness and collaboration? Should colleges be required to publicly disclose breaches in computer security as they do campus crime?
Sam Liles
Guest
« Reply #1 on: May 03, 2004, 04:13:53 AM »
Higher education information technology is vulnerable to exploitation via several delivery mechanisms. The vulnerability is increased due to the prevalence of open, unprotected, unmonitored systems and network ports within the confines of the university. Computing systems can be infected by email attachments that are opened on a shared computing resource, and systems can be infected from infected media such as CD-ROM or disks. Add to this the fact that drop-in laptop stations are being added to campus networks and security will be compromised. Further remove security by removing physical access requirements by adding wireless and CIOs will wake in a cold sweat. Simple and effective tools are widely available that a client can run if attached to the network and capable of stealing data and passwords sent in plain text. The medium of communication is moot. Universities straddle a difficult chasm with one foot in academic freedom represented by open information access (read no restricted content filtering), and the other foot rooted to protecting confidential information assets. Segmentation of networks is one method of protecting information. With student workers, and staff who are students, risk of infection is still rampant as media and people move through the university resources including from protected to unprotected assets. As we replicate the medieval metaphor of castles and walls within academia in attempts to protect information assets we appear to forget that model failed with each attempt. Castles were breached by the catapult, and battleships (floating castles) were sunk by the invisible submarine. Bigger firewalls, better intrusion detection systems, virus protection are all great after-the-fact technologies. Academia should take a lead in developing protection methods that are proactive. Before academia can do that they have to clean house and at least implement the current protection processes and technologies.
A new risk for academia is litigation. You have to worry about being sued by students whose records are stolen or released. You have to worry about data or intellectual property being compromised. You have to now worry about your network being used as a tool of criminal enterprise. http://www.theregister.co.uk/2004/04/30/spam_biz/ contains a story about possible criminal utilization for profit. If that was the case and you were some mega-dollar business wouldn’t you want to swat the gnats that allowed their networks to be used for nefarious purposes? Especially if you found out they had been audited and did nothing to protect/fix their network? The castle approach to security was appropriate for a time. Unfortunately while the inhabitants were walled up the fields of information went fallow, the ideas became stagnant, and new breaching techniques were developed. The approach to information assurance at the university must keep ahead of the techniques being used to compromise it. Unfortunately from the evidence provided in the colloquium here it appears that given a detailed set of problems and a set of requirements to fix, universities are having trouble adapting or implementing.
Sam McCool, UNLV
Guest
« Reply #2 on: May 04, 2004, 06:52:16 AM »
The article suggests that universities and colleges are balancing the tradition of academic freedom with a modern need to protect electronic information. I agree that academic freedom may in part be a concern as schools turn their attention, somewhat slowly, to the urgency of protecting what they traditionally were supposed to protect on paper, the confidentiality of university records and research data. But, isn't another tradition of academe one of the causes--perennial underfunding of operations?
Doesn't unwise frugality play a role in this matter? I have observed over the decades that universities and colleges were always trying to save money by running computer networks on a "shoestring" budget, usually employing students on a part-time, temporary basis to do highly skilled, highly sensitive jobs related to information management, computing, etc. FERPA, for instance, is a wonderful legal concept but in practice, is violated repeatedly because most of the offices responsible for handling student records employ part-time students to manage those records and "transfer" confidential records via unsecured campus mail and electronic networks. Because schools don't fund their information management units appropriately, they have to cut corners, bend the rules, etc.
This is a long tradition, not much discussed obviously, and most schools have survived because the victims -- students and faculty -- are too poor or passive, usually, to sue. Indeed, public schools in general have managed relatively well (compared to business) in avoiding large lawsuits, despite numerous infractions. I am hoping the Chronicle might look into this cause as well. I'd like to know how much of the security problem is due to higher education's traditional underfunding and consequent undermanagement of its business side.
Betty Clarkson, UConn
Guest
« Reply #3 on: May 04, 2004, 09:40:48 AM »
I'm not sure who comes up with these stupid questions, but the Chronicle must really be scraping the bottom of the barrel.
"Can colleges make their networks more secure without jeopardizing their culture of openness and collaboration?" You can't be serious.
First of all openness (something which can be debated considering the PC policies running rampant on colleges today) has absolutely nothing to do with security. Would the Chronicle consider colleges to "jeopardize their culture of openness" if they locked the buildings late at night? If they secured the college motor pool?
Network security is common sense. It is no different than precautions taken to protect buildings, equipment, and other material paid for by taxpayers (at least in the case of public institutions). Network security protects information and privacy.
What in the world does that have to do with a "culture of openness"?
I have not been the only one who has noticed a serious decline in the quality of issues raised in the Chronicle Colloquy. I am seriously considering not participating anymore.
Rodney Petersen, EDUCAUSE
Guest
« Reply #4 on: May 04, 2004, 10:11:35 AM »
I do not take issue with many of the observations brought to light by the article that resulted from an investigation into the audits of campus computer systems. Cyber security is a serious issue for our nation, and colleges and universities must do their part to improve the security of campus networks and information systems. I am disappointed, however, that there is little acknowledgement of the steps being taken to improve the situation. While serious concerns remain, there are impressive efforts underway at many institutions, and the efforts of the EDUCAUSE/Internet2 Computer and Network Security Task Force (www.educause.edu/security) are also notable. First, education and awareness is an important ingredient and needs to be a priority. The Security Task Force has a working group on Education and Awareness that encourages colleges and universities to adopt best practices (http://www.educause.edu/security/resources/awareness.asp) and has urged them to participate in the next Cyber Security Day in October (see press release at http://www.educause.edu/news/news_item.asp?Year=2004&ID=032604). The 2nd annual EDUCAUSE/Internet2 Security Professionals Conference (http://www.educause.edu/conference/security/2004) will be held in Washington, D.C., on May 16-18, and provides an excellent professional development opportunity for security professionals in higher education. Recent testimony by EDUCAUSE before a committee in the House of Representatives also stressed the importance of cyber security awareness (http://www.educause.edu/ir/library/pdf/SEC0407.pdf) to an overall security program for schools and institutions of higher education. Second, risk assessment is an effective means for identifying cyber security risks and developing mitigation measures to address problems. The Security Task Force has a working group on Risk Assessment Methods and Tools that includes auditors, risk managers, legal counsel, CFOs, CIOs, CSOs, and others.
A letter to all college and university presidents (http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm) urged presidents to ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution and recommended that they manage these risks in the context of institutional planning and budgeting. Additionally, the Effective Security Practices Guide (www.educause.edu/security/guide), issued in January 2004, contains step-by-step instructions under "Where to Begin" that describe "Preliminary Risk Assessments", "Risk Analysis of Critical Areas and Processes," and "Institution-Wide Risk Assessment." The Security Task Force also participated in the development and release of a recent report on "Information Security Governance" (www.cyberpartnership.org) that contains more information about the role of risk assessment as part of an information security program. Finally, there are numerous tools and resources that can be used to improve the security of college and university networks and computers. The Effective Security Practices Guide (www.educause.edu/security/guide) contains instructions as well as case studies about how to implement security in higher education environments on topics that range from network and host vulnerability assessments to incident handling and response. Many of the "effective practices and solutions" described in the Guide will be featured in the Security Professionals Conference and are frequently discussed on the Security Discussion Group (http://www.educause.edu/cg/security.asp). While much work remains to be done, significant progress is being made. I encourage individuals to check out the resources available from the EDUCAUSE/Internet2 Computer and Network Security Task Force (www.educause.edu/security). I invite questions or contributions from others in the higher education community so we can all become part of the solution to some of the problems reported in this article.
Rodney Petersen Security Task Force Coordinator, EDUCAUSE
Karl Bridges
Guest
« Reply #5 on: May 05, 2004, 04:51:53 AM »
In reply to Betty Clarkson: It does have to do with being open -- or more to the point, creativity. In the early years of the Internet (1985-1993 more or less) there was very little security. This was a problem obviously, but also an opportunity as it allowed individuals to develop innovative and creative solutions. In the present environment, where the need for security is the prime concern, this creativity is curtailed. Instead of being able to just do something and experiment we have to jump through heaps of red tape only to be told "Well, for security reasons we aren't going to be unblocking any ports so your project won't be allowed." In essence, what we are allowing is for computer security operations to dictate the course of academic research. It's really no different than deciding that you want to do research on medieval Spain and having the library tell you "Sorry, we've restricted access to all the books on that topic. If you want to fill out a form and wait some non-academic will review your request and see if you will be allowed to research that." This is further compounded by all this post-9/11 hysteria that sees a terrorist under every bed (or more properly put -- by a government that sees a risk in every person, Arab or otherwise, who wants to check out a library book). I don't dispute the need for secured networks -- there are evil people out there wanting to do harm -- what I object to is knee-jerk reactions that impose security restrictions that unnecessarily restrict the ability of scholars and researchers to do their work. The reality is that, if the World Wide Web was being invented today, Tim Berners-Lee would have never gotten his idea for a world wide web past his computer security department -- "You want to develop an application to allow people anywhere to connect to our systems? No way."
Karin Steinbrenner, CIO, UNC C
Guest
« Reply #6 on: May 05, 2004, 04:55:25 AM »
I agree with Rodney. Despite lack of funding, many IT departments have been proactive in combatting the security risks.
The UNC system established baseline network security requirements for its sixteen campuses. At UNC Charlotte, we reallocated TC positions and hired a certified security officer over a year ago. Now we have three staff working in security.
Thanks to their work we have not experienced any outage resulting from the virus or worm of the day. Additionally, any abnormality on the network is quickly identified and dealt with.
Following a presentation to our chancellor and senior staff that outlined a security plan including costs, the chancellor determined that this is the cost of doing business.
We are by no means where we should be. But I don't think that we are alone and most institutions are doing a very good job with the resources given to them.
Karin Steinbrenner, CIO, UNC C
Guest
« Reply #7 on: May 05, 2004, 05:01:44 AM »
Normally I don't participate in these discussions but I do agree with Betty that the Chronicle of Higher Ed does not do a good job of covering technology.
Unfortunately this is often the only IT source for non-IT HE administrators.
Glenn Larratt
Guest
« Reply #8 on: May 05, 2004, 06:23:37 AM »
I don't disagree with Sam Liles's contention that "[the castle wall] model failed with each attempt".
I would hasten to point out, however, that the bulk of the newsmaking issues are not the metaphorical equivalents of catapults, nor battering rams, nor even ladders. Sasser, Blaster, Sapphire, Nimda (in at least one of its vectors), and sadmind are all the technological equivalent of Visigoths running around: they exploited well-known, well-known-to-be-insecure, documented-as-security-hole, appropriate-for-local-use-only services which should not have been allowed across a network perimeter in the first place.
I would have to say it's at best disingenuous to argue that "castle walls are outdated" when, in many university networks, there isn't even a wall, just a decorative row of paving stones to mark the "perimeter" - and naked barbarians destroying the huts and looting all the women and livestock.
Whether as a result, as Sam McCool has noted, of lack of fiscal wisdom, or of the lack of common sense reported by Betty Clarkson, many universities are, perhaps even unwittingly, waiting for "something to go wrong" before looking at network security. Borrowing again from Betty, it's late to be putting up lights and gates *after* there's been a carjacking, a rape, or a murder on your campus. Such things - both in the network and the physical security realms - have happened on my campus, and we were late to react. In the physical security realm, things are better; in the network security realm, we need to make them so.
Dave Edmondson/TCU
Guest
« Reply #9 on: May 05, 2004, 07:13:31 AM »
In today's environment, there can be choices made to allow for research to be done by your faculty without compromising the security of the university network resources. The choices have to be made and there has to be give and take from both sides. It is no longer a world where the faculty can ignore the issues of security. It can be done and has been done at this institution. But it does take communication and support from everyone involved.
Taz Daughtrey, James Madison U
Guest
« Reply #10 on: May 05, 2004, 11:09:21 AM »
I found the article quite timely because it arrived the day before I spoke to the College and University Auditors of Virginia at their annual conference yesterday. I read them some of the highlights and, as I was waving the article in front of the group, exclaimed, "Auditors are the heroes of this story." I won them over right away! I had plenty of tough material to share, but it did set the stage for me to address issues such as risk assessment and the need for more insightful auditing.
Corky
Guest
« Reply #11 on: May 06, 2004, 05:49:14 AM »
It would appear that much of this newfound IT security emphasis involves the patching and installation of defence tools that relate to the on-going vulnerabilities of the Microsoft operating system(s). One sees very little effort directed towards building infrastructures founded on more robust operating systems (Unix, Linux and even MacOS), thin client computing, timeshare systems and Citrix farms.
How can people discuss approaches that will restrict academic freedom when they haven't even explored alternative IT infrastructures that are both secure and permissive to the academic mission!
Sam McCool/UNLV
Guest
« Reply #12 on: May 06, 2004, 12:18:59 PM »
Rodney, does Educause have any data on how many HE schools are indeed engaged in protecting their computing networks beyond installing NAV on client workstations? I've been using the security guidelines that Educause has posted on the web, but beyond policy, what is really happening among HE schools? I think what worries most of us, those who care anyway, about the "gaps" in security is that there's a lot of talk but not much actually done to protect systems and networks.
Here's a case in point (to protect the innocent, I won't name the school): Some of the main servers and network on campus are protected but all wireless access points are open and unencrypted; many servers are installed and attached to the campus network without proper security or even notice to the IT division. Mobile units are permitted to move off campus and return without screening. All updates, patches, virus detection, etc., while provided free to students, faculty and staff, are nevertheless installed and updated voluntarily. They are not pushed out to the client machines. The school routinely loses one or more of its instructional servers every month for as long as 24 hours at times.
Is that typical?
James Francisco
Guest
« Reply #13 on: May 06, 2004, 12:40:24 PM »
You are taking a very parochial view of the security situation. Security breaches were a problem for academic, government, and commercial networks long before Microsoft rolled out networking products. If you look at older books on network and internet security, they are all UNIX/Linux based. When a company is the big fish in the pond, it becomes the biggest target of critics and others who just like to see people embarrassed. Before painting one system with the tarred brush you should consider other security holes such as the stories listed here.
Cisco - http://www.computerworld.com/securitytopics/security/holes/story/0,10801,92555,00.html http://www.computerworld.com/securitytopics/security/holes/story/0,10801,92015,00.html?from=story_kc
Mac OS X - http://www.computerworld.com/securitytopics/security/holes/story/0,10801,92130,00.html http://www.computerworld.com/securitytopics/security/holes/story/0,10801,90263,00.html
RealNetworks - http://www.computerworld.com/securitytopics/security/holes/story/0,10801,89930,00.html
Linux - http://www.computerworld.com/securitytopics/security/holes/story/0,10801,90359,00.html
Linux and the Mac OS have survived by being the stealth options so far. As they gain popularity and market share, the attacks against them will rise.
corky
Guest
« Reply #14 on: May 07, 2004, 05:22:28 AM »
James, you are in line with the typical arguments made by Microsoft groupies. Yes there have been some hacks of Unix systems... but compared to...perhaps the hundreds if not thousands of Microsoft hacks may not be one of the best arguments for NOT learning another operating system...
Remember, the PC stands for Personal Computer and Unix was built upon client server computing.... So far the process of trying to make a PC operating system like Microsoft a client server environment has fallen substantially short... It would seem the best approach to a computing infrastructure would be to take advantage of a proven client server environment like Solaris, AIX, HP-UX and now Linux, and hang the Personal Computers off of the system. Also, implementation of cost effective technologies like thin clients and Citrix would go far in such an environment.