next »

[corky]

James, you are in line with the typical arguments made by Microsoft groupies. Yes there have been some hacks of Unix systems... but compared to...perhaps the hundreds if not thousands of Microsoft hacks may not one of the best argument for NOT learning another operating system...

Remember, the PC stands for Personal Computer and Unix was built upon client server computing.... So far the process of trying to make a PC operating system like Microsoft a client server environment has fallen substantially short...  It would seem the best approach to a computing infrastructure would be to take advantage of a proven client server environment like Solaris, AIX, HP-UX and now Linux, and hang the Personal Computers off of the system. Also, Implementation of cost effective technologies like thin clients and citrix would go far in such an environment.

[%sig%]

[anonymous]

Can some explain why Microsoft keeps getting away with putting out these products full of holes and defects?  If a car maker put out a vehicle with as many flaws they would be quickly sued out of existence?  Why isn't Microsoft sued for all these holes and other problems?

[Rodney Petersen, EDUCAUSE]

Let me briefly respond to the two questions posed to me in this post:

1.  Does EDUCAUSE have any data on how many institutions of higher education are engaged in protecting their computing networks?

The best data available about security in higher education is in the ECAR study ("Information Technology Security: Governance, Strategy, and Practice in Higher Education") available at http://www.educause.edu/asp/doclib/abstract.asp?ID=ERS0305 or the EDUCAUSE Core Data Survey available at http://www.educause.edu/coredata/

I don't think there is any doubt that EVERY college and university is "engaged" - you can't avoid it or afford not to be given the current threats and vulnerabilities.  Clearly, some institutions are more engaged than others.  One indication of how engaged an institution has become is whether or not they have a person devoted to security as part of their job responsibilities.  The ECAR study showed that only 22.4% of institutions had a chief IT security officer or equivalent (as of April 2003).  There is a clear, steady pattern of growth for the creation of IT security officer positions in higher education beginning in 1994.  Another sign of engagement is efforts to provide security awareness to the community and yet only one-third of our institutions have a formal awareness program for students, faculty, or staff according to the ECAR survey.  Finally, only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets according to the survey.

So, while many of our institutions are engaged and devoting more and more resources, there is much room for improvement.

2.  Is [the described case in point] typical?

I think what your scenario describes is not unusual and depicts why it is important to approach security from the standpoint of addressing priority needs and using layered defenses.  The fact that an institution has taken steps to protect its main servers is a good indication that they have recognized the importance of securing data and ensuring the integrity and availability of critical resources.  However, open and unencrypted wireless access points as well as inattention to host security, especially for mobile devices, must be addressed, too.   I think you will find the matrix on the bottom of the Effective Security Practices Guide (http://www.educause.edu/security/guide/) to provide a nice overview of the relative effectiveness of each security practice in that resource. The numbers in this matrix are rankings based on the estimated probability of a major positive impact on the institution if the practice is used. The values are simply a starting point for debate based on discussions with information security experts in higher education institutions.

[%sig%]