Higher ed cybervigilance: now more than ever. (Special Section: Security).


Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College, recently spoke with University Business about the urgent need for colleges and universities to be more vigilant in protecting network systems to prevent their exploitation in cyberattacks and their vulnerability to destruction.

University Business: Why are university networks especially susceptible to outside cyberattacks?

Vatis: First, they are large, broad-based systems designed to allow access to people located in a widely dispersed area, as well as in other countries. The second reason is a cultural one: Universities are purposely open; they are designed to promote the free exchange of ideas. Security policies that are perceived to impose any kind of constraint on the free exchange of information have been frowned upon by the academic community. That has helped to create a situation where university networks tend to have relatively low levels of security.

UB: How can universities balance this openness with security?

Vatis: It's a matter of being willing to implement and enforce certain policies and procedures that ensure security, such as having password access to the network, and having decent firewalls in place. These measures may cause a slight inconvenience but, given the potential consequences of poor security, it's something the people who use the networks should be willing to bear.

UB: Should schools be rethinking who has access to their systems?

Vatis: Those things should be looked at. I'm not suggesting an appropriate set of users, but I think universities should look hard at all aspects of their security, including what protections are built in to limit inappropriate access.

UB: You have said that some protections, such as egress filtering, are simple but not widely used. Why?

Vatis: With all technologies there are several factors at play when you speak of lack of security layers. One is insufficient attention to security as a general matter. Another factor is cost: Companies, universities, and government agencies typically regard security as a cost without foreseeable payback, and, ordinarily, they don't want to focus on it until they are forced to. Egress filtering, for instance, prevents packets with "spoofed" addresses from leaving one system and attacking another. That doesn't have the same immediacy in people's minds as protecting their own systems. Firewalls and intrusion detection systems, which protect one's own system from attack, probably get priority attention from most people.

UB: Is a university liable if its network is used to launch a distributed denial of service (DDoS) attack that crashes the victim's server by sending a flood of false information requests?

Vatis: It definitely can be. Some basic principles of tort law suggest that liability is a distinct possibility, and there is certainly discussion in the legal community about that fact.

UB: The infamous "Mafia Boy" DDoS that knocked out eBay, Yahoo, and other commercial sites a few years ago was launched through a university network. Let's turn the tables--what can a university do to protect itself against being attacked in a similar way?

Vatis: You can't prevent an attack from happening in the first place, but you can have a plan ready to implement immediately when an attack starts, minimizing the duration of a DDoS attack and the damage it can do to your system. Once the attack has begun, you can divert packets that are coming in from the zombie systems with firewalls and packet-filtering software.

UB: Except for the Health Insurance Portability and Accountability Act, which protects the privacy of health records, and the Gramm-Leach-Bliley Act, aimed at protecting financial information, the government seems to have left network security in the hands of the schools. Will that change in the current climate?

Vatis: The more immediate worry is liability lawsuits from people who are harmed by a university's lax security. But I think regulation is a real possibility if we see more significant incidents of harm caused by poor network security. On the other hand, there is a draft proposal being circulated by the SANS Institute that would require universities that receive federal research money to implement certain security measures. If adopted, that would be one way that the government could have a significant impact on university security, short of direct regulation. Many universities receive federal research money, and if their networks have to adhere to certain security requirements to receive that money, it could be a significant driver of change in security.
COPYRIGHT 2002 Professional Media Group LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author:Goral, Tim
Publication:University Business
Date:Apr 1, 2002
Words:727