How secure are you? University CIOs are leveraging new people, policies, and professional tools to ensure network security.


Douglas Boudreau is the type of student universities fear most. Boudreau is serving five years' probation for identity fraud, intercepting wire communications, larceny, and unauthorized access to a computer. These are crimes he committed while a student at Boston College, where in 2002 he installed so-called "key-logging" software on more than 100 campus systems. The software recorded students' keystrokes, allowing Boudreau to gather names and passwords to networked systems. Boudreau pleaded guilty to multiple charges in mid-2003, and was sentenced in April of that year to five years' probation. Though the culprit wasn't behind bars, college officials breathed a qualified sigh of relief--after all, they knew other BC hackers could be in the making.

But it was "good old detective work and audit trails" that allowed the college to catch Boudreau, says David Escalante, director of Computer Policy and Security at BC. "Boudreau went from computer hacking to stealing by altering student ID cards," says the security chief. "His misuse of these cards was detected, investigated, and determined to be fraudulent. The misuse of the computer systems," he adds, "became apparent in the course of the investigation of the misuse of the cards."

Although Boston College nabbed its hacker, other universities and businesses aren't ordinarily as fortunate. On a typical day, the famed Computer Emergency Response Team (CERT) at Carnegie Mellon University (PA) documents 400 Internet-related security incidents around the globe (see "Security Alert," next page). The incidents range from minor attacks that probe individual Web sites, to major strikes that rattle thousands of systems.

January's MyDoom virus, for instance, was a single incident that clogged the Internet with some 100 million infected emails in its first 36 hours, prompting the FBI to launch an investigation, according to the news services. But even smaller outbreaks can wreak havoc. The Blaster virus epidemic of mid-2003, for instance, was a single incident that infected more than 500,000 computers, including hundreds of systems at Temple University (PA). "While Temple's network did not go down, network degradation ... reached critical levels, making total loss of the network a definite possibility," wrote Temple Chief Information Officer Ariel Silverstone, in a memo to staff, faculty, and students during the outbreak.

Still--although there's no silver bullet for IT security--there are measures that can be taken to protect any institution, say the pros. Savvy universities, like many institutions in the corporate sector, are taking these three steps to protect their networks:

* Recruiting and training dedicated IT security professionals

* Devising, communicating, enforcing, and updating security policies

* Implementing/maintaining the latest security technologies, e.g., personal firewalls and (previously abandoned) smart cards

Who's in Charge?

Enter the CSO. Within most universities, CIOs, chief technology officers (CTOs), or chief financial officers (CFOs) typically oversee IT security. But that's changing as more and more universities hire the dedicated chief security officer (CSO).

Even three years ago, however, CSOs were a rare breed on university campuses. Then anywhere, anytime computing came on the scene, and triggered heightened security needs. Wireless Internet access, online registration, distance learning, Web-based tuition payment, and other applications have forced many universities to buttress their CIOs with full-time CSOs who live and breathe security.

Boston College, for instance, hired Escalante shortly after the Boudreau incident. "Assigning security to the CIO, CFO, registrar, or someone else is perfectly legitimate," says Escalante. "But over time, I suspect these already busy people won't be able to deal with all the nitty-gritty details of security and will feel more comfortable delegating this responsibility."

Escalante is dead on target. At Johns Hopkins University (MD), for instance, CSO Darren Lacey now reports directly to CIO and Vice Provost/Vice President Stephanie L. Reed. "Darren's a talented attorney with a vast array of credentials that make him extraordinarily well suited for this position," says Reed. And in fact, Lacey moved into the CSO slot in mid-2003 after serving as executive director of Johns Hopkins' Information Security Institute (ISI), a nationally acclaimed research center. Lacey's top priorities now include working with the Johns Hopkins HIPAA office. (HIPAA--the Health Insurance Portability and Accountability Act--requires healthcare organizations to comply with various security standards when handling patients' printed and electronic medical records.) And the university's IT department also has designated experts who manage network security, application security, access and authentication, and physical data center security.

Though more and more universities are hiring CSOs, not all institutions can afford another C-level executive. A typical CSO earns a base salary of $100,000 to $350,000, depending on an organization's size, according to CSO magazine. Factor in budget crunches, enrollment challenges, and reduced government aid, and hiring a CSO often becomes prohibitive.

Sticking to the traditional. "I'd estimate that less than 10 to 15 percent of universities have dedicated CSOs," says Chris Meaney, director of Secure Network Solutions for Siemens AG's Information and Communication Networks (ICN) division. "Most appear to still have traditional CIO and CTO functions where security architectures are defined."

In many cases, however, network security is a shared responsibility. Such is the case at Delaware State University, where Network Manager Hank Classe oversees IT security with close assistance from three peers: a database administrator and two IT experts from Academic Computing. (The foursome reports to the CTO and assistant provost for Technology & Information Systems.) As far as administrators at Delaware State are concerned, the more security pros on board, the better--after all, the university is situated near Dover Air Force Base, one of the largest U.S. military bases, and DSU's science department has conducted classified research for the federal government.

Hacker schooling for IT folk. Some universities, eager to polish their security skills, are sending their IT managers to hacker school. Security vendor Foundstone Inc. (www.foundstone.com) offers a popular four-day course entitled "Ultimate Hacking: Hands On." The course, which typically costs $7,000, teaches security students to use hacking tools like AntiSniff and Big Brother. After each session, students apply their knowledge by trying to break into computers in the rear of the classroom. (Never fear: Foundstone monitors each classroom system to make sure students aren't attempting to hack outside networks as well.)

David Raikow, a lawyer and IT security expert in San Francisco, has completed Foundstone's course. "Generally speaking, university managers who complete the class are better equipped to find security holes within their own networks," he says.

Technology companies such as Cisco Systems Inc. (www.cisco.com) also offer security certification, but most universities prefer technology managers who have hands-on experience locking down operating systems, network hardware, and online applications.

Put it in Writing

Defining policy. Once a university has security experts in place, it's time to define security policies for all staff, faculty, students, and campus visitors. At many universities, the policies are updated and communicated regularly (via e-mail and printed memos), typically on a quarterly basis. In addition, more and more universities are requiring students to sign policies stating that they use antivirus software. At Temple University, notes CIO Silverstone, students and faculty members are frequently directed to the university's Information Security Web site (www.temple.edu/cs/security). The site includes security alerts, the university's security policy, how-to information for novice computer users, and simple instructions for reporting security incidents.

Delaware State University, as well, takes similar steps to enforce security. All faculty, staff, and students sign a security policy before receiving user names and passwords to approved network services. DSU posts the policy in all campus computer laboratories and on the campus Web site (www.desu.edu/it/acc/security_policy.pdf). The university also e-mails the policy to all users several times during the academic year.

Despite their value, however, security policies place many universities in a technology paradox: Even as universities strive to provide anywhere, anytime information access, they must fiercely patrol every network resource. That's a tricky balancing act, notes Johns Hopkins' Reed.

"Research universities need to drive innovation, create new knowledge and explore uncharted territories," she says. "But those priorities require a degree of autonomy and creativity that sometimes conflict with structure, discipline, and boundaries."

Sharing breakdown information. Interestingly, where businesses (particularly publicly held companies) rarely disclose network security breakdowns, fearing negative publicity, the opposite is true of many institutions of higher education. Progressive universities disclose security problems as soon as possible in a quest to protect students, faculty members, and partners from digital harm.

Silverstone stands among those who promote information sharing. In mid-2003, he dispatched several electronic memos to all Temple network users, warning them that the Blaster/LovSAN worm had infected hundreds of university systems. The memos also provided detailed, easy-to-follow instructions for combating the virus.

Know Your Network

Personalization. At Johns Hopkins, Reed's recipe for security success includes firewalls, antivirus software, intrusion detection tools, and close monitoring of internal and external network environments (see "10 Steps to Security," right). But she is coy when asked about new security tools at Johns Hopkins. On the other hand, there are universities eager to show their hand. At DSU, for instance, every student and faculty member now carries a personalized "smart card" (from Siemens, www.siemens.com) that provides entry to approved buildings and network services. And the cards are truly multipurpose: A magnetic stripe on the card also allows students to make bookstore and food service purchases; a barcode reader connects students to legacy library applications, and an embedded chip manages user identification when accessing DSU's enterprise resource planning application. (All new PCs purchased by the university now include readers.) Via personalization, the CFO's smart card, for instance, permits access to financial systems that student smart cards can't access. And in most installations, the cards authenticate to network directory services--such as Microsoft's Active Directory or Novell Directory Services. This provides users with seamless access to approved printers and applications on the university's network.

Smart cards come back. Since their advent in the mid- to late '90s, smart chip card implementations have encountered some serious roadblocks on U.S. campuses, not the least of which have been high cost issues. And in truth, most universities have yet to deploy smart cards. But given the current specter of security dangers, that's changing, insist security pros.

"Smart cards are relatively young," concedes Meaney of Siemens, which assists DSU's security efforts. Although smart cards have a rocky history in the higher education sector, Meaney points to growing adoption rates in public usage in general, and states, "They're definitely moving into the mainstream."

And if higher ed is looking to mainstream America to gauge the growing importance of smart cards, they might just look to Dell Inc. (www.dell.com). In November 2003, the PC giant introduced smart cards for its corporate notebooks, desktops, and workstations (all of which come with readers). As a general rule, Dell only enters markets that generate massive unit sales and immediate profits. The Dell smart cards, which are designed by Axalto (www.axalto.com; formerly known as Schlumberger Smart Cards & Terminals), allow IT managers to track users as they attempt to access network services. The cards cost about $50 each, but volume discounts are typically available. Schools can absorb the cost, or pass it on to the students. Users can be specific campus groups or subsets (such as students who need to access a specific, secure lab), or, for smaller schools providing laptops to all incoming freshmen (for instance), cards could be offered to all recipients of new reader-equipped computers.

Mobile Protection

Universities also are exploring new ways to protect mobile systems, such as notebook computers. Although firewalls and antivirus software for e-mail servers shield university PCs and workstations from external threats, those security measures don't defend notebook computers that move outside of the university network.

According to Charles D. Fletcher Jr., CTO and assistant provost for Technology & Information Systems at Delaware State, "The growth of e-business applications and online services has pushed security to the mobile user and home user." As a result, universities are now deploying so-called "personal firewall" software on individual notebook computers. Much like a roadside security checkpoint, the software inspects inbound and outbound data as it attempts to move onto a notebook or out to remote servers. Nefarious code is blocked before it can launch attacks against more systems. Best of all, personal firewalls ($50 or less per system) protect notebooks regardless of their physical location--on campus, at home, on the road, or within a public wireless (Wi-Fi) network, notes Craig Plunkett, managing principal of technology consulting firm CEDX Corp. (www.cedx.com). What's more, companies such as Symantec Corp. (www.symantec.com) and Network Associates Inc. (www.networkassociates.com) design their personal firewall software to work alongside their respective antivirus applications, delivering a powerful one-two punch that can knock out worms before they infect systems. Generally speaking, universities are increasingly preinstalling the firewalls on notebooks before they are issued to staff, much in the way that antivirus software comes preinstalled on notebooks. In the case of students, schools typically direct them to a specific antivirus/firewall provider Web site, so that they can purchase and activate the security software.

Looking Ahead

Sending in the scouts. Most recent Internet attacks have involved annoying software worms and viruses that choke PCs, servers, and networks. But experts fear that these attacks are merely "test strikes" that allow hackers to identify and exploit weak points in the Internet's armor. In the future, they say, hackers could use the information they gather to launch more aggressive attacks that shut down entire power grids and transportation systems, or steal personal information of a highly sensitive or classified nature--even on a mammoth scale.

During a National Security Cyber Summit in November, Department of Homeland Security Secretary Tom Ridge offered an ominous warning to attendees: "Terrorists know that a few lines of code could, ultimately, wreak as much havoc as bombs. The enemies of freedom use the same techniques as hackers do. We must be as diligent and determined as hackers are."

Certainly, college and university CIOs are aware of the risks, and more than aware of their mandate to face them, head on. According to DSU's Fletcher, "The world of technology is continuing to grow more innovative, creative, invasive--and threatening. But as a technology innovator and user, I wouldn't want it any other way." Translation: Bring on the hackers.

10 Steps to IT Security

Designate a senior administrator (CIO, CTO, or CSO) to oversee all IT security.

Consider training your IT staff with the latest security certifications from Cisco Systems Inc. (www.cisco.com) and other technology providers. Or send IT managers to legitimate hacker-training courses, such as those offered by Foundstone Inc. (www.foundstone.com).

Take a complete inventory of the university's network infrastructure. This can be performed internally or by an outside firm (e.g., IBM Global Services; www-1.ibm.com/services) that will attempt to find security holes and penetrate your network.

Define, communicate, update, and enforce university-wide security policies. Use Web sites, e-mail, and written memos to maintain adherence to the policies.

Have all network users sign a policy stating that they agree to use antivirus software.

Evaluate smart cards and biometric technology (fingerprint scanners, for instance) to track all users who attempt to access networked systems and campus buildings.

Include security considerations in every IT project.

Monitor alerts from hardware and software providers, as well as from the Computer Emergency Response Team (CERT) at Carnegie Mellon University (PA).

Determine a proper strategy to apply software patches and security fixes in a timely, automated manner. Options include using Microsoft's Systems Management Server.

Educate all users about "social engineering," a term that describes how hackers use casual phone talk, e-mails, campus meetings, and other events to gather user names and passwords from unsuspecting users.

Joseph C. Panettieri is editorial director at New York Institute of Technology. He has covered Silicon Valley since 1992. He can be reached at joe_pan5@yahoo.com.
Security Alert

Annual security incidents * reported (in thousands)

1999     9.8
2000    21.7
2001    52.6
2002    82.0
2003   137.5

* An incident may involve one site, hundreds, or thousands;
some incidents may involve ongoing activity.

Source: CERT

Note: Table made from bar graph.


RELATED ARTICLE: Can Microsoft lock windows?

BILL GATES AND STEVE BALLMER WANT TO EARN YOUR CONFIDENCE. In fact, Microsoft Corp.'s top two executives have spent recent months circling the globe, assuring customers and partners that the company is serious about computer security.

"Security continues to be a top priority for Microsoft," said Chairman and Chief Software Architect Gates during a recent presentation to customers in Las Vegas. "We are totally focused on creating more secure software, and providing tools and technologies that can be easily and quickly deployed to help win the war against malicious code." CEO Ballmer delivered a similar message to thousands of Microsoft partners during an event in New Orleans in October--and it's no wonder: Both sets of comments come at a critical time. Many recent Internet attacks, including the notorious Blaster worm, targeted PCs and servers running Windows, Outlook, and other Microsoft applications.

It's because of this that Microsoft has opted for a proactive stance, releasing more than 100 security patches for Windows XP since early 2002. But as it turns out, the flood of patches, coupled with recent hacker efforts, has forced some universities to rethink how they apply software updates. That's because, unfortunately, hackers now frequently distribute worms and viruses that masquerade as Microsoft patches.

"Hackers are trying to exploit what appears to be a trusted source," says Charles D. Fletcher Jr., assistant provost for Technology & Information Systems and CTO of Delaware State University. "Toss in the fact that some patches are damaging institutional software applications and procedures, and it's easy to understand why universities need to reevaluate how patches are pushed out to campus machines."

And according to Stephanie L. Reed, vice provost/VP and CIO of Johns Hopkins University (MD), "Automated security patches have helped us in most areas. However, some high-end scientific equipment may not tolerate some patches and fixes, so they have also created challenges for us."

Microsoft is aware of the challenges. To compensate, the company has launched a new version of Systems Management Server (SMS), a software package that assists customers with network management chores. The latest version allows universities to automatically update PCs and servers with approved Microsoft patches. SMS also allows universities to determine which PCs require updates and which don't.

"This is a product that's about making sure you know exactly what software you have in your environment," said Gates during his speech to customers in Las Vegas. "SMS can really transform your ability to see what's going on in the network, to know what's going on with the operating system and all the different applications."

Early adopters include the University of Houston (TX), which piloted SMS across 100 client systems prior to the software's general release in late 2003. The technology consultants Kommar Solutions (www.kommarsolutions.com) assisted the rollout.--JCP
COPYRIGHT 2004 Professional Media Group LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation: Security
Author: Panettieri, Joseph C.
Publication: University Business
Article Type: Cover Story
Geographic Code: 1USA
Date: Mar 1, 2004
Words: 3155