
September/October 2006 issue

Universities need lessons in IT security

Stefan Krempl

Hacking incidents mean university leaders have to secure their networks better. But they have to reconcile stricter security with an open computing environment and a user community that is formally required to test their environment to breaking point.

In May, Ohio University had to make a disturbing disclosure: data thieves had compromised at least three campus servers, and intruders had penetrated one for at least a year. Biographical details of more than 300,000 individuals, including the Social Security numbers of 137,000, were compromised.

The university became aware of the problem only after the FBI discovered someone had remotely taken control of one of the school's servers. The computer that housed an alumni database was supposed to be offline, but due to a shutdown failure, stayed online far too long without receiving security updates.

A year-long compromise is extraordinary. But security breaches in universities are reported frequently. In fact, since February 2005, 25 of 60 personal information breaches recorded by Privacy Rights Clearinghouse were at colleges and universities. In a 2004 survey of more than 500 colleges and universities conducted by The Chronicle of Higher Education and Gartner Inc, 41% reported that hackers had been able to penetrate their systems.

In June 2005, the University of Connecticut discovered that a data security mistake exposed the personal information of 72,000 students, faculty and staff. Michigan State University reported in Spring 2005 that the Social Security numbers of more than 27,000 students might have been compromised following an electronic assault on a server. In April, the US Attorney's Office in Los Angeles filed a criminal complaint against Eric McCarty, a network administrator, for allegedly exploiting a vulnerability in a University of Southern California database.

The costs associated with these threats, manifested in downtime, lost productivity, legal liability and tarnished reputations, continue to mount.

Number two concern
Educause, a US non-profit organization that promotes technology use in higher education, produces an annual report on the top ten issues facing academic CIOs. It says security and identity management is the top challenge, second only to funding as a top-of-mind issue.

In Germany, Heiko Schultz, of the Centre for Communications and Information Processing in Teaching and Research (ZKI), sounded an alarm in a paper titled 'Infosecurity in Universities' in autumn 2005. He said, “The situation is worsening dramatically in the IT departments of universities. The number of incidents is growing. Eventually, that leads not only to internal controversies but also harms the image of higher education in the public. We have to take political and organizational responsibility for the security of the information technologies used by us.”

“Many universities need significant help to install the urgently-needed structures, mechanisms, and measures for the sustainable assurance of IT security,” adds Manfred Seedig, chairman of the ZKI. His institution has written a paper that addresses the most important issues facing university IT departments and their managements. It aims to help academic institutions identify and secure their networks, and to install a transparent IT security process. The guide also provides an infosecurity check list published by the German Research Network (DFN).

Last year, the DFN-CERT (Computer Emergency Response Team) had to deal with about 30,000 security incidents in German universities. The number of attacked systems is said to be much higher because denial of service (DoS) and botnet attacks involve many institutions.

Perfect target

Universities are an ideal target for attackers because they have high bandwidth and open systems. “A university is not a high security area,” says Andreas Pfitzmann, professor for data security at the Technische Universität, Dresden. “We want to offer an open network and we must be able to experiment.”

Rather than establish a surveillance culture in academia, he counts on the students' sense of responsibility. Pfitzmann doesn't deny the conflict between openness and the possible abuse of computer resources. But he's certain that “a much bigger infosecurity problem is caused by the millions of PCs connected to the internet via high speed lines in private homes. Unlike servers at universities they often aren't administered at all.”

Academia still has to do better, claims Gene Schultz of Global Integrity Corporation. “Universities are doing far too little to protect their networks. For example, firewalls, one of the most basic measures, remain unpopular in university network environments because the restrictions they impose can interfere with research or can thwart access to information needed by students and faculty.”


Show me the money

Funding for universities' data security work is generally tight, says Schultz, who spent many years at the University of California at Berkeley. “Consequently, important measures such as correctly configuring systems for security and patching them are generally very deficient. This leaves systems highly vulnerable to attackers that install bots that do any number of malicious things.”

On the other side, “intrusion detection is becoming increasingly popular at universities,” Schultz says. “But it is not done as a proactive measure and cannot prevent attacks. Identity management systems in university environments are rare – there is usually little money for such systems and besides, users resist having to do much of anything to gain access to systems in the first place.”

But not all is dire. University departments that focus on computer science are leading the fight against attackers. “We've set up our own firewall in addition to the one implemented by the Centre for Data Processing,” says Marcus Proest of the Institute for Internet Security at the Fachhochschule in Gelsenkirchen. "We also have our own mail relay server with an additional spam filter and a backup server for our source code management system."

The Information Security Group (ISG) at Royal Holloway, University of London, is the home of anti-hacker research. It also felt that a special virtual shield might be useful. “The main firewall has lots of open ports,” says Kenny Paterson of the ISG.

That might work for most institutes at the university, but Paterson reckons the expert group might be a special target for hackers, so they tightened up a bit more. Occasionally, this causes problems. He recalls, “Mail from a student from Nigeria was put in the spam folder, because of all the scam letters from that country.” But students can discuss such obstacles with security staff easily since their office is “just a bit down the corridor”.

White hat trainers
Royal Holloway also experiments with new ways to teach infosecurity. “We try to train 'white hat' hackers who understand what can be done with the technology,” says Paterson. “The students have to get into the mindset of the criminal hackers.”

With help from industry, Royal Holloway has even built a new lab where the ISG can, for example, simulate denial of service attacks in a closed environment. The institute also runs another lab with a variety of Linux machines for penetration testing.

Iowa State University offers similar real world tests. Students on one course must secure systems that they have been charged with protecting. After they are done, professional system administrators and faculty, acting as 'white hats', go on the attack.

Another example comes from Waco, Texas. Baylor University is 'committed to implementing leading-edge technology solutions to support the institution's teaching, learning and decision-making functions'. But massive downloads and rogue servers had swamped the school's residence hall network, ResNet. The ResNet infrastructure served 3,200 students, and was a completely open environment.

To address these concerns, Baylor picked US-based Enterasys' User Personalized Network, a policy-based system that enables resource allocation based on individual users and their roles. This provides security, bandwidth management, access control and policy enforcement. For violators of the school's standard policy for residential student access, Baylor developed a 'penalty box'; this limited student access to academic-only resources.

The European School of Management and Technology (ESMT) and the Fachhochschule für Technik und Wirtschaft (FHTW) in Berlin, as well as the Technologische Gewerbemuseum (TGM) in Vienna have also bought security software and support from Enterasys, mainly to offer secure Voice over IP calls on campus.

The US company claims that the conventional or product-centric approach taken by many universities reflects a buying pattern based primarily upon solving an individual issue or the latest security problem. Less thought has been given to how products can be integrated within a campus-wide communications strategy.

Enterasys calls for an 'architectural approach'. This establishes the network infrastructure as the nucleus of the campus security strategy. It's supposed to embed security intelligence across the entire network. This lets it detect and respond to threats more effectively when and where they occur, and makes it easier to integrate into an open standards framework, it claims.

Academia seems to be at a turning point in relation to infosecurity. The ZKI guide 'Infosecurity in Universities' states, "IT has become one of the most important tools in the modern academic process. Hence there's a high need for the stability and reliability of IT systems. To reach this goal, there have to be organizational changes to facilitate the introduction of functional, technical and infrastructural security components."

Foundation stone
The document also calls for a unified IT security policy that is observed across the whole campus. It recommends that the security measures should be built on the 'Grundschutzhandbuch' of the German Federal Office for Information Security (BSI). This is a de facto standard for infosecurity, and not only in Germany, the paper says.

The overall policy should outline methods, procedures and sanctions that have to be adjusted continually to the given requirements. These periodic updates could foster a real and stable IT security process. Information that needs to be disseminated regularly during this process includes rules concerning the use of passwords, anti-malware products, PCs and secure communications with the help of encryption programs.
