How Secure Are You?
Douglas Boudreau is the type of student universities fear most. Boudreau is serving five years' probation for identity fraud, intercepting wire communications, larceny, and unauthorized access to a computer. These are crimes he committed while a student at Boston College, where in 2002 he installed so-called "key-logging" software on more than 100 campus systems. The software recorded students' keystrokes, allowing Boudreau to gather names and passwords to networked systems. Boudreau pleaded guilty to multiple charges in mid-2003, and was sentenced in April of that year to five years' probation. Though the culprit wasn't behind bars, college officials breathed a qualified sigh of relief--after all, they knew other BC hackers could be in the making.
But it was "good old detective work and audit trails" that allowed the college to catch Boudreau, says David Escalante, director of Computer Policy and Security at BC. "Boudreau went from computer hacking to stealing by altering student ID cards," says the security chief. "His misuse of these cards was detected, investigated, and determined to be fraudulent. The misuse of the computer systems," he adds, "became apparent in the course of the investigation of the misuse of the cards."
Although Boston College nabbed their hacker, other universities and businesses aren't ordinarily as fortunate. On a typical day, the famed Computer Emergency Response Team (CERT) at Carnegie Mellon University (PA) documents 400 Internet-related security incidents around the globe (see "Security Alert"). The incidents range from minor attacks that probe individual Web sites, to major strikes that rattle thousands of systems.
January's MyDoom virus, for instance, was a single incident that clogged the Internet with some 100 million infected e-mails in its first 36 hours, prompting the FBI to launch an investigation, according to the news services. But even smaller outbreaks can wreak havoc. The Blaster virus epidemic of mid-2003, for instance, was a single incident that infected more than 500,000 computers, including hundreds of systems at Temple University (PA). "While Temple's network did not go down, network degradation...reached critical levels, making total loss of the network a definite possibility," wrote Temple Chief Information Officer Ariel Silverstone, in a memo to staff, faculty, and students during the outbreak.
Still--although there's no silver bullet for IT security--there are measures that can be taken to protect any institution, say the pros. Savvy universities, like many institutions in the corporate sector, are taking these three steps to protect their networks:
Recruiting and training dedicated IT security professionals
Devising, communicating, enforcing, and updating security policies
Implementing/maintaining the latest security technologies, e.g., personal firewalls and (previously abandoned) smart cards
Enter the CSO. Within most universities, CIOs, chief technology officers (CTOs), or chief financial officers (CFOs) typically oversee IT security. But that's changing as more and more universities hire the dedicated chief security officer (CSO).
Even three years ago, however, CSOs were a rare breed on university campuses. Then anywhere, anytime computing came on the scene, and triggered heightened security needs. Wireless Internet access, online registration, distance learning, Web-based tuition payment, and other applications have forced many universities to buttress their CIOs with full-time CSOs who live and breathe security.
Boston College, for instance, hired Escalante shortly after the Boudreau incident. "Assigning security to the CIO, CFO, registrar, or someone else is perfectly legitimate," says Escalante. "But over time, I suspect these already busy people won't be able to deal with all the nitty-gritty details of security and will feel more comfortable delegating this responsibility."
Escalante is dead on target. At Johns Hopkins University (MD), for instance, CSO Darren Lacey now reports directly to CIO and Vice Provost/Vice President Stephanie L. Reed. "Darren's a talented attorney with a vast array of credentials that make him extraordinarily well suited for this position," says Reed. And in fact, Lacey moved into the CSO slot in mid-2003 after serving as executive director of Johns Hopkins' Information Security Institute (ISI), a nationally acclaimed research center. Lacey's top priorities now include working with the Johns Hopkins HIPAA office. (HIPAA--the Health Insurance Portability and Accountability Act--requires healthcare organizations to comply with various security standards when handling patients' printed and electronic medical records.) And the university's IT department also has designated experts who manage network security, application security, access and authentication, and physical data center security.
Though more and more universities are hiring CSOs, not all institutions can afford another C-level executive. A typical CSO earns a base salary of $100,000 to $350,000, depending on an organization's size, according to CSO magazine. Factor in budget crunches, enrollment challenges, and reduced government aid, and hiring a CSO often becomes prohibitive.
Sticking to the traditional. "I'd estimate that less than 10 to 15 percent of universities have dedicated CSOs," says Chris Meaney, director of Secure Network Solutions for Siemens AG's Information and Communication Networks (ICN) division. "Most appear to still have traditional CIO and CTO functions where security architectures are defined."
In many cases, however, network security is a shared responsibility. Such is the case at Delaware State University, where Network Manager Hank Classe oversees IT security with close assistance from three peers: a database administrator and two IT experts from Academic Computing. (The foursome reports to the CTO and assistant provost for Technology & Information Systems.) As far as administrators at Delaware State are concerned, the more security pros on board, the better--after all, the university is situated near Dover Air Force Base, one of the largest U.S. military bases, and DSU's science department has conducted classified research for the federal government.
Hacker schooling for IT folk. Some universities, eager to polish their security skills, are sending their IT managers to hacker school. Security vendor Foundstone Inc. (www.foundstone.com) offers a popular four-day course entitled "Ultimate Hacking: Hands On." The course, which typically costs $7,000, teaches security students to use hacking tools like AntiSniff and Big Brother. After each session, students apply their knowledge by trying to break into computers in the rear of the classroom. (Never fear: Foundstone monitors each classroom system to make sure students aren't attempting to hack outside networks as well.)
David Raikow, a lawyer and IT security expert in San Francisco, has completed Foundstone's course. "Generally speaking, university managers who complete the class are better equipped to find security holes within their own networks," he says.
Technology companies such as Cisco Systems Inc. (www.cisco.com) also offer security certification, but most universities prefer technology managers who have hands-on experience locking down operating systems, network hardware, and online applications.
Defining policy. Once a university has security experts in place, it's time to define security policies for all staff, faculty, students, and campus visitors. At many universities, the policies are updated and communicated regularly (via e-mail and printed memos), typically on a quarterly basis. In addition, more and more universities are requiring students to sign policies stating that they use antivirus software. At Temple University, notes CIO Silverstone, students and faculty members are frequently directed to the university's Information Security Web site (www.temple.edu/cs/security). The site includes security alerts, the university's security policy, how-to information for novice computer users, and simple instructions for reporting security incidents.
Delaware State University, as well, takes similar steps to enforce security. All faculty, staff, and students sign a security policy before receiving user names and passwords to approved network services. DSU posts the policy in all campus computer laboratories and on the campus Web site (www.desu.edu/it/acc/security_policy.pdf). The university also e-mails the policy to all users several times during the academic year.
Despite their value, however, security policies place many universities in a technology paradox: Even as universities strive to provide anywhere, anytime information access, they must fiercely patrol every network resource. That's a tricky balancing act, notes Johns Hopkins' Reed.
"Research universities need to drive innovation, create new knowledge and explore uncharted territories," she says. "But those priorities require a degree of autonomy and creativity that sometimes conflict with structure, discipline, and boundaries."
Sharing breakdown information. Interestingly, where businesses (particularly publicly held companies) rarely disclose network security breakdowns, fearing negative publicity, the opposite is true of many institutions of higher education. Progressive universities disclose security problems as soon as possible in a quest to protect students, faculty members, and partners from digital harm.
Silverstone stands among those who promote information sharing. In mid-2003, he dispatched several electronic memos to all Temple network users, warning them that the Blaster/LoveSAN worm had infected hundreds of university systems. The memos also provided detailed, easy-to-follow instructions for combating the virus.
Personalization. At Johns Hopkins, Reed's recipe for security success includes firewalls, antivirus software, intrusion detection tools, and close monitoring of internal and external network environments (see "10 Steps to Security," right). But she is coy when asked about new security tools at Johns Hopkins. On the other hand, there are universities eager to show their hand. At DSU, for instance, every student and faculty member now carries a personalized "smart card" (from Siemens; www.siemens.com) that provides entry to approved buildings and network services. And the cards are truly multipurpose: A magnetic stripe on the card also allows students to make bookstore and food service purchases; a barcode reader connects students to legacy library applications; and an embedded chip manages user identification when accessing DSU's enterprise resource planning application. (All new PCs purchased by the university now include readers.) Via personalization, the CFO's smart card, for instance, permits access to financial systems that student smart cards can't access. And in most installations, the cards authenticate to network directory services--such as Microsoft's Active Directory or Novell Directory Services. This provides users with seamless access to approved printers and applications on the university's network.
Smart cards come back. Since their advent in the mid- to late '90s, smart chip card implementations have encountered some serious roadblocks on U.S. campuses, not the least of which have been high cost issues. And in truth, most universities have yet to deploy smart cards. But given the current specter of security dangers, that's changing, insist security pros.
"Smart cards are relatively young," concedes Meaney of Siemens, which assists DSU's security efforts. Although smart cards have a rocky history in the higher education sector, Meaney points to growing adoption rates in public usage in general, and states, "They're definitely moving into the mainstream."
And if higher ed is looking to mainstream America to gauge the growing importance of smart cards, they might just look to Dell Inc. (www.dell.com). In November 2003, the PC giant introduced smart cards for its corporate notebooks, desktops, and workstations (all of which come with readers). As a general rule, Dell only enters markets that generate massive unit sales and immediate profits. The Dell smart cards, which are designed by Axalto (www.axalto.com; formerly known as Schlumberger Smart Cards & Terminals), allow IT managers to track users as they attempt to access network services. The cards cost about $50 each, but volume discounts are typically available. Schools can absorb the cost, or pass it on to the students. Users can be specific campus groups or subsets (such as students who need to access a specific, secure lab), or, for smaller schools providing laptops to all incoming freshmen (for instance), cards could be offered to all recipients of new reader-equipped computers.
Universities also are exploring new ways to protect mobile systems, such as notebook computers. Although firewalls and antivirus software for e-mail servers shield university PCs and workstations from external threats, those security measures don't defend notebook computers that move outside of the university network.
According to Charles D. Fletcher Jr., CTO and assistant provost for Technology & Information Systems at Delaware State, "The growth of e-business applications and online services has pushed security to the mobile user and home user." As a result, universities are now deploying so-called "personal firewall" software on individual notebook computers. Much like a roadside security checkpoint, the software inspects inbound and outbound data as it attempts to move onto a notebook or out to remote servers. Nefarious code is blocked before it can launch attacks against more systems. Best of all, personal firewalls ($50 or less per system) protect notebooks regardless of their physical location--on campus, at home, on the road, or within a public wireless (Wi-Fi) network, notes Craig Plunkett, managing principal of technology consulting firm CEDX Corp. (www.cedx.com). What's more, companies such as Symantec Corp. (www.symantec.com) and Network Associates Inc. (www.networkassociates.com) design their personal firewall software to work alongside their respective antivirus applications, delivering a powerful one-two punch that can knock out worms before they infect systems. Generally speaking, universities are increasingly preinstalling the firewalls on notebooks before they are issued to staff, much in the way that antivirus software comes preinstalled on notebooks. In the case of students, schools typically direct them to a specific antivirus/firewall provider Web site, so that they can purchase and activate the security software.
Sending in the scouts. Most recent Internet attacks have involved annoying software worms and viruses that choke PCs, servers, and networks. But experts fear that these attacks are merely "test strikes" that allow hackers to identify and exploit weak points in the Internet's armor. In the future, they say, hackers could use the information they gather to launch more aggressive attacks that shut down entire power grids and transportation systems, or steal personal information of a highly sensitive or classified nature--even on a mammoth scale.
During a National Security Cyber Summit in November, Department of Homeland Security Secretary Tom Ridge offered an ominous warning to attendees: "Terrorists know that a few lines of code could, ultimately, wreak as much havoc as bombs. The enemies of freedom use the same techniques as hackers do. We must be as diligent and determined as hackers are."
Certainly, college and university CIOs are aware of the risks, and more than aware of their mandate to face them, head on. According to DSU's Fletcher, "The world of technology is continuing to grow more innovative, creative, invasive--and threatening. But as a technology innovator and user, I wouldn't want it any other way." Translation: Bring on the hackers.
Joseph C. Panettieri is editorial director at New York Institute of Technology. He has covered Silicon Valley since 1992. He can be reached at firstname.lastname@example.org.