The .EDU Challenge
It is no secret that educational institutions are bearing the brunt of today's malicious software attacks. Bot-infected computers are rampant in the educational space, especially in colleges and universities where academic freedom often translates to unmanaged computers on a fairly wide-open network.
Recently, the landscape has been changing. Information technology workers at higher ed institutions have increasingly been able to convince decision makers that controls and restrictions must be put in place. Many institutions of higher education (IHEs) are implementing a variety of security technologies, including antivirus software, network access or authentication control, quarantine systems, network segmentation, and other technologies to help secure their networks. The technologies have their place and go a long way toward mitigating the problem. However, technology is not the source of the problem and therefore won't be the ultimate solution.
Computer crimes (viruses, trojans, and other social engineering attacks) are a social problem. We have yet to find a technological cure for social problems. Without education, the efforts of technology are largely going unsupported.
From a motivational standpoint, the attacks we see today are virtually identical to crimes perpetrated when the slide rule (the mechanical analog computer) was king. The computer simply introduces automation and removal of personal contact. These two factors have dynamically changed our society, yet our educational system has not evolved to teach the skills required to live in this evolved society. Teaching technology is not the same as teaching the psychological underpinnings of a dramatically changed society.
Back when committing fraud involved personal contact, the perpetrator could see the victim. Often the heart won over the mind, and crimes of opportunity were abandoned because actually seeing a victim allowed the conscience to intervene.
In the internet age, the victim is an unseen, unknown, dehumanized entity. The scale of social attacks in the pre-internet days was small enough that dedicated courses on social engineering attacks were not worth investing in. The attacks existed in a plethora of forms but were not as prevalent as they are today. Not enough people were victims to warrant society's investing in public education courses to protect against such menaces.
The internet has largely sidelined the conscience, especially in areas where extreme poverty results in higher levels of physical crime, which, with the decline in the costs of computers, can now be replaced with less risky cybercrime. The age of computers has exponentially raised the number of potential victims as well.
Today, social engineering is the primary facilitator of digital attacks, yet there is virtually no curriculum that teaches us to manage the risks that come with it. If we want secure networks, we need to begin teaching security, with a focus on social engineering, in elementary school.
Therein lies the catch-22. Who is to teach tomorrow's teachers if today's teachers have not been educated? The answer is not pretty. Educational institutions need to begin teaching both fundamental computer security and the conceptual basis of social engineering attacks to all students using the computers and the network. Each and every technological solution can and will be beaten by socially engineered attacks.
When colleges and universities graduate teachers equipped to teach life skills in the 21st century, then the next generation can begin to be protected and teach the skills required to protect against today's threats. Eventually someone must type out a curriculum!
There are naysayers to education. Fundamentally, their arguments can be reduced to an unrealistic requirement for perfection. Does everyone graduate from Harvard? From the local community college? From high school? Of course not. So do we quit all education based upon the fact that it is not 100 percent effective? Even technology is not 100 percent effective. Do you remove your firewalls, antivirus, NAC solutions, and stop patching?
The real security challenge we face in the cyberage is teaching the social skills to survive the evolved breed of attacks in the age of faceless social and economic interaction. In teaching these skills, colleges and universities will improve their security today and make substantial contributions to the improvement of digital security tomorrow.
There will not be perfection. Crime has existed for thousands of years and will continue to thrive. The battle is to manage risk, but the educational resistance has yet to amass a true army.
This isn't to say that technology does not have a place. Technology is an important part of the solution. The adoption of proactive technologies and solutions is essential for any administrator working to rein in a campus network.
Firewalls are old news; however, some antivirus products are able to incorporate scanning at the packet level into the firewall. Contrary to the media's popular belief, most antivirus products are no longer solely reliant on signatures. Most use some degree of heuristics to detect new threats before they have been discovered. The independent organization AV-Comparatives (www.av-comparatives.org) tests the heuristic abilities of malware (malicious software) scanners by "freezing" the scanners and then running them against new threats to see how effective the heuristics are. In addition to the heuristic results, false positives (wrongly identified threats) and speed are also considered when the full report is read.
Network Access Control (NAC) is another important technology, as is the ability to quarantine noncompliant PCs before they join a network. There are a variety of solutions to help IT administrators do this.
By all means, adopt technological solutions, but not to the exclusion of education. After all, if education didn't work, you wouldn't have a job.
Randy Abrams, a passionate security evangelist, is the director of technical education at the anti-virus software and security solutions firm ESET. His ThreatBlog can be found at www.eset.com/threat-center/blog.