Friend or Foe?
Medieval castles were protected by moats, fortified walls, and small villages, yet enemies sometimes still snuck through using disguises.
A similar multilayered approach is needed to protect the modern campus IT infrastructure. Only this time the enemy is malware and viruses and the disguises are links on Facebook, Twitter, and other social media sites.
The viruses, malware, and phishing are the same ones users encounter through e-mail or general internet surfing, but the presentation is new. "Social media sites have become a concentrated location for the bad guys," says Marc Seybold, CIO of SUNY College at Old Westbury (N.Y.). In the past, hackers had to lure people to their infected sites. Now millions of computer users are congregating on Facebook. "I wouldn't say [social media has] increased the number or variety of attacks; it's just concentrated them," Seybold says.
Twitter is also regularly hit, with URLs linking to malicious websites. And YouTube videos have been altered. "At the end of the video is a link to a malicious URL. You copy that and visit it, and bang—you have a problem," says Tom Kelchner, research center manager at GFI Software.
No one solution can protect networks from the various threats users might encounter. Instead, experts advise combining solutions that provide visibility into and control over network traffic. "There is no silver bullet," says Kurt Bertone, vice president of strategic alliances at Fidelis Security Systems. "You need firewalls, intrusion prevention, antivirus. They all solve part of the problem."
As anyone in the campus IT department can probably tell you, "Colleges are the epicenter of computer risks like California is for earthquakes," says Kelchner. Not only are a variety of users from all backgrounds and skill levels accessing the network, but they're doing it from a variety of devices.
"We have around 17,000 devices on our network," says Arthur Gloster III, vice president of information services at Bryant University (R.I.). "That poses a threat through sheer numbers." Seybold, who calls mobile devices moving targets, adds, "Everyone has the same problem about less trust in the end user device. The proliferation of devices opens up the possibility of attacks. In order to allow them, you have to relax your security standards."
Currently, few antivirus vendors make products for mobile devices, says Rick Leclerc, founder and director of channel engineering at Bradford Networks. More people using more devices equals more opportunities for a virus to get onto a device over the phone network. Implementing network access control (NAC) allows the IT department to decide which parts of the campus network various devices can visit, limiting the damage that can be caused. "You are letting people on the porch so they are out of the rain, but they aren't in the living room," Leclerc explains.
With NAC solutions, colleges and universities are successfully segmenting the network and protecting faculty research, while also allowing students to get online for the social aspect. Institutions that are failing haven't been able to provide that access and segmentation, Leclerc says. "Schools are doing what they can, but it costs money and takes time."
"We're embracing mobile devices," says Jonathan Domen, a Bryant IT network analyst. "Our students will be using these tools in the business world once they are off campus." He employs a multilayered approach, using Bradford to register the devices and confirm they're known, and keeping them on a separate network. "We provide internet and access to some parts of the network, but we have stringent controls on them to mitigate the risk." Since mobile devices are moving targets, continuing to monitor data flowing over the network is an important part of Bryant's security efforts, says Richard Siedzik, director of computer and telecommunications services.
"Even if you don't allow social media on campus they will do it at home, the malware will get into the device, and then onto your network" if protections aren't in place, notes Steve Shalita, vice president of marketing at NetScout Systems.
NAC also gives IT the ability to scan a computer for up-to-date virus protection before allowing it on the network, says David Kelleher, communications and research analyst at GFI Software. "You never know if the students have antivirus software or not." In addition to laptops and smartphones, users might connect USB drives and external hard drives to the network through computers in the library or in labs. NAC can monitor that activity and provide guidelines for copying files to the public desktop.
At Old Westbury, Seybold protects the perimeter through IDS, traffic shaping, and firewall devices. Users are required to authenticate with an ID and password, and each computer is scanned for virus protection before being allowed on the network. "We keep a sitewide license for an antivirus product that students are encouraged to use," he says. "If they want to get on the network they have no choice."
"I don't think any one solution will solve the problem. The more layers you can get on there, the better it is," agrees Domen. At Bryant, administrative computers are blocked from accessing select Facebook applications known to be prone to viruses and malware, but "on the student side we don't have that luxury."
Having NAC in place allows them to detect and isolate incidents much more quickly. "Before we had Bradford, we were hit by a virus and it took about three weeks to clean it," he shares. "Now I can catch it and clean it in about half a day, or at least get those machines off the network so it doesn't keep propagating."
Since it's more likely than not that a virus will slip through the perimeter defenses, being able to catch it quickly is the next line of defense. "It takes time for a disruptive attack to manifest. If it is meant to bring the network down it will take time to replicate," says Shalita. Solutions designed to detect an anomalous shift in network traffic can help the IT department locate problems. If a campus department with low bandwidth usage suddenly has a surge in consumption, IT staff can quickly determine if it is from new research, P2P file sharing, or a virus. Since many malicious programs phone home, "We have two chances to catch it, during the download or during the outcall," says Bertone.
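The surge check described above, sketched as an added example (not code from the article or from any vendor it quotes). Segment names, traffic figures, and the threshold are constructed assumptions; each segment is compared with its own history, so a quiet department stands out even when its volume is far below the residence halls.

```python
from statistics import median

# Constructed sample data: outbound megabytes per hour for each campus segment.
HISTORY = {
    "registrar": [40, 42, 38, 41, 39, 43, 40, 41],
    "physics":   [900, 1100, 950, 1000, 1050, 980, 1020, 990],
    "residence": [5000, 5200, 4800, 5100, 4900, 5300, 5000, 5100],
}
# Constructed "current hour" readings for the same segments.
CURRENT = {"registrar": 620, "physics": 1150, "residence": 5250}


def robust_baseline(samples):
    """Return (median, MAD); both resist distortion from earlier spikes."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, mad


def surge_score(samples, observed, floor=1.0):
    """Modified z-score of the observed hour against the segment's own history."""
    med, mad = robust_baseline(samples)
    # 1.4826 scales MAD to a standard deviation for roughly normal data;
    # the floor prevents division by zero on perfectly flat history.
    return (observed - med) / max(1.4826 * mad, floor)


def find_surges(history, current, threshold=6.0, min_samples=6):
    """Return [(segment, score)] for segments above threshold, highest first."""
    alerts = []
    for segment, observed in current.items():
        samples = history.get(segment, [])
        if len(samples) < min_samples:
            continue  # too little history to call anything anomalous
        score = surge_score(samples, observed)
        if score > threshold:
            alerts.append((segment, round(score, 1)))
    return sorted(alerts, key=lambda a: a[1], reverse=True)


if __name__ == "__main__":
    for segment, score in find_surges(HISTORY, CURRENT):
        print(f"{segment}: {score} robust deviations above its own baseline")
```

An alert here only says where to look; staff still have to decide whether the surge is new research, P2P file sharing, or an infection.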
Once an issue is resolved, these solutions can help with forensics in tracing the infection to its source. The sooner issues are caught, after all, the better off the network is.
Many data monitoring solutions are programmed to look for known malicious URLs, just as antivirus software has lists of known viruses, explains Bertone. "When we see people trying to download malware we can either alert you or block it," depending on the campus policy. Once again, layers of protection are important. "The primary technology is to have e-mail filtering for viruses and spam," says Kelleher at GFI Software. "The second level, which speaks to social media, is the capability to block certain sites and monitor the activity going on." If you can block students and other campus users from accessing sites that are more likely to have malware, such as P2P programs, it will limit your network exposure.
Institutions have leeway in deciding what types of devices users can use to access the network. But dictating what sites they can visit once logged in is a trickier proposition, Shalita says. "Do you really want to try to control what users do? That is a big question." Domen points out, "I think we'd have a mutiny if we tried to take Facebook away." The wholesale blocking of sites is also contrary to the collaborative environment most higher ed institutions foster. And it's flat out impractical. "There are countries trying to restrict access [to Twitter] and people can get around it," notes Kelchner.
Just consider the number of RIAA subpoenas colleges and universities have received and a clear picture of how difficult it is to control students' online activity emerges. But that doesn't mean IT administrators can't keep an eye on them.
"I'm proud to say we don't block sites. We try to educate and help people make good decisions," says Marty Peterman, an IT security analyst at the University of Virginia. "If you put in security controls that are just too harsh, users will just do an end run."
Also, with the rise in using social media for recruiting purposes, there are legitimate reasons to be on Facebook and Twitter during the work day. (While what they share is another matter, solutions are available to ensure no one is posting Social Security Numbers to public websites.) "Be selective about blocking or alerting," Bertone says.
"Our policies are technology agnostic. We don't try to enumerate new technologies that come into use. It would be an endless list. We just say, 'If you have sensitive data, this is where it must be secured,' " explains Peterman, who uses an Identity Finder solution for that purpose. Each department determines how frequently employees run the program based on how much sensitive data they store.
Higher ed administrators are good about being proactive and learning from peers' mistakes, says Todd Feinman, CEO at Identity Finder. Instead of just blocking social media sites campuswide, he's seeing institutions selectively blocking access on certain computers where the ability to tweet isn't necessary. Pushing out antivirus software to students protects the network and can save cleanup time and costs if a virus does break through.
"We find people aren't updating their machines and are getting hit by something patched last year," says Peterman—despite UVa providing antivirus software. "We figure that if you are a student at UVa you have the wherewithal to know you have to be up to date. We provide it but we don't push it. Our respect for privacy extends to what is installed on their computer."
Even as students work around the network security measures meant to protect them so their devices have the best access possible, they'll still be the first to complain if the network goes down. The pressure to maintain internet speed while students are pushing the envelope on capabilities is a big issue in higher ed, says Shalita.
"If things work out, our total bandwidth would be 400MB, and the bulk of that is being tied to what we're seeing from social media," especially video viewing, says Seybold at Old Westbury. "That is going to force policy issues. Are you going to keep throwing money at bandwidth or change policies?" Bandwidth was much more manageable and affordable before the proliferation of sites that encourage the distribution of video, he adds. He suggests providing users with a bucket of network access to use at will. The first time they use all their access for recreation and can't get their homework done, they'll be better about monitoring their usage, he says.
Getting users to self-monitor is that final layer of network protection. "There are conduct policies about not surfing to sites that would create a hostile environment," says Seybold.
Users are finally getting the message not to open e-mail attachments from people they don't know. The new message: Don't click on unknown links. But that doesn't apply to social media sites. "It's not working," says Seybold. "The bad guys go out of their way to make those links attractive." Bertone explains, "The nature of social media lends itself to social engineering. People are accustomed to divulging personal information and making new connections. Once you trust who you think they are your guard is down."
Another hacker tactic is embedding a virus in a fake site about a hot topic, says Feinman, who saw such sites when Michael Jackson died and when Tiger Woods' mistresses were in the media. "Facebook doesn't go through all links on the site checking for a virus."
So schools should continue to hammer home the safe computing message. "As a new student, you can't get on the network unless you've taken a cyber security tutorial," says Peterman. "If people would go ahead and hold to a few basic tenets of cyber security awareness, the vast majority of our issues would vanish." But the issue is a human nature question, not a matter of students having unsafe computer practices. "When I talk to people I point out that even I am one click away from making the same mistake," he says. Distraction can be as much of a danger as curiosity.
"But if they get a malware infection, that one time is definitive for changing their behavior," he adds.
"Define a policy, notify users, and have the teeth to enforce it," advises Leclerc, who points out that every campus should have an acceptable use policy in place and shouldn't worry about pushback. "We've seen it from faculty and staff as well; if you are doing legitimate research why would you care if someone sees what websites you're visiting?"
Reminding people to be careful is only a piece of the puzzle. "User education can only go so far," says Bertone. "You can't put all the onus on your users to not do anything dangerous."
"Any assumption that starts with the idea that a handful of IT people will be able to protect all these people is that it's impossible," says Seybold. "The truth is the technologists can do their best, but it's not as effective as people taking responsibility for their own actions.
"The two need to work together, but they are usually fighting," Seybold continues, adding that there is a silver lining. "The conversations are just beginning. The negative consequences are just getting bad enough that people are realizing we all have to work together."
And that teamwork will be another layer of protection keeping the campus network safe.