A security challenge for academia

By Bill Brenner, News Writer 07 Sep 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

It's a day Chris Cramer would like to forget.

On the day students returned to campus last year, Cramer, an IT security officer at Duke University, found himself scrambling to lock down the institution's computer network. The Blaster attack had arrived with the moving vans.

"It was an interesting first day," he said. "There are 35,000 computers in Duke's network, including up to 6,000 laptops and PCs in the dorms, so there are a lot of avenues for problems to get through."

With students back for a new academic year, university IT managers are bracing for more trouble, but also confident they have the right measures in place to minimize whatever damage comes. At Duke University in Durham, N.C., Cramer said those measures include educating students and faculty on the threats they face when surfing the Web or exchange e-mail; and scanning every personal computer for infection before users are allowed to connect to the campus network.

"The first assumption we make is that the Internet is a hostile place and that the campus network is a hostile place," Cramer said. "The border firewall isn't going to protect you. In the end, it's the responsibility of individual computer users to maintain security on their machines. We're trying to educate people on viruses, worms and Trojan horses and the need to have individual firewalls."

Since it's impossible to keep tabs on every computer user, he said scanning and blocking technology is also in place. "In order to register your machine on the network, your computer is scanned. If a problem is found, you won't be allowed to connect," Cramer said. If a computer infection is found, he said the user is informed of the problem and advised on what patches need to be installed before network access is allowed.

Duke's security measures are similar to those adopted by other colleges and universities. Earlier this year Paul Schmehl, adjunct information security officer for the University of Texas at Dallas and a founding member of the Anti-Virus Information Exchange Network (AVIEN), said his university has a group policy mandating that individual machines have updated virus protection. The network also has an intrusion detection system that disconnects individual users and updates their security software when problems are found, he said.

Unlike the University of Texas, Duke has no such policy. "We feel that it's very difficult to enforce a policy on individual machines," Cramer said. "There are too many out there, and people have or don't have different programs on their computers for different reasons."

So far, he said this year is off to a more tranquil start. He saw a spike in the appearance of W32.Sdbot when students returned, but not much more. "Having students back certainly means more machines to infect, but I have yet to see a massive outbreak here," he said last week.

Still, antivirus experts believe academia faces a growing information security threat in the years to come.

"We see more and more trouble at universities," said Chris Novak, senior security consultant for Belgium-based security firm Ubizen. "The danger increases each year as more students start using laptops in their dorms, many of which aren't secure. Universities tend to operate in a reactive capacity. They need a more proactive approach."

Novak's advice to university IT managers is to maintain up-to-date perimeter defenses and conduct frequent vulnerability assessments. And despite the difficulty of enforcing a written policy, Novak said, "It's important to have clear policies for students and faculty to follow." His message to students and faculty: "You need to update your antivirus."

Tom Corn, vice president of business development for Cambridge, Mass.-based security firm Mazu Networks, agreed, and believes institutions are learning the lesson. "I'm seeing that educational institutions that had never cared about firewalls are now ordering them," he said. "They can also strengthen their defenses by restricting and getting rid of rogue e-mail and Web servers. Don't allow what you can't control."

Tags: Web Authentication and Access Control,  Password Management and Policy,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Authentication and Access Control Group to shed light on secure identity management threats How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Can mutual authentication beat phishing or man-in-the-middle attacks? Could someone place a rootkit on an internal network through a router? Sun launches open source OpenSSO for identity management Password Management and Policy Two-factor authentication, vigilance foil password theft Group to shed light on secure identity management threats Brute force attacks target Yahoo email accounts Best Identity and Access Management Products Privileged account management critical to data security Making the case for enterprise IAM centralized access control How to prevent brute force webmail attacks Best practices for a privileged access policy to secure user accounts Mature SIMs do more than log aggregation and correlation PCI compliance requirement 2: Defaults

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary access log  (SearchSecurity.com) anonymous Web surfing  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) identity chaos  (SearchSecurity.com) knowledge-based authentication  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) walled garden  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary