Security lesson

University net execs face variety of security challenges.

Just how seriously universities now take network security can be seen in one small, but telling incident: The CIO of Tulane University wouldn’t talk about the subject.

“I have made it a policy to not report publicly about security issues,” says John Lawson. One of the reasons for that is the potential divisiveness that security implementations can cause on campuses.

“Education has, at its core, a belief that information is meant to be shared and learned,” Lawson says. “So now we have this conflict between the need to protect information because of the increased need to secure the safety of our constituents and the institution [on the one hand] and a fundamental principle…of sharing information to the benefit of all.”

His comments reflect a big change in attitudes and actions about network security in academia.

Universities are increasingly aware of their vulnerabilities and the costs associated with successful attacks. A recent Emory University survey of 13 major U.S. universities found that 80% agreed that network security policies are very important, but only half of them are taking steps to combat the growing flood of security breaches. Staffing and budgeting were cited as the main obstacles.

A new worry is the legal liabilities created for a university when someone hijacks a school computer and uses it to launch attacks against networks and computers elsewhere on the Internet.

EDUCAUSE, a nonprofit group focused on advancing higher education through IT, now has a security task force that works with security experts and partners such as Internet2 to coordinate activities to improve information security throughout higher education. 

EDUCATION What else is hot? Higher ed’s higher IT budgets. A 2003 survey of 1,427 colleges and universities found the total budget for IT spending will increase this year by 5% compared with the 2001-2002 academic year, to more than $5.2 billion. But that’s less than the 14% jump in last year’s spending, fueled mainly by increased IT spending by administrative departments. The authors suggested the smaller increase might reflect a return to the historical pattern of higher IT spending by the academic groups. Enrollment Average budget ’02-’03 Under 2,500 $527,800 2,501-10,000 $1.1 million 10,001-25,000 $2.3 million over 25,000 $15.9 million Source: Chronicle of Higher Education; Market Data Retrieval Raising Arizona security. Arizona’s three state universities will publish in August the results of a joint, $100,000 review of their computer network security. The Board of Regents commissioned the study shortly after hackers seized more than 50,000 Social Security numbers from a University of Texas database. The University of Arizona, with more than 30,000 computers, estimates it is hit 200,000 times per day by people searching for weaknesses. University officials said most of these attacks are attempts to access hard drives, which can be used to attack a third party, or to stash copyrighted material.

Squeezed by an economy that’s cut into state funding and private donations, universities are improving network security by reallocating funds and shifting priorities, says Rodney Petersen, security task force coordinator for EDUCAUSE. A main priority is hiring IT security officers to pull together school-wide security master plans, Petersen says. Anecdotal evidence suggests that many universities create these key jobs by re-assigning existing staff or re-allocating a vacant job slot for security, he says.

Dangerous gaps

A security audit at Georgia State University found that one in five users have no antivirus software installed, and an additional three in five users have outdated antivirus programs. It also found some department servers and PCs still run FTP or Web server software, which provides an open door to the network for anonymous users. Another problem was passwords that were too easy to guess. The university has more than 25,000 students in six schools and colleges, and more than 10,000 network devices.

The preliminary results spurred the university to create and fill the position of university information security officer. The university also launched a project to craft an overall security plan, with participation by colleges and departments through newly named information security representatives.

The user vulnerabilities found at Georgia State are typical, according to Petersen, who says they are top issues currently facing the group’s members. “Desktops and laptops are not professionally administered,” he says. “The freedom to allow faculty, staff, and students to alter system configurations and install software make PCs particularly vulnerable.”

These vulnerabilities often are the basis of many of the attacks and disruptions that universities face. Most of these seem to originate outside the university community. Port scans, which are basically messages sent to each computer port as a first step in identifying specific weaknesses, are increasingly common, security officials say. Successful scans often are followed by attacks designed to exploit a specific weakness in Windows, Unix, Linux, sendmail, and other software components.

The most notorious recent example is the MS-Slammer worm attack  . At the University of Texas, network administrators, were alerted shortly before midnight on Friday, Jan. 24, by the school’s automatic network monitoring systems. Slammer exploited a weakness in some versions of the Microsoft SQL Server database that many systems administrators worldwide had left unpatched.

The university had 40 unpatched hosts on its network, says Dan Updegrove, vice president of IT, University of Texas at Austin. About 90 minutes later, all University of Texas hosts generating rogue traffic were blocked at the Internet gateway. But at 8 a.m., the worm surfaced one last time on a student’s laptop, which was infected when the student logged in from his dorm room.

To monitor their complex networks, universities now are doing more systematic and sophisticated “white hat” scanning: Network administrators run software programs to identify weaknesses. For example, the University of Texas performs several kinds of white-hat scans – scanning the entire network for one or a few specific vulnerabilities, or scanning specific subnets for known vulnerabilities. Sometimes, the administrators will scan new or reconfigured systems or recently patched systems.

There’s been a buying binge at universities of such basic security products as firewalls, VPNs, intrusion-detection systems and vulnerability scanning software, EDUCAUSE’s Petersen says.

Higher expectations

But university security managers also are demanding more from these vendors. One of the biggest security issues for Updegrove is “products delivered from vendors that are ‘insecure out of the box” – whose configurations and settings are tuned to minimize difficulty in installing and initial operation.” Open setting on Windows PCs and laptops, as well as on some Unix and Linux computers are good examples of bad examples.

What’s needed, he says, is a shift in vendor thinking, so that vendors ship computers, PDAs, network hardware and servers with secure initial settings.

Just as important as having new and better tools, is the growing acceptance of them, and of the more stringent security policies and practices that go with them, among university department heads, faculty members and students.