Cyber Security

For someone not in the security field, who simply glances at computer security issues as they pass in the news, it is easy to get the impression that, yes, hackers are clever, but not that clever. The good guys might have to struggle to stay a step ahead of the bad guys, but, with an occasional lapse or so, they manage to do so. The bad guys eventually get caught, and computer systems, with ever-improving technology, become gradually more secure.

Upon closer examination, however, it appears that this assumption is porous. It then becomes easy to reach a totally opposite conclusion, that confidential information was much more secure before the arrival of computers when it was locked in file cabinets behind locked doors.

“Schools have a very difficult time with cyber security,” says Ken Pappas, vice president/marketing, Top Layer Networks, Westborough. “They face the question of how to make their networks open but secure, and struggle with this all of the time.” Pappas explains that higher education, through its emphasis on shared knowledge, has an even greater problem in this respect than do secondary schools. On the other hand, colleges and universities typically have security experts on their staff. K-12 schools do not, so they have to rely on outside consultants, which can be expensive.

On one hand, the sheer volume of cyber traffic can be difficult to monitor. “My son is attending the Berklee School of Music, where 3500 students all share their music files over the network, this on top of ordinary email and applications,” says Pappas. “This takes up a lot of bandwidth.”

What can happen if these networks are accessed for wrongful purposes? “There are a whole host of problems,” says Dominic Wilde, vice president/marketing, Nevis Networks, Inc., Mountain View, CA, “from students cheating on exams to stealing confidential information. UCLA had the social security numbers taken from 800,000 of its alumni.”

But there are a lot of other problems you may not readily suspect. “There’s a lot of social networking going on with computers, especially in K-12,” says Wilde. “There have been a number of instances of bullying by peers. In one instance, a girl tragically committed suicide. Actually, this type of cyber bullying is a very common problem in school environments.”

Yet, this type of activity is not even limited to a particular school. “When I was growing up, a serious prank could be defined as a student throwing a cherry bomb in a toilet. But today, I’m seeing students attacking students in other schools,” Pappas says. “In Florida, students have attacked entire schools, stealing information, seeing how much disruption they can cause. I couldn’t believe it.”

This raises another issue, says Wilde. “Our school customers are very concerned about protecting children and the liability of their organization,” he says. “The school has a responsibility to protect its students. If an incident occurs and the school can’t show it has done everything possible to put the necessary technology into place, then they have a financial liability.”

Mischief is not limited to the use of the computers on campus. What started in colleges and is now taking place in high schools is students using their laptops as Web servers to sell their services to other students, says Pappas. He adds that foodservice operations often accept credit or debit cards, another potential for abuse, not to mention the personal information stored in healthcare records and in financial and other departments.

One of the solutions, Pappas continues, is to have a documented policy. However, he adds, “I’ve seen institutions put together policies that assume students understand what they are reading. This isn’t necessarily so. Students cannot be held accountable for what they don’t understand. You have to also communicate verbally and make sure they understand.” But, he adds, this will only work if people are honest. “Traffic management rules are broken all of the time.”

Therefore, Pappas maintains, the only real solution is technology. Pappas says there are services that provide prevention systems, custom applications, and access control in three main areas — the perimeter alongside the firewall, data center applications with mission critical information, and the LAN segment itself. “They offer a multi-layered approach,” he says. “There’s not one size that fits all.”

As an illustrative example, Pappas says that if a virus should enter the system, either from the outside or from the inside, on, say, a student’s laptop, the system monitors the traffic inbound and outbound. “When the system spots the virus it immediately sets up an alert,” Pappas says. “The IT staff then knows it needs to check one classroom, with 20 users, rather than try to track 2,000.”

When asked how much that type of system costs, Pappas says the cost varies greatly with the size of the installation and the number of protective layers. “Look at it this way,” he says. “If you have insufficient protection for a virus, it can easily get to the point where nothing is usable, all the data can be lost, and you may need to individually clean every single device before you get the system back up.”

Wilde says some services take a different approach. “Actually, there are two main issues, the first is perimeter security from hackers trying to get in from the outside. Most schools have this pretty much under control. What they focus on is the damage that can be done from the inside.”

Although computer systems typically require an identifying password to allow a person onto a system, Wilde maintains this doesn’t work very well because people within a facility can easily learn someone else’s password. Furthermore, even a person limited to his own password is, if he has the knowledge, able to range the entire system. “At the lowest level is the physical wire. On top of that, are the network addresses, applications, the database, and everything else is on top of that,” says Wilde. “A smart 12-year-old can get down to the physical wire, and go wherever he wants, with nothing to authenticate himself.” In other words, you are authenticated if you follow the rules the computer tells you to. But you can outsmart the computer.

“The key concept to our approach,” Wilde explains, “is identity. There is a three-step process.” The first step authenticates identity in the more or less conventional manner, but the identity is checked independently of the location of the computer. Second, you are allowed onto certain applications, but you’re monitored throughout. And third, whatever you do on the computer is tracked and traced. “If a student does bully another student on the computer, we can actually trace it back to the person, the computer he used, and the date and time,” Wilde says. “Instead of trying to defend the entire network, you stay close to the user himself, so you catch the abuse. Once he knows he will be caught, his abuse will stop.”

Wilde says the cost ranges from $35,000 to $45,000 for 1,000 to 3,000 users. With educational discounts the amount ranges from $15 to $35 per user.

Often computer projects are first utilized in the commercial marketplace and then work down to education. But Nevis Networks is a new company, started in April, 2006. “We started in financial and high tech corporations, where there is a lot of intellectual property or data to protect, but we also quickly followed in the educational field as well,” Wilde says.

Their approach is to confront the issue of the virtual LANs, Wilde says. Using that concept, you put together the people in the same organization, all of whom will be allowed to access some portion of the data. The typical way has been to divide applications so that the financial staff has access to some, management to other data, administrators to their portions, and students to theirs.

The concept of tracking a user’s identity from the moment he logs on to the moment he logs off is not a new one, Wilde says. It has been around a long time, but in practice it has become unwieldy. For instance, the CIO is a member of the IT staff, but is also an officer. So an exception is made. The problem is that the system soon becomes filled with exceptions. The larger the organization, the more exceptions, and the larger, more complex, and expensive the system, the more possibilities for abuse.

Moreover, says Wilde, “in the traditional network world, if a visitor from the outside — an engineer, or a student — walks into the principal’s office, he can plug his laptop into the principal’s database, and the computer will think that it is the principal. In our new world of identity, the system is not going to let you onto the computer unless it knows who you are, and you’re not going to be able to access anything unless it says you can. No matter what you do, it will track it.”
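The contrast Wilde draws above, and the three-step identity process described earlier, can be sketched in code. The following is an added illustration written for this article, not code from Nevis Networks or any product: a port-based gateway that trusts whoever is plugged into the principal’s office, beside an identity-based gateway that refuses unauthenticated sessions, authorizes by the union of a user’s roles (so a CIO who is both IT staff and an officer needs no special exception), and records every decision so it can be traced to a user, a port and a time. All ports, roles, users and applications are constructed samples.

```python
# Added illustration (not from the article or Nevis Networks). Contrasts a
# port-based trust model with an identity-based one and keeps an audit trail.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: which switch port sits in which office, what each
# office may reach under the old model, and what each role may reach now.
PORT_LOCATION = {"sw1/3": "principal_office", "sw1/9": "classroom_12"}
LOCATION_ACCESS = {"principal_office": {"student_db", "finance"}, "classroom_12": {"lms"}}
ROLE_ACCESS = {"principal": {"student_db", "finance"}, "it_staff": {"lms", "netmgmt"}, "student": {"lms"}}
# A user may hold several roles (the CIO case) instead of needing a per-user exception.
USER_ROLES = {"principal": {"principal"}, "cio": {"it_staff", "officer"},
              "student_a": {"student"}, "visitor": set()}

@dataclass
class AuditEvent:
    user: str
    port: str
    app: str
    allowed: bool
    at: str

@dataclass
class Gateway:
    audit: list = field(default_factory=list)

    def port_based(self, port, app):
        # Traditional model: whoever sits on the port inherits the office's rights.
        return app in LOCATION_ACCESS.get(PORT_LOCATION.get(port, ""), set())

    def identity_based(self, user, authenticated, port, app):
        # Step 1: an unauthenticated session gets nothing, regardless of the port.
        if not authenticated:
            allowed = False
        else:
            # Step 2: authorization is the union of the user's roles, not the port.
            perms = set().union(*(ROLE_ACCESS.get(r, set()) for r in USER_ROLES.get(user, set())))
            allowed = app in perms
        # Step 3: every decision is recorded so it can be traced to user, port and time.
        self.audit.append(AuditEvent(user, port, app, allowed,
                                     datetime.now(timezone.utc).isoformat()))
        return allowed

    def trace(self, app):
        # Return every recorded attempt against an application, allowed or not.
        return [e for e in self.audit if e.app == app]
```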

In other words, Big Brother will be watching over you. Maybe, in some cases, that’s the way it needs to be.