The Computer Security Battle

It’s a dichotomy that will never disappear: universities operate in a culture of openness and decentralization while their IT departments want to keep everything as closed as possible and run a very strong network layer.

The gap is beginning to attract ne'er-do-wells, as hackers of the world step up their games. Technological brains these days develop products like Cookie Monster to inject I frames into HTPS strains and redirect Internet seekers not for the glory, as they did in the past, but for a far more insidious reason: money. “People are breaking into machines to use them to send out spam and manipulate stock purchases for a profit,” said Ross Bollens, the director of IT security for UCLA. “They’re very good.”

And yet, in contrast to the government agencies where Bollens previously consulted, he cannot look at content. He cannot put anything on UCLA’s system that would monitor what someone is doing. At best, he can establish usage patters of how much data is flowing between different departments, but he cannot look at a packet.

He wasn’t completely helpless when someone breached the University’s system in December 2006, compromising private information on what was thought to be as many as 800,000 members of the campus community. It was labeled the largest breach in academic history at that time. The forensic reports a few months later revealed it wasn’t nearly as bad as officials first thought, and the incident did have a silver lining.

Departments, shaken by the sudden responsibility, began to question the need for social security numbers in their files, and scrubbed that entry in favor of unique — but more benign — university I.D. numbers. Departments that accumulated drivers’ license numbers decided to simply verify, and indicate that step with a check box in the database. Today, the sheer number of computers that could trigger California’s SB 1386 and AB 1298 privacy breach laws has been greatly reduced, according to Bollens.

Protecting Data
Today’s IT departments bear the responsibility of protecting an ever-growing number of computer files beyond simply a student’s social security number, including grades, financial aid packages, and health and psychological records. Faculty and staff data needs equal protection. At Quinnipiac University in Hamden, CT, one answer has been to establish separate intranets for students, faculty, and specific research labs so that a student can’t connect to his professors’ databases, and faculty can’t manipulate lab data.

“It’s becoming a fairly sophisticated security system that we worked out,” said Ramesh Subramanian, the Gabriel Ferrucci professor of computer information systems in Quinnipiac’s business school.

Bollens called UCLA’s strategy a layered one, with the medical area having the tightest security of all. Administrative areas that do still contain social security numbers have a few layers of network security, too. As for the rest of campus, “the philosophy we’ve taken is that the networks are open, but we’ve hardened and protected the computers themselves,” he explained. Antivirus systems — known as intrusion prevention, or IPS — internally watch each computer constantly to bar viruses and other unwanted poisons.

Quinnipiac also takes the precaution of splitting its daily backups into various sections and sending them to separate underground locations — one out of state.
“Unlike a big company, if there is a media studies program, it might be looking at sites that are borderline pornographic or illegal to study the social contents,” said Subramanian. “If I were IBM, I would say no, you just don’t access these types of sites.” Even private university status isn’t a boon, he said.

Reacting to Risk Assessments
In fact, private status makes things worse, in Mike Chapple’s experience. As the information security program manager at the University of Notre Dame in South Bend, IN, he can’t even fall back on state funding regulations to shore up his arguments for security. Like UCLA, Notre Dame weathered a security breach this decade. The incident launched a campus IT risk assessment that the University hired one of the big four consulting firms to conduct for it.

After a round of surveys and dozens of follow up interviews, administrators laid out a road map for addressing the issue. It started with a comprehensive information security program that spread 47 projects addressing everything from desktop security, server security, network security, and the entire security infrastructure over four years. Notre Dame is currently wrapping up the third of those years. The pushback so far, Chapple said, has been minimal, a fact Chapple credits in part to the University’s policy standards it hashed out around these changes.

Subramanian agreed that a strong policy belongs in the heart of any campus IT security department. “But I’ve actually done studies on two campuses, and we’ve discovered that even through the university may have fairly detailed policies, students are not necessarily prone to following them,” he noted. Considering that PC magazine dubbed Quinnipiac one of the top-10 wired universities in the country and the university issues a laptop to every student, he is in a position to know.

“One of the problems is that we have people using those resources, and people do stupid things,” Bollens agreed. “People are click happy, for example. All the spam and phishing campaigns… users will inadvertently or intentionally click something that affects their machine.” Failure to back up or change passwords are also high on the offenders’ list of mistakes.

Other times, the wrongdoing is intentional. As Subramanian pointed out, students come to campus knowing how to illegally snag the latest CD, DVD, or game. “I ask if they’ve downloaded it, and they say yes,” he added. Whether the student thought the activity was cool or a right, the campus is on the hot seat legally. Every year, in accordance with the Digital Millennium Copyright Act, university campuses receive notices from individual companies asking the users to cease and desist or face a lawsuit.

Private companies, of course, know this because they can log into the peer-to-peer networks to see which IP addresses are violating the law, a move campus IT folks can’t begin to make. In fact, they can’t even acknowledge whether a named user is a student at all. “There is a constant push and shove,” Bollens admitted.

Confronting the Problems
At both UCLA and Quinnipiac, the policy is to accept take-down notices from companies, and then privately deliver them to the party involved. “We don’t claim it’s real because with DCMA we don’t have to investigate,” Bollens added. “We just have to tell the student what has been detected to abide by the law, and ask him to take appropriate action.” If, however, an organization files a John Doe lawsuit against the university, administrators are legally obligated to honor the subpoena and release the student’s name.

Obviously, such legal and security stakes mean university IT departments are now in the education game themselves, communicating both the law and safe computer practices to the masses of clueless — or careless — students. At Notre Dame, Chapple took it one step farther, to include an awareness campaign for faculty and administrators who aren’t immune to mistakes that cause security breaches. To reinforce its message, Quinnipiac is poised to implement a forced password change every three months — users must create a new one unique from previous keys in order to continue using the campus system.

“Unfortunately, our dependence on computerized, digitally stored data increases — cell phones, laptops, iPods — they are everywhere,” he said. We are always going to be dealing with security. It’s not an issue that has a final solution.”