A ZDNet story, Notre Dame probes hack of computer system, got me thinking about why a university is more susceptible than other institutions to this kind of vulnerability.
At Notre Dame, it was a list of donors -- along with social security numbers, credit card numbers and check images -- which were located on the compromised server. (It is important to note that there's no evidence as of yet that the data in question was actually stolen, or that it was even the object of the server compromise.) Similar incidents have been reported at U Conn and at Stanford, where breaches put student, faculty, and staff data at risk. The single most common cause of server vulnerability is an oversight on the part of a systems administrator. We have all become acutely aware of the damage that can be done if a thief knows your name and your Social Security number and, unfortunately, these instances are not isolated.
For years, colleges and universities have routinely used the SSN as a unique identifier for its students -- I remember looking through long lists of such numbers when I was in school in search of final grades. We didn't give it a second thought that our professors had, on their desks, those very same lists with our names printed on them. No one thought about the risk.
Today things are different. Those lists now reside on professors' personal computers, on the department's server, and in the institution's central database -- and all these computers are connected to the Internet, where an anonymous hacker can browse at his leisure through a compromised machine.
Fortunately, colleges and universities are now moving away from using SSN as a unique identifier for students -- but this doesn't help protect faculty and staff whose SSN is needed for tax purposes. Nor does it help those donors at Notre Dame whose personal information has been compromised.
People who hack into college and university systems are usually not looking to steal someone's identity. They are usually more interested in the challenge of the break in -- or they are looking for access to system resources which they can then use to harvest and store music, movies, games, or pornography.
While the enterprise has long been familiar with the need for robust security in order to protect customer information and trade secrets as well as other corporate assets, colleges and universities have enjoyed a tradition of "academic freedom" with free and open exchange to information. The idea of putting restrictions on access to information runs counter to the entire academic experience.
Only now are colleges and universities beginning to appreciate how vulnerable they really are -- and it is not just from malicious behavior.
Here are just a few of the issues the college or university IT department needs to examine as it addresses network security on campus:
Centralized control of sensitive data. As the mainframes of the 1980s gave way to distributed service models and dedicated servers, the control of sensitive data was turned over to the owners of that data. Departmental servers became the norm with redundant data appearing on servers in multiple departments. Whether distributed across multiple servers, or located on big iron, sensitive data needs to be in a central machine room behind a firewall. This also enables sharing of data among authorized units of the institution without need for redundancy -- or for this data to ever leave the machine room.
Qualified Systems Administrators. I found it interesting that a number of Talkback respondents immediately assumed the reported breach was due to a poor choice of operating systems. In my experience, no operating system is secure in its default configuration. This is especially true of servers -- no matter which OS they are running. Colleges and universities rely heavily on student employees. Often these employees are bright and talented, but they lack the experience one would find in the enterprise. In a decentralized IT environment, departments often become overly reliant upon their student employees. To make matters worse, student employees rarely have the opportunity to pass their experience on to their successors. The single most common cause of server vulnerability is an oversight on the part of a systems administrator.
Peer-to-Peer File Sharing. In recent years, college and university networks have been overwhelmed by their students' use of music sharing programs. Aside from the legal implications of wholesale copyright infringement on the institution's network, this activity is so pervasive that unless the institution takes precautions to control the volume of such traffic on its network, the institution's academic mission can be hindered by an overloaded network.
Spam and Spoofing. Spammers often target colleges campuses -- and sometimes pretend to have a campus address to add to their credibility. Such spoofed e-mail can get your institution blacklisted by other service providers. Providing spam filtering at your e-mail relays can dramatically reduce the volume of spam to hit your campus and it offers a superior solution than client-based spam filters.
Firewalls. Just as the machine room firewall can help prevent unauthorized access to sensitive data, a perimeter firewall around your network can help prevent unauthorized access to your mail relays. Requiring your users to connect to your e-mail servers from within your network (either directly or using VPN) helps keep intruders from spoofing your institution's e-mail identity.
User Authentication. Knowing who is using your campus network is an important front-line of defense from attack. Especially vulnerable are your wireless access points. Before allowing any user of your physical network to penetrate your perimeter firewall, assign them a username and password and, if they have no affiliation with the institution, require them to have an institutional sponsor who can vouch for them.
Policies and Procedures. Campus-wide IT policies and procedures provide all users of your network with a set of rights and responsibilities for use of your network. Requiring acknowledgement of the rights and responsibilities insures that policies are well understood and uniformly enforced.
Virus / Spyware Protection. Providing free virus protection and spyware detection for your students, faculty, and staff, and requiring them to use it is essential to reducing infections on your network.
This is by no means an exhaustive list but it is a start. No single solution will be sufficient but each one adds another level of protection again a compromised system.