RealTime IT News

School of Secure Hard Knocks

It was a lot easier to manage higher education IT systems a generation ago. Back then, a manager controlled a central computer and decided who could access it and why. This is not the case today.

College networks are now exponentially larger and much more open, which makes them more useful for students, faculty and staff. However, the downside is that they're more vulnerable to viral attacks of all kinds.

Other factors are complicating university IT, as well. New federal privacy regulations for handling and storing sensitive financial and medical data have imposed new burdens on IT departments. And emerging threats like peer-to-peer networking applications present the dual danger of delivering viruses from malicious code writers and lawsuits from copyright holders.

Given the increasing scale of the threat, and the consequences of not handling it, colleges and universities have stepped up their security efforts by boosting budgets, updating arcane policy and revamping their organizations.

Taming the Wild

Unlike their corporate counterparts, college IT managers don't issue the majority of PCs and laptops that tap into a campus network. So, the number of laptops that roam the halls unprotected is hard to tally, which means there's no guarantee that their owners have installed the latest patches or virus-scanning software.

"There's a flurry of new students coming in with laptops and operating systems, and as they interact [with the network], they create a stability issue," Mark Townsend, a technical marketing manager at Enterasys Networks, told internetnews.com.

There are other routes into the network that need guarding, as well: campus Wi-Fi access points; satellite campuses and labs; and remote connections for e-learning students.

Another advantage that companies have over universities is that they experience times of lower activity, which gives IT personnel a chance to maintain the systems. With access available in dorms and professors' offices, users are always pounding on the networks, so to disable a network at any given time is sure to inconvenience a number of people.

Gregory Travis, manager of network security initiatives at the Advanced Network Management Lab at Indiana University, has noticed a spike in the number of buffer overflow exploits and Denial-of-Service attacks.

"[This] is natural given that networks are getting faster and more and more people are getting connected," he said, adding, however, that colleges generally have better and larger security organizations than their corporate cousins, because schools are less focused on ROI.

"Educational organizations, especially large universities, have different market pressures, and those pressures more easily justify putting resources on security," Travis said. "When a big school screws up security, it's front page news. When a big corporation has an incident, nobody outside the corporation knows about it."

But others say the higher-education sector is too broad to generalize. School IT departments differ in size, technical sophistication and recognition of the threat. More importantly, the amount of resources they can devote to security varies. But there are some steps that all schools can take to gird their systems.

Schooling Security

Colleges need to approach the security problem from both organizational and technical angles. Experts at Gartner recommend that institutions select a CIO to understand federal data regulations and make sure their school is in compliance.

The CIO would also develop policies to protect personal information and establish training so everyone understands what's at stake and how to prevent a breach.

Gartner analysts also recommended that institutions become more involved with higher-education associations, so they can stay current on IT security trends and exchange ideas.

Taking those suggestions a step further, vendors and IT pros see the technical application of policy as key.

"There has to be role-mapping," Enterasys' Townsend said, adding that the network should know whether a student or professor or administrator is trying to gain access to an internal network and grant or deny access based on their profile.

Other rules may include a limit on the volume of P2P traffic allowed in the network. Enterasys spokesman Kevin Flanagan said IT personnel must contend with enterprising scholars looking for ways to flow with the P2P traffic.

"We had examples of hackers who had taken a networked printer and set up a P2P station," Flanagan said. "They chose a printer because it has the (memory) resources and it was a low-radar target."

According to Townsend, a simple rule aimed at nipping potential P2P problems is that clients can't be servers.

Then there is network monitoring. Travis said the schools should use in-house and third-party software to flag anomalies. Just last week, Arbor Networks introduced several new higher-education customers for its Peakflow platform, which can detect and mitigate DDoS attacks.

"When the picture looks wrong, something usually is wrong, and that's when you get down to finding out what," Travis said. "What's important is having that 20,000-foot view, and for that we use a bunch of visualization tools."

Travis said there are new automatic tools that have advanced to the point where they can mitigate problems -- software that will "pull the switch at 4 a.m. when you're asleep."

"In the past, the community has been reluctant to adopt 'fire and forget' technologies on the belief, usually justified, that the systems will false alarm and, themselves, become a Denial-of-Service vector," Travis said, noting that the software has improved.

He also foresees the demise of e-mail attachments, which many networks simply strip out because they are a popular source of viruses. Higher education is simply different than enterprise, both in threats and how you can deal with them, Travis said.

"Corporations can manage security by firing people," Travis said, "which means you're under even more pressure to make sure they're not able to inadvertently or otherwise cause harm."