School of Secure Hard Knocks

It was a lot easier to manage higher education IT systems a generation ago.
Back then, a manager controlled a central computer and decided who could
access it and why. This is not the case today.

College networks are now exponentially larger and much more open, which makes them
more useful for students, faculty and staff. However, the downside is that they’re
more vulnerable to viral attacks of all kinds.

Other factors are complicating university IT, as well. New federal privacy regulations for
handling and storing sensitive financial and medical data have imposed new
burdens on IT departments. And emerging threats like peer-to-peer networking applications
present the dual danger of delivering viruses from malicious code writers
and lawsuits from copyright holders.

Given the increasing scale of the threat, and the consequences of not
handling it, colleges and universities have stepped up their security
efforts by boosting budgets, updating arcane policy and revamping their

Taming the Wild

Unlike their corporate counterparts, college IT managers don’t issue the
majority of PCs and laptops that tap into a campus network. So, the number
of laptops that roam the halls unprotected is hard to tally, which means there’s no guarantee
that their owners have installed the latest patches or virus-scanning software.

“There’s a flurry of new students coming in with laptops and operating
systems, and as they interact [with the network], they create a stability
issue,” Mark Townsend, a technical marketing manager at Enterasys Networks
, told

There are other routes into the network that need guarding, as well: campus
Wi-Fi access points; satellite campuses and labs; and remote
connections for e-learning students.

Another advantage that companies have over universities is that they experience
times of lower activity, which gives IT personnel a chance to maintain the systems.
With access available in dorms and professors’ offices,
users are always pounding on the networks, so to disable a network at any
given time is sure to inconvenience a number of people.

Gregory Travis, manager of network security initiatives at the Advance
Network management Lab at Indiana University, has noticed a spike in the
number of buffer overflow exploits and Denial-of-Service attacks.

“[This] is natural given that networks are getting faster and more and more people are getting
connected,” he said, adding, however, that colleges generally have better and larger security organizations
than their corporate cousins, because schools are less focused on ROI.

“Educational organizations, especially large universities, have different
market pressures, and those pressures more easily
justify putting resources on security,” Travis said. “When a big school
screws up security, it’s front page news. When a big corporation has an
incident, nobody outside the corporation knows about it.”

But others say the higher-education sector is too broad to generalize. School IT
departments differ in size, technical sophistication and recognition of the
threat. More importantly, the amount of resources they can devote to security vary. But
there are some steps that all schools can take to gird their systems.

Schooling Security

Stock Photography
Colleges need to approach the security problem from both organizational and
technical angles. Experts at Gartner recommend that institutions select a
CIO to understand federal data regulations and make sure their school is in

The CIO would also develop policies to protect personal information and
establish training so everyone understands what’s at stake and how to
prevent a breach.

Gartner analysts also recommended that institutions become more involved
with higher-education associations, so they can stay current on IT security
trends and exchange ideas.

Taking those suggestions a step further, vendors and IT pros see the
technical application of policy as key.

“There has to be role-mapping,”
Enterasys’ Townsend said, adding that the network should know whether a
student or professor or administrator is trying to gain access to an
internal network and grant or deny access based on their profile.

Other rules may include a limit on the volume of P2P traffic allowed in the
network. Enterasys spokesman Kevin Flanagan said IT personnel must contend with
enterprising scholars looking for ways to flow with the P2P traffic.

“We had examples of hackers who had taken a networked printer and set up a
P2P station,” Enterasys spokesman Kevin Flanagan said. “They chose a
printer because it has the (memory) resources and it was a low-radar

According to Townsend, a simple rule aimed at nipping potential P2P problems is that
clients can’t be servers.

Then there is network monitoring. Travis said the schools should use in-house and
third-party software to flag anomalies. Just last week, Arbor Networks
introduced several new higher-education customers for its Peakflow platform,
which can detect and mitigate DDoS attacks.

“When the picture looks wrong, something usually is wrong, and that’s when
you get down to finding out what,” Travis said. “What’s important is having
that 20,000-foot view, and for that we use a bunch of visualization tools.”

Travis said there are new automatic tools that have advanced to the point
where they can mitigate problems — software that will “pull the switch at 4
a.m. when you’re asleep.”

“In the past, the community has been reluctant to adopt ‘fire and forget’
technologies on the belief, usually justified, that the systems will false
alarm and, themselves, become a Denial-of-Service vector,” Travis said, noting
that the software has improved.

He also foresees the demise of e-mail attachments, which many networks simply
strip out because they are a popular source of viruses. Higher education
is simply different than enterprise, both in threats and how you can deal
with them, Travis said.

“Corporations can manage security by firing people,” Travis said, “which means you’re under
even more pressure to make sure they’re not able to inadvertently or
otherwise cause harm.”

News Around the Web