Home » Data Protection » Network Security

Crash Course: Information Security at Universities

How do universities cope each fall when students stream back to campus with infected, unpatched PCs? CISOs say it's (almost) all about the education.

Syllabi, course work and student schedules often reside online; professors, teaching assistants and college sweethearts all communicate via e-mail and instant messaging. "I cannot imagine being a student nowadays without being connected to the Internet," says Ariel Silverstone, CISO at Temple University.

Many universities keep the networks they offer residential students separate from the academic, research and staff networks, often by use of a firewall. That's because the machines that connect to the residential networks in places like GWU, Duke University and Brown University are owned by students, not the university. For those networks, the college functions as a service provider, offering a broad range of services to an even broader range of computing customers. PCs and Macs, desktops and laptops, every flavor of Windows ever made and plenty of Linux: This great mishmash of machinery all arrives back on campus en masse after a summer off, creating what can politely be viewed as controlled chaos for university security officers.

Returning students generally fall into one of two categories, security specialists say. Kids who've had a grand old time all summer downloading files, swapping MP3s and IMinggenerally leaving their machines online and unprotected for three monthsrun the risk of having picked up worms, viruses and spyware. The other class is those who haven't touched their machines since the last exam in May. They might have cleaner computers come fall, but they're still vulnerable because their operating systems tend to be unpatched and their antivirus software out-of-date.

Connie Sadler, director of IT security at Brown University, says one of her biggest challenges is convincing students that their brand-new machines may already need several hours worth of updates. "It's counterintuitive to a lot of students. But if that computer shipped from the manufacturer three months ago, it's already vulnerable coming out of the box," she says.Cajole and ControlThe fact that the schools generally don't own the machines creates a particularly nettlesome wrinkle. "In the corporate environment, any patches and updates can be driven from a centralized server. In the college and university environment, it's harder to lock down individually owned and operated computers," says Rodney Petersen, project coordinator of the Computer and Network Security Task Force. (The task force is a joint venture sponsored by Educause, a higher-ed IT association, and Internet2, a consortium of universities that work in partnership with industry and government to develop and deploy advanced network applications and technologies.) Universities cajole, tempt, suggest, emphasize, educate, and push students to adopt tools and practices that promote safe computing, but many have to stop short of dictating what a student can or can't have running on his personal computer.