Crash Course: Information Security at Universities

The sun is shining and the music’s blaring as hundreds of thousands of students all over the country plug these compromised systems into their schools’ dormitory networks.

And for good measure, around this time, Blaster, SoBig and Welchia all are hitting the Net.

In one day (Aug. 22, 2003) George Washington University’s e-mail filters sifted out some 177,000 viruses (compared with about 11,000 per month, on average), but that was just the tip of the iceberg. “Oh, it was a mess,” recalls George Washington University (GWU) CSO Krizi Trivisani. Trivisani recounts all this with the hard-earned cheerfulness of someone who’s faced her worst fears and lived to tell the tale. But surviving the storm required a tremendous amount of work from the GWU infosecurity staff. “Usually, with a virus or a worm, it’s a onesie-twosie situation, and we just disconnect that machine. Blaster and SoBig were so big, we had to create a whole process that was new to us,” Trivisani says. (See “Battling Blaster,” Page 42, for more on GWU’s labors.)

The phrase “back to school” takes on new significance when viewed through the lens of information security. But last fall’s confluence of security threats, according to Trivisani and infosecurity officers at other campuses around the country, turned out to be a pivotal event that gave them much needed clout to enhance the way computer security is handled on cam-pus. Increasingly, colleges keep residential networks isolated from research networks, shunt unpatched mobile systems onto virtual LANs until they are scanned and cleaned, and maintain detailed policies on how to respond to a virus outbreak. Perhaps more important, they also brainstorm continually for new methods and messages to educate the student population on keeping systems safe and secure. These are lessons worth considering for any company with a mobile user populationor indeed for any company that’ll be finding tomorrow’s employees on today’s campuses.Campus, ConnectedThis is not your father’s college campus, or yours either, for that matter. Today’s halls of higher learning are wired to the maxor unwired, as Wi-Fi takes hold. At minimum, most residential students have dorm-room access to a university network and the Internet. Most schools also maintain a fleet of public machines in libraries, study halls and research centers.

Syllabi, course work and student schedules often reside online; professors, teaching assistants and college sweethearts all communicate via e-mail and instant messaging. “I cannot imagine being a student nowadays without being connected to the Internet,” says Ariel Silverstone, CISO at Temple University.

Many universities keep the networks they offer residential students separate from the academic, research and staff networks, often by use of a firewall. That’s because the machines that connect to the residential networks in places like GWU, Duke University and Brown University are owned by students, not the university. For those networks, the college functions as a service provider, offering a broad range of services to an even broader range of computing customers. PCs and Macs, desktops and laptops, every flavor of Windows ever made and plenty of Linux: This great mishmash of machinery all arrives back on campus en masse after a summer off, creating what can politely be viewed as controlled chaos for university security officers.

Returning students generally fall into one of two categories, security specialists say. Kids who’ve had a grand old time all summer downloading files, swapping MP3s and IMinggenerally leaving their machines online and unprotected for three monthsrun the risk of having picked up worms, viruses and spyware. The other class is those who haven’t touched their machines since the last exam in May. They might have cleaner computers come fall, but they’re still vulnerable because their operating systems tend to be unpatched and their antivirus software out-of-date.

Connie Sadler, director of IT security at Brown University, says one of her biggest challenges is convincing students that their brand-new machines may already need several hours worth of updates. “It’s counterintuitive to a lot of students. But if that computer shipped from the manufacturer three months ago, it’s already vulnerable coming out of the box,” she says.Cajole and ControlThe fact that the schools generally don’t own the machines creates a particularly nettlesome wrinkle. “In the corporate environment, any patches and updates can be driven from a centralized server. In the college and university environment, it’s harder to lock down individually owned and operated computers,” says Rodney Petersen, project coordinator of the Computer and Network Security Task Force. (The task force is a joint venture sponsored by Educause, a higher-ed IT association, and Internet2, a consortium of universities that work in partnership with industry and government to develop and deploy advanced network applications and technologies.) Universities cajole, tempt, suggest, emphasize, educate, and push students to adopt tools and practices that promote safe computing, but many have to stop short of dictating what a student can or can’t have running on his personal computer.

“From the standpoint of the students in the dorms, we’re like an ISP, and you wouldn’t want your ISP telling you what applications to run,” says Christopher Cramer, information technology security officer at Duke University.

Many colleges and universities rely on a two-pronged approach that security officers say delivers surprisingly good results: First, an aggressive education campaign encourages voluntary compliance with stated computing policiesmost often the use of antivirus software, an updated operating system and perhaps a personal firewall. And second, they use network technologies to isolate and quarantine machines that are compromised or otherwise not in compliance.

The 5,500 or so residential students at Duke who enjoy 100-megabit connections to their dorm rooms have access to a wide range of security tools and technologiesincluding a site license for McAfee antivirus software, another for Kerio personal firewall, and links and instructions for automatically updating Microsoft’s various operating systems.

On the network, Duke runs an antivirus checker on the e-mail system and occasionally uses access-control lists on the routers to lock problem ports at the border. When students return in the fall, they’re automatically directed to a private address space on the network where their machines are scanned for operating system vulnerabilities. Last year, students were given information at that point on how to patch their operating systems. For 2004, Cramer has beefed that up to a requirement: Students won’t be allowed onto the university networkand from there onto the Internetwithout a properly patched system. As it stands now, the firewall, the antivirus software and any OS patches after the initial update in the fall are voluntary, Cramer confirmsthough the hope is that autoupdate features will take care of that last point for many students.

To skeptical corporate CISOs accustomed to a higher degree of control, Cramer says the system works just fine. “When Blaster hit, when Slammer hit, Duke survived better than many other corporations I’d heard of. The mixed environment (Macs, Microsoft, Linux, Unix), the collaborative environment, the education all work together to make this a valid approach. If it didn’t work, we wouldn’t do it.”

This “scan and block” policy is common in the college world says John Pescatore, who, as a vice president and research fellow at Gartner, has a roster of clients in academia. “They stop short of saying what you should have on your computer, but they’re not stopping short of saying what can run on their networks,” Pescatore emphasizes. Universities are some of the biggest buyers of intrusion detection and prevention software, he notes; in the past few years, higher education has jumped up dramatically in its purchase of firewallstraditionally somewhat of a sensitive topic in academia. “When the Internet age started, universities didn’t use firewalls. After Blaster and Slammer, now they’ve got the highest vertical industry growth rate,” he says.

Following last year’s assaults, Pescatore says he expects universities to tinker with their hands-off approach to student computers. For example, they still may not insist on a specific antivirus package, but may require that one of several choices be installed. Or they may still stop short of scanning content on student machines, but may require that students download a temporary, Active-X-type security agent for the duration of their online session.Pushing Patches and PezTemple University is ahead of the curve in moving toward more proactive security at the student computer level. Similar to Duke, Temple has a site license for antivirus software; maintains a separate website that scans, cleans and updates computers before they’re connected to the residential network; and uses standard networking tools such as integrity verification, intrusion sensors and antivirus scanners to monitor traffic.

But unlike many of his colleagues at other institutes, Temple CISO Silverstone requires (rather than suggests) certain security elements on the approximately 7,500 computers attached to the residential network. If you’re not running an updated version of Symantec’s Norton antivirus software, you don’t get on the network, period. Signature updates are delivered automatically, usually just once a weekbut as many as eight times a day during an attack like Blaster, Silverstone says. “The only way to avoid updates is to have your machine off or not connected to the network,” he says.

At Brown University, IT Security Director Sadler is emphatic in drawing a distinction between traffic and content on the residential network. “We’re very careful in terms of what we look at. We look at traffic, nothing on the machine,” says Sadler. “If we see one workstation in a dorm taking 80 percent or more of our available bandwidth, which has happened, we apply a filter and restrict that computer’s access,” Sadler explains. “Usually it’s a file-sharing issue.”

Temple’s Silverstone has another answer to that problem: Temple students who are found to have illegal file-sharing software on their machines can’t get help desk support for any computing issue until they remove the files and the application. Repeat offenders can even find their network access completely terminated.

If that makes Silverstone sound like a first-class hardnose, let it be known that he’s the same man who, to build students’ general awareness of security issues, signed off on the distribution of Pez dispensers shaped like bugs. That’s becausehis get-tough policies notwithstandingSilverstone is in complete agreement with his fellow security officers who say it’s education, not technology, that has the best chance over time of teaching students how to be responsible computing citizens.

Gartner’s Pescatore maintains that will be a tricky order; tomorrow’s employees likely face a different set of awareness issues than today’s. “In corporate America, we have 37-year-olds still clicking on attachments, where many college kids today came of age already knowing not to click on a virus. They’re used to spam, and they know not to trust e-mail addresses,” he observes. “On the other hand, they’ve grown up in an age where they don’t see file-sharing and intellectual property theft as a problem.”

During the back-to-school season, when already boisterous students are being instructed in all kinds of safety issuesincluding sex, drugs and alcohol, as well as physical safetyit can be doubly hard to get the digital safety message heard at all. So, university CISOs frequently find themselves acting more like party planners than security personnel, sponsoring everything from Ye Olde Computer Faires to fraternity and sorority lectures, from writing articles for the student paper to setting up the ever-reliable folding tables in dormitory entranceways.

At GWU, Trivisani has worked with Security Awareness, a vendor of awareness tools and products, to develop a monthly series of campuswide posters designed to capture students’ and faculty attention in an offbeat way. (One shows a toothbrush and asks, “Would you share this?” Another, on identity theft, comes with a built-in mirror.) At Brown, Sadler tries to utilize student workers to reach out to their peers whenever possible, and has been known to fall back on the timeless neon-colored flyer taped to the dormitory door, advertising the fact that the help desk is up and running.

In the waning dog days of August, there isn’t a security officer on a campus anywhere who isn’t fervently hoping to avoid a repeat of last year’s firestorm, but many say they’re wiser and more prepared for having weathered the storm, and anxious to kick off the new year “in something other than crisis mode,” as GWU’s Trivisani puts it.

“Our overarching goal is awareness,” she sums up. “These students will be moving on to corporate America someday, and we hope that when they do, they’re more aware of their responsibilities and know how to protect themselves.”