Well Schooled and Secure

In the freedom-loving world of higher education, how can CIOs bar the doors against cyber-attacks?

by Merrill Douglas / August 11, 2004
"The IT environment in a college or university, especially at a reasonably complex research university, is absolutely the most challenging IT environment on the planet," said Gordon Wishon, CIO, associate vice president and associate provost at the University of Notre Dame.

One major challenge in any IT environment, of course, is security. At a college or university, with its emphasis on academic freedom and individual choice, information security poses an especially knotty problem. Large numbers of privately owned computers operate on campus networks; administrators must support a wide variety of systems and applications, each with its own security quirks; and researchers need to use the Internet, without impediment, to collaborate with peers at other institutions. All this makes the job of cyber-security administration harder in higher education than it is in the corporate or government world.

"We have 4,000 computers on our network that we don't own," said Jack Suess, CIO of the University of Maryland, Baltimore County (UMBC). Larger schools must deal with thousands more on-campus machines that IT officers haven't chosen or configured, and whose Internet activities they don't control.

A student might arrive on campus with a computer whose operating system is six months out of date and want to plug that machine into the network, said Rodney Petersen, Security Task Force project coordinator at EDUCAUSE, a Washington, D.C.-based association focused on information technology in higher education. But computers without the latest security patches and virus definitions are vulnerable to attack, and so are machines that students use to open questionable e-mails or download files from unreliable sources.

A firewall may protect the rest of campus from a virus-infected machine in a dorm. But many students carry laptop computers outside the firewall, connecting to the campus network via public wired ports or wireless hotspots. "The question is, where has that laptop been?" asked Dan Updegrove, vice president for information technology at the University of Texas (UT) at Austin. "Is it properly configured and secured? Is it virus-ridden? Worm-infested? What will it do to your network as soon as it connects?"

Faculty and off-campus students who access the network from home computers, especially via DSL or cable modems, create another vulnerability point. "People by definition don't realize the challenges for security when you're on an always-on connection," said Suess.

The less control the university exerts over a computer, the harder it is to ensure it stays current with the latest security tools, said Mark Bruhn, chief IT security and policy officer for the eight campuses of Indiana University. "Getting people to maintain their own machine may be impossible. I think there's a lot of discussion now about whether this is something we can continue to rely on."

No Imposed Standards
Although IT officers can better control computers the school installs for faculty and staff, those machines present other problems. Unlike their peers in corporations or government agencies, campus administrators can't impose hardware or software standards on all users. "We have legitimate needs to maintain support for Macintosh computers, for UNIX computers in a variety of variants, as well as for Windows systems," said Wishon. And when it comes to applications, certain disciplines march to a different drummer. For instance, he said, the legal profession favors the WordPerfect suite, and Notre Dame's law school must follow that example even though most of the university uses Microsoft Office.

With such variety under their care, administrators must step carefully as they implement security solutions. "The deployment of a firewall, for example, may break a service used by an application, or may prevent it from working the way it was intended," Wishon said. "Our security architecture has to be sensitive to diversity in the application environment as well as the operating system environment. That introduces additional complexity and potential cost."

Academic culture also complicates the mission. Many researchers collaborate with colleagues at other higher-learning institutions. To get their work done, they require open pathways among their information systems. "It's quite common, for example, for UT researchers to have accounts and passwords on computers at Stanford and vice versa because they're routinely exchanging data and programs," said Updegrove. "It's harder to have the sense that all the bad stuff is on the outside and we're safe on the inside because inside and outside are much more amorphous categories."

Another challenge, Updegrove said, is that academic departments constrained by tight budgets often manage their own computer systems, rather than pay for professional services. But departmental IT administrators -- often graduate students -- are hard pressed to keep up with security issues while also pursuing their research. Warnings from Sun, Microsoft or other vendors to plug a newly found vulnerability in their operating systems may slip by administrators. "The likelihood that they will notice a patch that has just been published, we suspect, is lower than in some other environments," he said.

While cyber-security poses a challenge at large research universities, the problem is even harder to manage at the smaller two- and four-year colleges that make up most of the higher-education community, Wishon said. "Many institutions in those categories may have IT staff that number fewer than five in total, so often they can't afford to hire a dedicated security professional to deal with these kinds of issues on their campuses."

Safety Scans
Faced with assorted cyber-security challenges, IT administrators in higher education have launched equally diverse initiatives to fend off attacks. One common tactic is to automatically scan privately owned computers for viruses and vulnerabilities when they connect to the campus network. In some cases, these scans include computers that connect from off campus. Schools also encourage students to make better use of anti-virus software.

A scan may compel students to fix security gaps. "If there are deficiencies in their operating system or anti-virus software, they're forced to upgrade it before they get on the network," Petersen said.

At UMBC, the campus network scans each student's computer at every logon. Starting this fall, "we're expanding the list of things we're looking for," Suess said. The school will probably also require all students to install the brand of anti-virus software the university has site-licensed, rather than any programs they choose. "With our version, we know we can push out updates when a new virus comes out and quickly get it distributed to the faculty and staff. We really need to control that for students as well.

"A year ago, we would have said we try to give people as much choice as they can have," Suess continued. "But we're coming to the realization that their choices are really impacting our network."

Although it doesn't scan as often as UMBC, Indiana University is also implementing more aggressive security measures for students' computers. At the start of a semester, resident students must run a CD the university provides to configure their machines. "It turns the firewall on, checks for certain flaws on the computer, applies patches -- it does all sorts of things," Bruhn said. Several computer-savvy students are assigned to each to provide peer-to-peer technical support, including help with configuring security software.

Those machines undergo a scan when students register them on the network at the start of each semester. In the past, whenever the campus was hit with a cyber-attack, the network canceled those registrations, requiring students to sign on again and have their computers freshly scanned. "But obviously you don't want to do that too often, because it does become an extreme inconvenience," Bruhn said. Instead, administrators are devising a way to scan residents' computers periodically, in a manner that stays transparent to the student unless the scan detects a problem.

Meet, Greet, Educate
IT administrators also work to educate the campus community about safe computing. At Notre Dame, for example, members of the IT security office greet each freshman class with information and tools to help them guard against cyber-attacks. Among those tools is an anti-virus program covered by a campuswide site license. Students are not required to use the program, said Wishon, but almost 100 percent do. Also, more than 90 percent of incoming students sign up for an optional cyber-security course during the first week of classes, he said. This course has also proven popular among faculty and staff.

Along with formal educational programs, widespread publicity about cyber-attacks in the past few years has helped build support for security initiatives among faculty, department chairs and deans, Wishon said. Such support makes it easier to implement security measures, even when they affect researchers' work. "They recognize that not only is the research material the researcher may have worked on for years at risk, but so are the computing assets themselves," he said. "Certainly the awareness of the risk has increased, and it has changed the nature of the conversation at many universities today."

UT Austin's cyber-security education program includes training for tech support within academic departments, Updegrove said. His staff also encourages departments to let information technology experts care for their specialized computer systems. This, they say, will keep their systems safe, and free up physics professors and grad students, for example, to concentrate on physics. "We have secure, locked data centers, and we can provide racks to mount the high-energy physics computer, and we can have our technical staff configure, operate and back them up," Updegrove said. "Some think it's a terrific idea. Others are not so sure they want to give up that much control or pay for that."

Firewall Flexibility
To ensure the open pathways researchers need, while better protecting all computers on campus, security specialists at UMBC may soon revamp the school's security architecture. The plan is to protect the network with restrictive firewall policies, and allow faculty and departments that need fewer restrictions to remain outside the firewall, Suess said. If 400 computers need freer access to the outside world, it's better to carefully monitor traffic to and from that group than to put 4,000 computers at risk with open pathways their users don't require, he said.

Indiana University also works to balance the need for tight security and collaboration. The university system will soon implement a firewall on its network's perimeter for the first time, Bruhn said. Security staff meet with faculty from every department to learn their requirements, to make sure the firewall they design does not impede anyone's research.

Some departments might have to change certain procedures and protocols to accommodate new security measures, Bruhn said, but some changes may be impossible. "Obviously we'll have to take that into account. But if there's a different way to do it so we don't have to adjust the rules just for that particular case, that's probably going to happen."

Intrusion detection systems, which monitor the network for unusual traffic patterns, offer another layer of defense against cyber-attacks. They are just as useful for finding compromised computers within the campus network as they are for identifying attacks from the outside, said Updegrove. "In many cases, the first and best indication that a computer is in trouble is that it is emitting or attracting a lot more traffic than it should." The network can then alert users to the problem and tell them to get help.
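The traffic-volume signal Updegrove describes, sketched as an added example (not from the article or any university's tooling): each campus host's hourly bytes sent plus received are compared with that host's own median baseline, so a host that is always busy is not flagged but a quiet one that suddenly bursts is. The flow records, host names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (hour, src, dst, bytes). All names invented.
CAMPUS = {"dorm-17", "dorm-22", "lab-03"}
FLOWS = (
    [(h, "dorm-17", "web", 40_000 + 1_000 * h) for h in range(6)]
    + [(h, "lab-03", "mirror", 900_000 + 5_000 * (h % 2)) for h in range(6)]
    + [(h, "web", "dorm-22", 30_000) for h in range(6)]
    + [
        (6, "dorm-17", "web", 46_000),       # ordinary hour
        (6, "lab-03", "mirror", 905_000),    # heavy, but normal for this host
        (6, "dorm-22", "ext-a", 2_500_000),  # sudden outbound burst
        (6, "dorm-22", "ext-b", 2_400_000),
    ]
)

def hourly_volume(flows, campus):
    """Bytes emitted plus bytes attracted, per campus host per hour."""
    vol = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, nbytes in flows:
        for host in (src, dst):
            if host in campus:
                vol[host][hour] += nbytes
    return vol

def flag_hosts(flows, campus, current_hour, k=6.0, min_history=4):
    """Return {host: (baseline, current)} for hosts far above their own norm."""
    if current_hour < min_history:
        return {}  # too little history to call anything unusual
    alerts = {}
    for host, by_hour in hourly_volume(flows, campus).items():
        history = [by_hour.get(h, 0) for h in range(current_hour)]
        now = by_hour.get(current_hour, 0)
        base = median(history)
        mad = median([abs(v - base) for v in history])
        # Floor the spread so a perfectly flat baseline does not alert on noise.
        spread = max(mad, 0.05 * base, 1_000)
        if now > base + k * spread:
            alerts[host] = (base, now)
    return alerts

if __name__ == "__main__":
    for host, (base, now) in flag_hosts(FLOWS, CAMPUS, current_hour=6).items():
        print(f"{host}: baseline {base:.0f} B/h, current {now} B/h")
```
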

Four Goals
Suess and Wishon co-chair the EDUCAUSE Security Task Force, to which Updegrove and Bruhn also belong. To help colleges and universities across the country better meet cyber-security challenges, they and their fellow members pursue four broad goals, Petersen said. One is promoting education and awareness, especially among senior executives on campus. "We're trying to bring to the attention of higher-education administrators the urgency and importance of cyber-security. It's not something they've needed to think much about before."

The second goal is to help educational institutions develop, promote and enforce policies that lead to better security. The third is to help schools reorganize their information infrastructures to make them safer, and help them implement better cyber-security tools. Finally, the task force tries to organize cyber-security professionals in higher education to share information. One recent initiative in that area was the Security Professionals Workshop EDUCAUSE sponsored in May 2003 in Washington, D.C., which proved so popular that it sold out a month in advance, Petersen said.

How Schools Share
Many colleges and universities already share information about cyber-security among themselves, as well as with government organizations. For example, EDUCAUSE and other groups maintain online mailing lists where security officers in higher education share information in real time about unusual activity on their networks, said Suess.

The Security Task Force works with Indiana University to establish the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), one of a series of ISACs formed in different industries to spread warnings about cyber-attacks. Indiana University is well positioned to run the REN-ISAC, Petersen said, because it operates Abilene, the network that supports the Internet2 research and development consortium. More than 200 research universities belong to Internet2, and staff who operate Abilene can monitor their traffic across that network for unusual behavior.

Different campuses in a state university system often share information about best practices and new security threats. Cyber-security officers from the University System of Maryland meet monthly, Suess said. They also use an Internet mailing list to discuss issues that apply to all of their campuses, such as how to comply with state cyber-security policies.

Information security officers from the UT's nine campuses and six health institutions meet four times a year to share best practices, Updegrove said. They also share warnings and queries about unusual behavior on campus networks via a mailing list.

Notre Dame is a private university, but its security officials work with other educational institutions in Indiana, especially Indiana University and Purdue, Wishon said. Earlier this year, Indiana University sponsored a statewide higher-education security summit, he said.

"We also had conversations with the CIO of Indiana [Laura Larimer] about ways to improve collaboration between the state and higher education in communicating about security issues, and in developing recommendations for state government as well," Wishon added.

Like their counterparts at Notre Dame, security officials at Indiana University also recently started talking with Indiana's CIO. "We're going to have more communications with her," Bruhn said. "We've communicated with a couple of the technical staff in the Information Technology Department of the state of Indiana, and they've shared some materials they wanted us to look at to improve their antivirus situation, but not extensively. I think that's a mistake, and I think we're going to fix that."

At UT Austin, Updegrove said, a statute requires the university to provide the state Department of Information Resources with monthly reports. The flow of useful cyber-security information doesn't run in both directions, he added. "I don't have a sense that we learn too much from the agencies because, to oversimplify, the agencies are running rather plain vanilla IT organizations from 8 to 5. And we are running a much more heterogeneous environment 24/7. So we are much more likely to see problems first, and have responded to them and reported the results before the public agencies are back at the office the next morning."

Merrill Douglas, Contributing Writer