Imagine a world in which 3,000 end users showed up at work with their own PCs. Then imagine you were told you had no control over those desktops and laptops -- their brand, the applications on them, their histories -- but you better make sure both the end users and the company network remained secure.
For CIOs and security administrators in academia today, that's a fact of life. Competition for college applicants is fierce, and high-end technology, including bountiful wireless access, is a key selling point.
It doesn't take an advanced degree to realize the many security challenges posed by wireless technology. Hundreds, even thousands, of machines seek access to college networks each day. End users' roles and privileges vary widely, and unlike businesses, colleges are generally expected to provide at least some network access for all.
An Insider View: From Near Chaos to a Culture of Security at Dartmouth
True story: When I arrived at Dartmouth College a little more than 2 1/2 years ago, the college had just one protected subnet for critical business systems that was secured with a firewall. As at most colleges and universities, almost every other system was directly connected to the Internet and thus unprotected, unless its respective owners had the security savvy to protect it somehow.
Though there hadn't been any confirmed data thefts, the warning bell had sounded a couple of times. When the Welchia/Nachia worm hit, it managed to compromise at least 2,000 systems on our network, generated significant traffic, caused major network and application availability issues and took several months to clean up.
In another incident, we discovered some nefarious activity while doing routine network traffic analysis. Some outside attackers had co-opted two development servers and turned them into file-sharing nodes. At the peak, these servers were using 20-30 Mbps of our Internet link. We had recently purchased bigger pipes, which these systems quickly tried to consume.
Even worse, one of the co-opted file-sharing nodes had a trust relationship with several other systems containing sensitive data. While the intent of the attackers was clearly illicit file sharing, the possibility of data theft was a warning shot across the bow.
Dartmouth had tried to address campus-wide IT security several times over the years. Committees had been formed, and they produced many excellent recommendations. Unfortunately, these recommendations were applied on an ad hoc, department-by-department basis. It became clear that an organized, sustainable, campus-wide initiative was needed.
APPLYING CORPORATE TECHNIQUES
The Welchia/Nachia worm and the potential data breach had been blessings in disguise. They got everyone's attention and provided the incentive to take action. Still, it took us almost three months to agree that we should automatically and dynamically block misbehaving systems. That was our first major step forward.
Since then we've worked hard to implement our security proposal. We're pushing security out to the edge, directly in front of the host as much as possible. We've hardened clients and servers; moved scattered servers into a centrally controlled, physically secured area; installed host-based security agents; implemented several layers of firewalling, intrusion detection and prevention; and added encryption, VPNs, protected networks and private network addressing where appropriate.
We recommend that everyone run antivirus and antispyware tools on a regular basis. And in the future, we'll use security agents to limit access to critical networks and systems, rejecting access to systems that haven't run antivirus and anti-spyware tools regularly.
We have also enabled wireless access and security in all 200-plus buildings on campus. As of mid-summer, we had more than 800 of 1,500-plus access points installed, and we plan to have the rest completed soon. In the end, we will have full-rate A/B/G coverage in every building on campus with at least three tiers of authenticated and secured network access.
Our IT structure is decentralized. We have more than 80 people in IT, and almost everyone has some level of security awareness, with many people performing some security functions. We just got funding for three dedicated security positions. They will be part of the new security office we recommended as part of our comprehensive security proposal. They will focus on policy and compliance and work with the functional IT people to do security well and consistently across all groups. Our budget will be more than $1 million a year for the first few years.
We've come a long way. We have figured out much of the technology side, and now our new security office will build security into the culture. I'm really proud of what we have accomplished, though there is still plenty to do.
-- Jason Jeffords is director of security services at Dartmouth College in Hanover, N.H. Write to him at InsiderView@ciodecisions.com.
Moreover, the egalitarian tradition of universities and colleges demands that institutions accept a variety of hardware platforms and software. "A lot of the machines [used to access college networks] aren't owned by the university," says Jack Suess, CIO at the University of Maryland, Baltimore County, and co-chair of the Security Task Force of Educause, a Boulder, Colo., nonprofit advocacy group for the strategic use of IT in higher education. "Essentially, we're not allowed to standardize."
In addition, the academic community has a strong tradition of wide-open information sharing, which is good for the educational process but hell on CIOs. "Students, researchers and faculty want to do whatever they want to do," says Nathan Hall, IT security administrator at the State University of New York (SUNY) College at Oneonta. "We need to be open but secure, and every week there's a new question" about how those demands can be reconciled.
Clearly, security is a hot topic on campus, and with good reason. In Educause's "2005 Current Issues Survey," university technology executives declared "security and identity management" their second most important long-term strategic issue (behind funding, the perennial winner). It was also at the very top of the list of issues with the "potential to become more significant." However, in a disconnect that may help explain why security is such a pressing problem, respondents ranked security only sixth on the list of issues they spend time on.
CIOs at midsized colleges are devoting the lion's share of their security attention to authentication. According to Educause, 73% of institutions have adopted multiple-use passwords, which are entered each time a user logs on. Many have also implemented a "quarantine" strategy that offers limited Internet access to virtually any user in the geographic area. This allows colleges and universities to meet public-service and openness expectations while protecting their networks.
One such institution is Seminole Community College in Sanford, Fla., which has several campuses as much as 22 miles apart. Any one of Seminole's 32,000 students and 175 faculty members can get basic Internet access, but they must establish an account using Novell NDS if they want to enjoy all network services.
Those simply seeking bare-bones Internet access are "connected to a separate VLAN [virtual local area network] that will only connect you to the Internet and meter your bandwidth," says Seminole CIO and Vice President Dick Hamann. If a hacker eschews registration and tries to attack the campus network, "I can't ID them," Hamann says, "but at least they're outside our firewall."
Both SUNY Oneonta and Ohio Wesleyan University in Delaware, Ohio, use an appliance from Burlington, Mass.-based Bluesocket Inc. for authentication. The device sits between the data source and the campus' wired network and manages security via a single university-wide ID and password. Jason LaMar, IT director at Ohio Wesleyan, says this single login and the ability to easily add and drop users were the product's primary appeals.
Focus On: Higher Education
Top Business Challenge: Wooing tech-happy students while safeguarding data.
Solution: Securing wireless and wired networks via authentication and encryption.
How IT Can Help: Appliances and newer standards make a difference, but many colleges are slow to implement them.
Wireless Encryption Lags
While 88% of the colleges and universities in Educause's survey offer wireless technology, few secure data flow through encryption. In fact, only 32% of midsized colleges use encryption at all (see "Lagging Behind Industry"). That can be risky when a college admits wireless devices to its network. "We're not encrypting wireless traffic," SUNY Oneonta's Hall says. "We're assuming most of that traffic takes place over encrypted network connections." The college does encrypt hard-wired traffic.
With about 1,900 students, Ohio Wesleyan uses the 128-bit Wired Equivalent Privacy (WEP) protocol to encrypt data transmissions between the school's Cisco 1200 wireless access points and users. LaMar says he understands that WEP isn't as sturdy as the up-and-coming Wi-Fi Protected Access (WPA) standard. "Lately people have been brute-force-cracking WEP," he concedes. "But you're always balancing what you'd like to do with what's feasible," given budgets, user acceptance and the maturity of standards.
According to Stamford, Conn.-based Gartner Inc. analyst Peter Firstbrook, universities ought to place a much heavier emphasis on encryption. "WEP is trivial to crack now," Firstbrook says. Though upgrading to WPA is "a significant rip-and-replace" that could cost a typical midsized college at least $100,000, Firstbrook says it's an important security upgrade that at the very least should be on the IT budget road map.
Colleges protected only by WEP may be sitting ducks for so-called evil twin attacks. Such assaults are expected to be popular in university environments, Firstbrook says, because they are "relatively intellectually stimulating for hackers." In an evil twin attack, a hacker uses a laptop, a wireless card and easily accessed software to create a bogus access point that imitates a legitimate one. While victims believe they are logging on to the campus network, they're actually falling for the attacker's trap. "Now the hacker is sitting in the middle and can do a bunch of things," Firstbrook says, such as steal personal information.
To defend against such attacks, colleges must actively search their airspace regularly for rogue access points. Products that perform this function are available from large networking vendors such as Cisco Systems Inc., and from specialists like Alpharetta, Ga.-based AirDefense Inc. But analysts say few college IT organizations are using these tools.
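The airspace check described above, sketched as an added example (not from the article or from any vendor product named in it): beacons seen in a wireless survey are compared against the inventory of deployed access points. The SSID "CampusNet", the BSSIDs, the inventory and the scan results are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # radio MAC address of the access point
    channel: int
    security: str   # "OPEN", "WEP" or "WPA" as advertised

# Constructed inventory of deployed access points, keyed by lower-case BSSID.
AUTHORIZED = {
    "02:00:00:00:00:01": {"ssid": "CampusNet", "channel": 1, "security": "WPA"},
    "02:00:00:00:00:02": {"ssid": "CampusNet", "channel": 6, "security": "WPA"},
}
CAMPUS_SSIDS = {"CampusNet"}

def classify(beacon, inventory=AUTHORIZED, campus_ssids=CAMPUS_SSIDS):
    """Return a verdict for one observed beacon."""
    known = inventory.get(beacon.bssid.lower())
    if known is None:
        # Campus network name on a radio we never deployed: evil-twin pattern.
        if beacon.ssid in campus_ssids:
            return "evil-twin-suspect"
        # Unrelated name: a neighbour or an unapproved AP; needs a site check.
        return "unknown-ap"
    # A BSSID can be copied, so a known radio must also match its record.
    fields = ("ssid", "channel", "security")
    if any(getattr(beacon, f) != known[f] for f in fields):
        return "inventory-mismatch"
    return "authorized"

def survey(beacons):
    """Group every non-authorized BSSID by verdict."""
    findings = {}
    for b in beacons:
        verdict = classify(b)
        if verdict != "authorized":
            findings.setdefault(verdict, []).append(b.bssid.lower())
    return findings

# Constructed survey output for one building.
SAMPLE_SCAN = [
    Beacon("CampusNet", "02:00:00:00:00:01", 1, "WPA"),
    Beacon("CampusNet", "02:00:00:00:0A:FF", 6, "OPEN"),
    Beacon("CampusNet", "02:00:00:00:00:02", 11, "WPA"),
    Beacon("DormRouter", "02:00:00:00:0B:10", 11, "WEP"),
]

if __name__ == "__main__":
    for verdict, bssids in survey(SAMPLE_SCAN).items():
        print(verdict, bssids)
```

The inventory-mismatch case matters because matching on BSSID alone would pass an imitation that copies a legitimate radio's address but appears on a different channel or with weaker security.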
While security inevitably falls to CIOs and their IT organizations, "the clients have a responsibility too," notes Ken Dunham, a director at security-analysis firm iDEFENSE Inc. in Reston, Va. "Through policies, you've got to educate end users on basic wireless best practices, especially in a university." Indeed, as some recent identity-theft cases have made clear, institutions of higher learning possess an astonishing quantity of information on faculty, students and alums. Today, safeguarding that data is more important than ever -- and more difficult.
Steve Ulfelder was a senior features writer at CIO Decisions. To comment on this story, email firstname.lastname@example.org.