This article was published in CAUSE/EFFECT journal, Volume 22 Number 2 1999. Copyright EDUCAUSE. See http://www.educause.edu/copyright for additional copyright information.
Readers Respond
Question:
What are some of the tools, techniques, processes, and policy mechanisms your organization is using to address the challenge of securing your campus network resources? Please include information about incident response mechanisms and how you have staffed this function, and provide URLs for any campus documents or Web sites describing your activities or policies that you think would be helpful to your colleagues.Your readers may enjoy the analysis of computer security at Concordia University in Montreal, Quebec, Canada, which is on the Web at http://alcor.concordia.ca/~anne/security-report/.
Anne Bennett
Senior Analyst, IITS
[email protected]
Information technology (IT) security is a hot topic at the University of Michigan. We have a diverse computing environment, managed by many different campus organizations, each with different needs and security requirements. Hence, a �one size fits all� solution is not appropriate for our environment. However, a recent initiative by Dr. Jose Marie-Griffiths, University of Michigan�s chief information officer, has created an IT federation, with representation from the major IT stakeholders, to coordinate cooperative efforts and work together on common issues, including security.
A key value that we hold as an institution is that academic computing must support the academic mission of the university. Thus, our academic networks need to be open and fairly unrestricted. We don�t deploy network security mechanisms like firewalls but instead concentrate our efforts on host security, which secures individual computers as users log on. Three of the major IT providers on campus--including the Information Technology Division (ITD), the College of Engineering�s Computer-Aided Engineering Network (CAEN), and the College of Literature, Sciences and the Arts (LS&A)--all support UNIX computing environments for use by faculty, students, and staff. We use the AFS distributed file system. With AFS, an individual must be verified as an eligible user before access is granted. AFS is tightly integrated with Kerberos security for authentication. Although we have integrated Kerberos into our own applications (for example, Directory Service clients), we still suffer from the lack of Kerberos support in vendor software products. We encourage the use of encrypted telnet and SSH and SSL (programs similar to telnet with encrypted security) to reduce the use of clear-text passwords on the network. We are beginning to recommend only client software that uses encrypted passwords. Our UNIX servers typically use TCP wrappers (software that limits and logs inbound connections) and software that records the servers� activity and accounting data to a secure central host. Many of these machines are configured using a software distribution tool that automatically updates all system software nightly, allowing us to make improvements by centrally installing patches, which are then pushed to each local machine. Several campus IT providers are also evaluating the Network Flight Recorder (NFR) intrusion-detection system for monitoring network traffic to detect possible break-in attempts.
Administrative computing (payroll, grades, medical records, and so forth) can and does take a more corporate approach to IT security. Sensitive data repositories are less likely to be directly connected to the network, but when they are connected, they are typically integrated with commercial off-the-shelf firewalls, intrusion-detection systems, and authentication systems.
An important part of our security plan is to establish policy that defines acceptable use of computing resources. The Office of Policy Development and Education (OPDE), within the Office of the Chief Information Officer of the university, has been leading this effort for several years. OPDE has been instrumental in developing policies that address the proper use of computing resources, privacy of e-mail, and password security (see http://www.umich.edu/~policies/). Efforts currently under way include policies on logging and monitoring networks, authenticated access to networks, and encryption and use of digital signatures.
OPDE also coordinates a host scanning service using the ISS Internet scanner. This service offers scanning of college and departmental networks; identification of low-, medium-, and high-risk vulnerabilities; and specification of the needed fixes. The service provides one-to-one consultation with system administrators about security matters and the scan results. This scanning service has been well received by campus system administrators. They have responded to the information provided by the scans and have effectively achieved an 84 percent reduction in high-risk vulnerability.
At the University of Michigan, we employ an Information Technology User Advocate group that coordinates, investigates, and responds to the majority of the IT-related incidents on campus (see http://www.umich.edu/~itua/). The User Advocates are the liaisons for policy issues and violations. In addition, we�ve established a Security Round Table that involves system administrators, law enforcement officers, attorneys, and Secret Service and FBI agents. It is important that we openly communicate with each other to prevent barriers to good management of the increasingly difficult security incidents at colleges and universities.
With the direction of the Information Technology Security Education and Coordinated University Response (ITSECUR) team (a group established to look at security at the university), OPDE has developed and widely disseminated educational efforts to help raise awareness of password security issues and of electronic communications �netiquette� issues.
Finally, the university community receives anti-virus advice and software through the Virus Busters (see http://www.itd.umich.edu/virusbusters/), a group dedicated to helping provide an environment secure from computer virus attacks.
Lee Pearson
Senior Technologist
Product Development and Deployment
Information Technology Division
[email protected]Virginia Rezmierski
Director
Office of Policy Development and Education
[email protected]In April, 1999, I took a position as a security analyst in the department of information technology planning at James Madison University. My first project has been to design and implement a security awareness program for the entire campus. The first section of the program was a web-based educational piece that had to be in place before the beginning of freshmen orientation on July 1. More than 3,700 users of the system have already been through the training. The site can be viewed by selecting the "Activate or Change your Electronic ID password" option at http://www.jmu.edu/accounts/.
We developed this site under the university mandate and under intense pressure to finish under deadline and, while we have been pleased to receive generally very favorable feedback, we were working without any knowledge of what other universities are implementing in security awareness, what is working well and what is not. I am hoping that you will entertain a Reader Response question in CAUSE/EFFECT to initiate a conversation about security awareness intitiatives and their effectiveness.
Lori Dixon
Information Security Analyst
[email protected]