Information Security – Everyone is responsible!

Summer is winding down and we have already begun seeing increased activity in the College. Preparations are underway for the orientation for students and new faculty. Several of us have been in conversations with some of the new faculty. They are some of the most technologically savvy and need computing power beyond the usual laptops. It is encouraging to see that the requirement for high-end technology is no longer dependent on discipline. Faculty from all disciplines seem to need it.

In a bit of shameless self-promotion, please watch my participation in a discussion about MOOCs with the Chairman of edX, Anant Agarwal, on NECN CEO Corner.

I am sure that many of you read this in the NY Times: “Universities Face a Rising Barrage of Cyberattacks”. If you haven’t, you must read this. In the early stages of the internet, the technologies were also evolving and all of us faced attacks; our networks were penetrated and were used for activities such as storing and sharing large image and video files. Warez was one such common activity. I distinctly remember watching a perpetrator’s every keystroke when we were trying to track down what was going on. It was from Australia and I called the ISP, who basically told me that they were helpless to do anything but temporarily suspend the account. Of course, in the heat of the moment, I was asking a lot more of them! As soon as I put the phone down, the keystrokes disappeared!

These problems have gotten much worse and far more serious than stealing file storage. Trying to guard information has become expensive. But most importantly, IT professionals alone cannot be responsible for information security.

Typical techniques for invading a network involve scanning for the existence of known vulnerabilities and exploiting one or more of these to gain access to the network. Once this step is completed, significant damage is done. With limited resources, we try to do the best we can to protect our networks. However, as I have written before, we rely on a whole lot of other products, ranging from network operating systems to a multitude of hardware and software. Even for a small College like Wellesley, you will be surprised by the portfolio of products we have to support. We rely on the vendors to detect and plug the vulnerabilities. There are also many others who, when they detect a vulnerability, inform the vendor. Then there are security firms who have dedicated teams looking for vulnerabilities and inform the vendors silently to resolve them. eEye used to do this much more early on and you can see what they discovered here.

This method of invasion still continues, except that it is much more automated. With increasing computing power and network speeds, using a set of automated tools referred to as Bots, one can easily find the vulnerable sites. There are various communities of hackers who then share the information found, typically to take collective action. As you can see in the Wikipedia article, there are classifications of hackers (such as white hat, black hat, grey hat etc.) based on their intent. Some law enforcement agencies monitor the channels where the hackers discuss vulnerabilities and, if what they find is damaging, they contact the organization to inform it of the chatter. Here is a link to some of the known hacker groups, though there are many that no one knows about. You all have heard of WikiLeaks, where the source of information is anonymous and much of the information is the result of compromised networks.

It is impossible to cover the landscape of the threat facing us, but I have just quickly highlighted a few things that came to mind. EDUCAUSE Cybersecurity Initiative, Internet2 resources on best practices while traveling abroad, and CERT at Carnegie Mellon University are some of the excellent resources for those interested in learning about this topic further. These are resources that are for the higher ed community and therefore more relevant.

In this well-connected, networked world, needing access to information from wherever and whenever has become the norm. We respect the convenience factor and also realize that this increases productivity. However, when information, especially sensitive information, is accessed this way, those who have access to such information have tremendous responsibilities and are our partners in trying to protect the information as well as access to our networks. Of course, not everyone is tech savvy, so we need to make sure we explain these best practices in simple terms. But the challenge is that this is a fast-changing landscape. Users sometimes complain that they have to unlearn what they just learned and do things differently. Unfortunately, in many cases this is true and, believe me, this is not because this is how we want to do business. It is a necessity.

First off, no one will argue that security best practices help everyone. Who wants to have a vulnerable home network through which a hacker can access their personal information? Well, sometimes I am shocked to hear “I don’t care, what information do I have that they care about?” Unfortunately, it is no longer one’s own information that a hacker may or may not care about! As a member of the community, any compromised device of one person is a pathway to accessing data belonging to others. This point is not obvious to many and we need to keep stressing this.

We have a strong program on security best practices and I encourage you all to inquire about it and take it. Simple steps will go a long way: having a strong password (I know that you are tired of hearing it), never sharing work-related passwords with friends, family and coworkers, making sure you apply all the operating system, virus and malware protection updates, getting advice from a professional to make sure that your home network is adequately protected and, above all, not sharing passwords with ANYONE who is asking for them through a phishing email or over the phone.

So, please, partner with us to help in trying to protect both your information and the community members’. Understand that this is really not us wanting to make your life harder than it needs to be.

 
