Educause Security Discussion mailing list archives
Re: SECURITY Listserv Instructions and ParticipationGuidelines
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Wed, 3 Jul 2002 14:25:38 -0400
The following appeared in the Network World Fusion Security Newsletter today and can only reinforce in the mind of the public that 'Universities are the worst-secured component of the American economy' which I don't believe is entirely true (there are plenty of companies of different sizes with poor IT security as well as many individuals -- such as a large number of high speed Cable/DSL Internet users). - H. Morrow Long University Information Security Officer Yale Univ., ITS, Dir. InfoSec Office Today's focus: White House's call to universities By M.E. Kabay Last time, I started to relay the recent comments of Dick Clarke, special advisor to the president on cyberspace security. In his lecture at the Sixth National Colloquium on Information Systems Security Education, he talked about the role of academia in security. Clarke said: "The national infrastructure protection plan is being written not by bureaucrats but rather by the people in the private sector, universities and state and local governments who are experts in their section of the critical infrastructure. We have asked higher education to participate in this effort. First, help us design the research projects. We inherited the Internet, which does not incorporate security features. We don't have to accept it as it is; we can rebuild it. We need secure operating systems; Bill Gates says he will devote the resources of this enormous corporation to developing a security operating system. We need redesigned routers. In a billion-node Internet, do we still want to use TCP/IP? Today's wireless protocols? So one of the elements of the national plan is a research agenda. "The second thing we need from the academic sector is to teach. We have an entire generation of computer users who, in the absence of security education, will continue to make their parents' mistakes. We will have about 450 cybercorps scholarship recipients next year; we need 10 times that number. We need evidence that the program is effective. We're looking forward to approval of the Congress for $19 billion in increased scholarships." Finally, Clarke called for a radical improvement in university computer security: "The third element is securing the universities' own networks, which are the major source of hack attacks today - probably three-quarters of the total number of attacks. The attacks may not originate there, but most of them jump through them. Perhaps because of a distorted sense of academic freedom, universities do not in general apply strong security measures to their own systems. These enormous networks will continue to be hosts for attacks by hackers and, perhaps, terrorists. Those of you teaching security in universities need to champion security in your own organizations. If the university is a launching pad for attacks, it may cause hundreds of millions of dollars of damage to the national economy." Clarke announced that his office has supported setting up an association of university presidents and that he thinks that spending on university security is only 10% of what it should be. He said, "We need to change universities so that they are no longer the worst-secured component of the American economy." * * * As a university professor, I can affirm that academics are often among the worst violators of what one would think were common-sense rules for protecting information. In a number of institutions, I have seen professors repeatedly leave their office doors open and their laptop computers logged on without any kind of protection - sometimes for hours at a time. Honor code or not, the temptation to students to modify their own grades (and, as camouflage, the grades of some of their peers) must be intense. It's clear that universities, like any other organizations wishing to be good Internet participants, should implement at least the following principles for their networks: * Firewalls should be configured for egress filtering that prevents all TCP/IP packets with forged origination addresses from leaving the system. * Firewalls should forbid entry of all packets with forged origination addresses within the university's own IP address space. * All SMTP servers should be configured to prevent spam relays through those points. * Some specific individual(s) should be explicitly responsible for monitoring appropriate resources (e.g., CERT/CC alerts or the ICAT Metabase/Common Vulnerabilities and Exposures database) and patching critical vulnerabilities as appropriate. As for monitoring and controlling staff, student and faculty use of university computers (university property, after all), discussion groups abound with what seems to me to be denial of the problems caused by irresponsible use of the Internet. Preventing or punishing users for trafficking in stolen music and software, downloading or uploading pornography, or writing scurrilous postings to Usenet groups using their university- assigned e-mail identities are perceived by some in the university community as unacceptable limitations on speech. But this topic is so vast that I will reserve a detailed exploration for a possible later series of articles. ______________________________________________________________ To contact M. E. Kabay: Check out the new "Computer Security Handbook, 4th Edition" edited by Seymour Bosworth and Michel E. Kabay; Wiley (New York), ISBN 0-4714-1258-9. Available now at your technical bookstore or visit Amazon at: http://www.amazon.com/exec/obidos/ASIN/0471412589/tag=fusion0e M. E. Kabay, Ph.D., CISSP is Associate Professor of Information Assurance in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail at mailto:mkabay () compuserve com He invites inquiries about his information security and operations management courses and consulting services. Visit his Web site for papers and course materials on information technology, security and management: http://www2.norwich.edu/mkabay/index.htm _______________________________________________________________ ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/cg.html.
Current thread:
- Re: SECURITY Listserv Instructions and ParticipationGuidelines H. Morrow Long (Jul 03)
- <Possible follow-ups>
- Re: SECURITY Listserv Instructions and ParticipationGuidelines Wayne Wilson (Jul 03)
- Re: SECURITY Listserv Instructions and ParticipationGuidelines Rodney Petersen (Jul 07)
- Re: SECURITY Listserv Instructions and ParticipationGuidelines Randy Marchany (Jul 08)
- Re: SECURITY Listserv Instructions and ParticipationGuidelines Gene Spafford (Jul 08)