The Threat Within Network Security

on November 24, 2008

We've all heard the stories: A college laptop or flash drive containing student or faculty personal information is stolen, leaving thousands of people at risk for identity theft. A student plugs an unprotected laptop into the dorm or classroom connection and infects the entire network. A student downloads a song, or receives an e-mail infected with a virus or worm and brings the school network to a screeching halt.

The U.S. Department of Homeland Security estimates that one-quarter of all cyber-security breaches involve schools. In higher education institutions across the country, laptops, desktops, the Internet and digital audio and video are increasingly integrated into dorm and classroom life. Colleges and universities face a special challenge; their networks must allow students, faculty and staff members anytime access to servers to download and upload files and learning materials. At the same time, this anytime access can leave networks vulnerable to attacks.

The threat from within

Plugging in a laptop or illegally downloading music or videos may lead to unintentional security breaches, but what happens when the school is attacked by one of its own? At Henrico County Public Schools in Virginia, a group of students simultaneously hit the F5 key on their computers to refresh a Web page. This devoured the school's bandwidth and broke the filter, allowing students to view inappropriate Web sites. While this is a K-12 example, instances of internal hacking can be found in higher education institutions across the nation.

In July 2008, a Georgia Highlands College student used a math professor's identity to hack into the school's computer system to change his grades and steal passwords from other users. While on the network, the student had access to the private information of other users connected to the network.

Similarly, two California State University students were arrested for hacking into their professor's computer to change their grades and those of 300 other students. They gained access to the professor's account by answering a routine security question and changing the password.

These internal attacks are more common than one might think. The SANS (SysAdmin, Audit, Network, Security) Institute -- an organization that offers information security training and research -- ranks insider attacks sixth on its "Top 10 Cyber Security Menaces for 2008." Tracy Schroeder, vice president of IT at the University of San Francisco, told EDUCAUSE that her school sees thousands of attack attempts each day, with the most significant hacking coming from the inside -- students who want to "test" the university. The above examples bring to the forefront the stark reality of how easy it can be to access school networks. Answer a simple question, change the password and -- boom -- you're in. It shouldn't be so easy, and most colleges realize that basic antivirus software just won't cut it anymore.

The threats are getting worse

Researchers at the SANS Institute say hackers are increasingly using institutions' Web sites to distribute malware and steal private information. The hackers use insecure Web sites to infect visitors' browsers with viruses, Trojans and keyloggers -- software that invisibly tracks a user's keystrokes. These malicious programs use browser components to install themselves in the browser. As institutions improve their defenses, savvy hackers are turning to new avenues of attack. According to TippingPoint, an intrusion prevention company, the situation is worsened by the shrinking time between the discovery of vulnerabilities and the development of ways to exploit them.

Martin McKeay, network security expert and host of the "Network Security Blog" and "Network Security Podcast," sees virtualization as a potential security threat to all institutions -- including education.

"We don't fully understand all of the security issues that come with virtual computing," he said. "You're taking a process that may not be secure in the first place and adding another layer of vulnerabilities. It's going to be something we really have to worry about."

What schools can do

According to EDUCAUSE's 2008 Current Issues Survey, network security is a "central and acute concern of all IT organizations, no matter their institutions' sizes and missions." The survey says college and university personnel "have a daunting task to ensure the security of information resources while operating within a culture of openness and decentralization. In addition, the changing nature of the threats continues to challenge IT organizations."

Colleges and universities must be sure not to monitor students' Web use or impose unreasonable restrictions on their access. The Internet can be an extraordinary tool for enhancing education, but at the same time, schools are charged with ensuring that their resources are not involved in malicious attacks or other harmful activities and that their confidential school records remain protected.

McKeay said the main thing schools can do to keep their networks and computers safe is to educate the users themselves.

"These users don't understand that these measures are being put into place to protect them," he said. "The main focus should be about educating the users because they're your biggest vulnerability."

Higher education institutions must create the proper blend of policy and tools, beginning with an acceptable-use policy and up-to-date antivirus and anti-spyware software. Colleges and universities need robust and flexible technologies to ensure the security of their networks and private data. According to McKeay, virtualization and data loss (or leak) protection are on the horizon for network security. For now, security solutions should include:

  • Antivirus: computer programs that attempt to identify, neutralize or eliminate malicious software. Most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits and trojan horses, often collectively described as "malware."
  • Anti-spyware: products designed to remove or block spyware.
  • Firewall: a device or set of devices configured to permit, deny, encrypt, decrypt or proxy computer traffic between different security domains based upon a set of rules and other criteria.
  • Intrusion detection and prevention: detecting and preventing actions that attempt to compromise the confidentiality, integrity or availability of a resource.
  • Device control: enables network administrators to centrally control uploading and downloading activity through local computer devices, specifically plug-and-play devices such as USB and flash drives, PDAs and smartphones.
  • Network access control: ensures endpoints comply with the institution's security policy before access to the network is allowed.
  • Incident management: restores normal service operations as quickly as possible and minimizes the impact on business operations. The process of incident management includes incident detection and recording, investigation and diagnosis, and resolution and recovery.

While no school can avoid hacking attempts, by utilizing reliable security and incident management solutions, as well as safeguards that keep data from being altered, destroyed or accessed by unauthorized users, IT staff can proactively protect their campus networks.

*This story is from Converge magazine's Mixed & Mashed 2008 special issue.


You may use or reference this story with attribution and a link to
http://www.convergemag.com/edtech/Threat-Network-Security.html

