http://www.thevistaonline.com/news/2008/06/05/News/It.Staff.Keeps.Tabs.On.Internet.Security-3379106.shtml

By Nelson Solomon
The Vista Online
6/5/08

Until four years ago, there was no one on the Information Technology department staff whose primary focus was server security, according to Dr. Cynthia Rolfe, vice president of Information Technology.

"There was network security, but not server security," she said.

Today, the department has three people who constantly watch for unusual activity on the servers.

"They know what's going on with each of their servers and if they see something, that'll raise a red flag and they'll investigate," she said.

"We are required by federal law to educate our employees about security and privacy policies of the university," she said.

The issue came to the forefront when a breach of an Oklahoma State University parking server was disclosed on May 15 in The Daily O'Collegian. The breach affected 70,000 students, faculty and staff who purchased a parking pass between July 2002 and March 2008.

The illegal access was limited to the parking and transit server, which housed a database that contained confidential information including names, addresses and social security numbers of OSU students, faculty and staff, according to the May 15 web story.

University officials said in a statement that they believe "the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content," but their investigators are unsure, the story said.

In the 11 years since Rolfe has been at UCO there has not been a major security breach involving personal information of students, faculty and staff.

"The only issue since I've been here was by human action rather than from a security breach," she said.

Rolfe pointed out that "in today's world of privacy and security and confidentiality, most of your problems are still going to come from human error."

Rolfe described a case in which an employee who had high-level access shared their password with a temporary employee. When the temporary employee left, they didn't change their password. As a result, the temporary employee could get in and "do some things."

"The way we combat that now is really through education. We use October, which is National Cyber Security Awareness Month, to do our education," she said.

Rolfe said that for students who wonder about the safety of their records, "your records are as safe as they can be."

"I will never be one to say, 100 percent there's no way, because that's just unrealistic. We take every precaution we can and we constantly monitor the systems in an effort to keep all data safe and secure," she said.

The Gramm-Leach-Bliley Act of 1999 is what requires this education of employees, Rolfe said.

"The only truly secure computer is one that is not connected to a domain or to the Internet or turned off," Rolfe said.

"What you do in an IT department is, to the best of your ability, lock down your servers to secure the system to keep your data private," she said.

There are a number of ways data is kept private, including using applications that encrypt information that is considered confidential and running logs on the server as a mitigating measure, Rolfe said.

"Every day, someone who is responsible for a particular system will review the logs at least once during the day and determine if there is any unusual activity," Rolfe said.

The department uses firewalls and scans the server and network frequently, she said.

"Relative to viruses, trojans and worms that are known, we do three levels of error checking. We check at the firewall, at the server and the desktop," she said. "Most of that kind of activity is caught at one of those levels."

However, Rolfe said there are individuals who "sit in their rooms somewhere and all day, figure out how to break into other systems."

"The best we can do is put in our own preventative measures and then watch for it. If we see unusual activity on the network or on the server, then we'll usually stop whatever we're doing and investigate that activity," she said.

Rolfe mentioned an example of the department's actions when a problem is seen on a server.

"On our last internal scan, we found a server that appeared to have some passwords that were in clear text. The server did not appear to be compromised, but we still took it offline until we could investigate," she said. "We don't want to get into the situation if we can at all avoid it."

She said the department spoke with the server's administrator and worked the situation out, cleaning that server.

"That's our process. If we see something, we deal with it immediately."

Rolfe said a number of times what seems to be an issue "is nothing. But we don't know that until we investigate."

Regarding how long the university keeps parking records and other files, the state of Oklahoma has a Records Retention Act.

"Each entity that owns data has to tell us to store the data for the amount of time that the state involves," she said. "And that's different in different cases."

Even though the process of preventing breaches sounds simple, Rolfe said there are many complications.

"There are so many different kinds of attacks that you could get, and there are so many people attacking for different reasons," she said.

Some people attack a server just to see if they can get in, for the challenge involved.

Rolfe mentioned the vulnerability of universities to programmers interested in hacking.

"Universities are targeted at a higher level than other servers because universities have more open systems just by the nature of our business," she said.

Students are on the campus to learn, so the systems are mostly open for them to do coursework.

"However, in a corporate environment, everything would be locked down.
You wouldn't be able to load things onto your own machine. You'd have to make a request to load something," she said.

"We don't block the Internet like corporations do, so that makes us a lot more vulnerable," she said.

Rolfe said a lot of hackers and crackers will try to get on a university system and just use the server to do other work, "because there's a higher bandwidth than a corporation server."

She mentioned that "people need to understand that when you put information out there, there's always a risk."

Copyright 2008 The Vista