[ISN] IT staff keeps tabs on Internet security

From: InfoSec News (alerts@private)
Date: Mon Jun 09 2008 - 02:36:08 PDT


By Nelson Solomon
The Vista Online

Until four years ago, there was no one on the Information Technology 
department staff whose primary focus was server security, according to 
Dr. Cynthia Rolfe, vice president of Information Technology.

"There was network security, but not server security," she said.

Today, the department has three people who constantly watch for unusual 
activity on the servers.

"They know what's going on with each of their servers and if they see 
something, that'll raise a red flag and they'll investigate," she said.

"We are required by federal law to educate our employees about security 
and privacy policies of the university," she said.

The issue came to the forefront when an Oklahoma State University 
parking server breach was disclosed on May 15 in The Daily O'Collegian, 
which affected 70,000 students, faculty and staff who purchased a 
parking pass between July 2002 and March 2008.

The illegal access was limited to the parking and transit server, which 
housed a database that contained confidential information including 
names, addresses and social security numbers of OSU students, faculty 
and staff, according to the May 15 web story.

University officials said in a statement that they believe "the 
intruder's purpose and only action was to use the OSU server for storage 
capacity and bandwidth to upload and distribute illegal and 
inappropriate content," but their investigators are unsure, the story 

In the 11 years since Rolfe has been at UCO there has not been a major 
security breach involving personal information of students, faculty and 

"The only issue since I've been here was by human action rather than 
from a security breach," she said.

Rolfe pointed out that "in today's world of privacy and security and 
confidentiality, most of your problems are still going to come from 
human error."

Rolfe described a case in which an employee who had high-level access 
shared their password with a temporary employee. When the temporary 
employee left, they didn't change their password.

As a result, the temporary employee could get in and "do some things."

"The way we combat that now is really through education. We use October, 
which is National Cyber Security Awareness Month, to do our education," 
she said.

Rolfe said that for students who wonder about the safety of their 
records, "your records are as safe as they can be."

"I will never be one to say, 100 percent there's no way, because that's 
just unrealistic. We take every precaution we can and we constantly 
monitor the systems in an effort to keep all data safe and secure," she 

The Gramm-Leach Bliley Act of 1999 is what requires this education of 
employees, Rolfe said.

"The only truly secure computer is one that is not connected to a domain 
or to the Internet or turned off," Rolfe said.

"What you do in an IT department is, to the best of your ability, lock 
down your servers to secure the system to keep your data private," she 

There are a number of ways data is kept private, including using 
applications that encrypt information that is considered confidential 
and running logs on the server as a mitigating measure, Rolfe said.

"Every day, someone who is responsible for a particular system will 
review the logs at least once during the day and determine if there is 
any unusual activity," Rolfe said.

The department uses firewalls and scans the server and network 
frequently, she said.

"Relative to viruses, trojans and worms that are known, we do three 
levels of error checking. We check at the firewall, at the server and 
the desktop," she said. "Most of that kind of activity is caught at one 
of those levels."

However, Rolfe said there are individuals who "sit in their rooms 
somewhere and all day, figure out how to break into other systems."

"The best we can do is put in our own preventative measures and then 
watch for it. If we see unusual activity on the network or on the 
server, then we'll usually stop whatever we're doing and investigate 
that activity," she said.

Rolfe mentioned an example of the department's actions when a problem is 
seen on a server.

"On our last internal scan, we found a server that appeared to have some 
passwords that were in clear text. The server did not appear to be 
compromised, but we still took it offline until we could investigate," 
she said.

"We don't want to get into the situation if we can at all avoid it."

She said the department spoke with the server's administrator and worked 
the situation out, cleaning that server.

"That's our process. If we see something, we deal with it immediately."

Rolfe said a number of times what seems to be an issue "is nothing. But 
we don't know that until we investigate."

Regarding how long the university keeps parking records and other files, 
the state of Oklahoma has a Records Retention Act.

"Each entity that owns data has to tell us to store the data for the 
amount of time that the state involves," she said. "And that's different 
in different cases."

Even though the process of preventing breaches sounds simple, Rolfe said 
there are many complications.

"There are so many different kinds of attacks that you could get, and 
there are so many people attacking for different reasons," she said.

The reasons for attacking a server include people who just want to see 
if they can get in, for the challenge involved.

Rolfe mentioned the vulnerability of universities to programmers 
interested in hacking.

"Universities are targeted at a higher level than other servers because 
universities have more open systems just by the nature of our business," 
she said.

Students are on the campus to learn, so the systems are mostly open for 
them to do coursework.

"However, in a corporate environment, everything would be locked down. 
You wouldn't be able to load things onto your own machine. You'd have to 
make a request to load something," she said.

"We don't block the Internet like corporations do, so that makes us a 
lot more vulnerable," she said.

Rolfe said a lot of hackers and crackers will try to get on a university 
system and just use the server to do other work, "because there's a 
higher bandwidth than a corporation server."

She mentioned that "people need to understand that when you put 
information out there, there's always a risk."

Copyright 2008 The Vista

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Mon Jun 09 2008 - 02:41:02 PDT