Campus network security is more than fighting spam
By Sharita Forrest, Assistant Editor 217-244-1072; slforres@illinois.edu Dick Mintel, assistant dean for instructional technologies in the College of Medicine and chair of the Chancellor’s Committee on Cybersecurity and the Faculty, says he used to be skeptical about the need for a computer security program on campus, even after completing a study on the issue and submitting it to the chancellor in October 2003. “I’d never had a computer virus,” Mintel said.
CITES sponsors Computer Security Day 10 a.m. - 3 p.m., Oct. 25 Rooms A, B and C, Illini Union Free to Faculty, Staff and students More info | | |
But immediately after he submitted the report, Mintel became a believer when his impulsive decision to access a wireless Internet service in the Denver airport for a $9.95 fee brought him something unexpected. “Within one minute after I had fired up my browser, I got this popup window that said ‘Warning: Windows is shutting down because of a remote procedure call error.’ And I thought, uh-oh,” Mintel said. Mintel had just become one of the millions of users whose computers were paralyzed by the Sasser worm, an Internet virus that exploited a vulnerability in Windows systems. The virus was so prolific and disruptive to computer activity worldwide that a multinational manhunt was launched by law-enforcement agencies to ferret out its creator. Like Mintel, many users don’t realize how vulnerable their systems really are, said Mike Corn, director of security services and information privacy, Campus Information Technologies and Educational Services. Quoting a statistic from SANS, a computer security training and Internet monitoring organization that tracks and investigates potential threats, Corn said that the average IP address is attacked within 16 minutes of going online. “When you talk with network administrators on campus, they’ll tell you that they can install an operating system, plug it into the network, go into the next room to get the disk to patch its known vulnerabilities and by the time they get back in the room, the machine’s been compromised,” Corn said.
Security resources Information on protecting computers and data as well as free antivirus software are available on CITES’ Web site . To arrange a presentation about cybersecurity for your faculty group or campus unit, contact Mike Corn, 265-0588. | | |
Corn estimates that 96 to 98 percent of the problems CITES encounters are virus-related. To help faculty and staff members and students become savvy computer users and protect their course work, research and personal resources, CITES is sponsoring its first fall Computer Security Day on Oct. 25 at the Illini Union (see box for details). Visitors will learn about computer security, anti-virus programs and other CITES services and listen to presentations by representatives from Microsoft and McAfee, creator of the antiviral software VirusScan that CITES distributes free to campus users. However, the focal point of Computer Security Day will be faculty members’ role in computer security, and Mintel will lead a roundtable discussion on that topic at 12:30 p.m. in Illini Union Room A. In addition to Computer Security Day activities, the Chancellor’s Committee on Cybersecurity and the Faculty is surveying faculty members for comments about computer security issues; the committee will be submitting its report to Interim Chancellor Richard Herman soon. “We want faculty (members) to be more conscious about issues of computer security and understand that they have a major responsibility to the university community in helping protect it,” Mintel said. “Computer security is everybody’s job, it’s not just CITES’ job, and we all have to realize that our actions are potentially hurting somebody else and putting their data in jeopardy.” The UI’s Urbana campus is the first among universities in the Committee on Institutional Cooperation to have a faculty cybersecurity committee, Mintel said, and “it’s the faculty who have the most at stake because it’s their scholarship that can be compromised.” “When you think about how much money is invested in this campus in federal grants, I’d like to think that we’re providing leadership in making sure that data are protected and secure,” Corn said. In addition, every virus incident may total several hundred dollars in lost productivity for the victims, their information technology person, a network engineer and CITES security and help-desk personnel, if they become involved. With approximately 50,000 – 55,000 computers on the campus’s networks, every virus incident can become costly. While viruses such as Sasser can be an expensive nuisance, a more worrisome possibility is that a future attack could come from a malicious intruder that alters data – a scenario that is often referred to as the “third decimal point problem,” a situation where an intruder subtly alters data and thus invisibly influences the outcome of research, Corn said. “This gets at the heart of the real risk to an academic institution because we’re about scholarship, and our research data must be secure. We want to exchange data with people elsewhere and we want remote access to our own files, and accessibility and security are inversely related,” Mintel said. While mobile computing is convenient for users, it is a “huge security problem” because users may unwittingly transport viruses from other systems to campus networks, Corn said. To help address this problem, CITES is updating its Web page with tips and instructions for mobile-computer users. The important thing for other users to learn from his experience with the Sasser virus, Mintel said, is that he didn’t bring his infected computer back to campus and hook it up to the network where it could spread the infection to other users. Before bringing the computer back to campus, Mintel reinstalled the operating system and all the software from scratch, using the recovery disk. “It took me two and a half hours – I know because I timed myself,” Mintel said. Mintel’s time spent fixing the problem was a little less than the average of about three hours, Corn said. While operating system vendors and antivirus program manufacturers are more expeditious about providing patches and virus-detection updates than in the past, users should not view those as a panacea because there is still some lag time between the discovery of a vulnerability and the availability of defenses such as patches and antivirus updates, Mintel said. “Even if you’re relying on good technology, people still have to become savvy computer users,” Corn said. “The human is always the weak link in the chain.”
CITES sponsors Computer Security Day 10 a.m. - 3 p.m., Oct. 25 Rooms A, B and C, Illini Union Free to Faculty, Staff and students
As part of National Cybersecurity Awareness Month, CITES is sponsoring its first fall Computer Security Day, which will teach how to keep hardware and data safe, demonstrate easy and effective anti-spam and anti-virus techniques, and offer security presentations of special interest to faculty members as well as training opportunities for technical support staff. CITES also will introduce Password Vault, a free, secure tool for storing usernames, passwords, PINs and other sensitive data. Activities include:
- Information booths on password security, anti-virus solutions and other CITES services.
- A computer “first-aid” station for diagnosis and repair of viruses and removal of spyware.
- A keynote address on “Personal Privacy in the Information Age,” by Phil Zimmermann, creator of the e-mail encryption software package Pretty Good Privacy and a fellow at the Stanford Law School’s Center for Internet and Society, at 7 p.m. in the Beckman auditorium.
- Raffles for USB Flash Keys and an Apple iPod.
Back to Index