Infosecurity in Academia
By Scott Cherkin
Unlike commercial or governmental organizations where strict IT policies can be mandated, the culture of higher education is deeply rooted in the free exchange of ideas and information. As such, academic institutions face unique information security threats involving compromised private data, financial losses, and attacks on critical infrastructure -- all of which have significant ramifications for public safety and security. With incidents increasing in severity over time, academia's CIOs have been challenged to establish a delicate balance between maintaining openness for their particular culture and ensuring the security and privacy of sensitive information and networks.
This article will explore four challenges to information security faced by academic institutions: balancing an open culture with security; diverse users and appropriate access methods; the sensitive nature of academic information; and high-risk activities on academia's networks.
Culture clash: openness vs. security
The first challenge academic CIOs face concerns the philosophical and ideological environment of the campus: CIOs cannot disregard the spirit of academic culture that is built upon free access to information and the open exchange of ideas. At the same time, they cannot forgo security and privacy around sensitive and personally identifiable information, government-sponsored research and development (R&D), or raw computing power. As such, efforts to secure the academic network are often limited by the academic philosophy as well as by budget constraints. In some cases, even firewalls have not been deployed widely enough, because of a campus belief in open experimentation and collaboration. There comes a point when the open culture of academia needs to protect itself from an onslaught of attacks that is increasing in both number and severity.
Diverse users and access methods
The academic computing environment hosts several types of users with different roles, rights, and responsibilities, including students, faculty, staff, and visitors. Public universities also host the general public, since their libraries are open to this group, too. In all cases, turnover is a major factor, as each year brings a new freshman class and transferring students. Most students arrive at the university with their own laptops, some already infected with viruses, spyware, and other malicious code, and plug them straight into the network. In fact, the University of North Texas in Denton found that 4,000 of the school's 5,700 resident students reporting for the fall semester brought computers infected with some sort of virus. An identity management dilemma has arisen from the need to maintain the open exchange of information while keeping tabs on these various user constituencies.
Sensitive nature of information
Academic institutions are unique in the amount and type of sensitive data residing on their networks, such as Social Security numbers, dates of birth, driver's license numbers, tuition account details, payment information, billing information, health records, grades, and coursework. With distance or e-learning increasing in popularity, a university's core intellectual property is made available on Web servers, creating another area of risk. In addition, academic institutions often host highly sensitive information involved in government-sponsored research and development, funded by grants that topped $36 billion in 2002, according to the National Science Foundation's May 2004 report. Gaps in academic IT policy and procedures endanger the security of this sensitive, and sometimes classified, information.
High-risk activities on academia's networks
Pervasive, high-risk activities such as peer-to-peer file sharing and instant messaging increase academia's exposure to emerging threats. Such activities can open networks up to serious exposure: a House of Representatives Committee on Government Reform report from May 2003 found that users browsing the Kazaa peer-to-peer file-sharing network could also reach private information residing on other users' computers, such as completed 1040 tax returns, military records, living wills, and personal in-boxes. These innovations in information sharing have an additional dark side: they give malicious code (e.g., worms, viruses and Trojans) an entry point into otherwise secure networks.
While the unique information security issues facing academic institutions are significant and evolving at a rapid pace, they can be addressed by developing and implementing a variety of remediation strategies. Examples of strategies that are relatively easy to implement yet have substantial impact are as follows:
#1: Strengthen your university's information security policy
- Obtain endorsement from senior administrators.
- Formalize a policy to address key issues you are currently encountering and believe you will need to address in the future.
- Ensure students, faculty, and staff are presented with your information security policy. If nothing else, they will know the policy exists and which activities it prohibits.
- Require written agreement to your university's information security policy from students, faculty, and staff. This will greatly enhance enforcement capabilities.
#2: Educate and train end-users
- Train end-users on their rights, on how fair use is defined, and on their role in safeguarding the network.
- Make training mandatory and test various methods over time, including in-person, e-learning, periodic email notifications, and the like. Learn what your end-users' preferences are and leverage them.
- Provide refresher courses and emergency update training.
- Explore an "infosecurity training" credential or certificate that can be used on student resumes, and faculty and staff reviews.
- Consider follow-up training with social engineering tests to monitor your group's effectiveness at curbing risky behavior.
#3: Tighten your countermeasures
- Make sure antivirus and intrusion detection/prevention signatures, and operating system and application patches, are up to date.
- Filter executable attachments out of mail at the mail gateway, and use firewalls to block ports, such as IRC ports 6666 and 6667, that bots of the day commonly used to reach their controllers.
- Watch for how botnet traffic evolves, including via peer-to-peer networks, and adapt to guard against their malicious behavior.
- Explore better identity management solutions to secure critical assets inside the network.
- Monitor evolving threats -- watch for patterns of interactions in network traffic and stay up-to-date with emerging, blended threats.
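The following is an added example, not code from the article or its author, that turns two of the countermeasures above into something a campus security team can run: it scans a connection log for campus hosts talking out to the IRC ports the article names (6666 and 6667), reports hosts that beacon repeatedly to the same outside server, which is the traffic pattern an IRC-controlled bot leaves behind, and emits the firewall rules that close those ports. The log format (one connection per line as `<epoch> <src_ip> <dst_ip> <dst_port> <proto>`), the campus address range 10.0.0.0/8, the sample log lines, and the use of iptables syntax are all my assumptions; the article names the ports but not the firewall or log source.

```python
"""
Added example for the countermeasures list above; it is not code from the
article or its author.  It scans a connection log for campus hosts talking
to the IRC ports the article names (6666/6667), reports hosts that beacon
to the same outside server repeatedly, and generates rules to close the
ports at the border.

Assumptions (mine, not the article's): one connection per line in the form
"<epoch> <src_ip> <dst_ip> <dst_port> <proto>", and a campus address space
of 10.0.0.0/8.
"""
import ipaddress
from collections import Counter

IRC_PORTS = {6666, 6667}                         # ports named in the article
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed campus range

# Constructed sample log, not real traffic.  10.12.4.7 beacons three times to
# one outside IRC server; 10.12.4.9 makes a single IRC connection; the rest
# is web traffic, an inbound connection, and campus-internal IRC.
SAMPLE_LOG = """\
1100000000 10.12.4.7 198.51.100.20 6667 tcp
1100000060 10.12.4.7 198.51.100.20 6667 tcp
1100000120 10.12.4.7 198.51.100.20 6667 tcp
1100000130 10.12.4.9 203.0.113.5 6666 tcp
1100000140 10.12.4.9 203.0.113.5 80 tcp
1100000150 198.51.100.20 10.12.4.7 6667 tcp
1100000160 10.12.4.7 10.0.0.3 6667 tcp
"""


def parse_line(line):
    """Split one log line into a connection record; returns None on junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {
            "ts": int(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def outbound_irc(lines, campus=CAMPUS_NET, ports=IRC_PORTS):
    """TCP connections from a campus host to an outside host on an IRC port."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["src"] in campus and rec["dst"] not in campus and rec["dport"] in ports:
            hits.append(rec)
    return hits


def beaconing_hosts(lines, min_connections=3, **kw):
    """(src, dst, count) for campus hosts that reach the same outside IRC
    server at least min_connections times.  Repeated contact with one
    server is the pattern a bot checking in with its controller leaves;
    a single connection is more likely a person using IRC."""
    pairs = Counter((str(r["src"]), str(r["dst"])) for r in outbound_irc(lines, **kw))
    return sorted((src, dst, n) for (src, dst), n in pairs.items() if n >= min_connections)


def iptables_rules(ports=IRC_PORTS, chain="FORWARD"):
    """Border firewall rules that close the IRC ports (iptables syntax is an
    assumption; the article does not name a firewall product)."""
    return [f"iptables -A {chain} -p tcp --dport {p} -j DROP" for p in sorted(ports)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"{len(outbound_irc(lines))} outbound IRC connections")
    for src, dst, n in beaconing_hosts(lines):
        print(f"suspect bot {src}: {n} connections to {dst}")
    print("\n".join(iptables_rules()))
```

On the sample log the script reports four outbound IRC connections but only one beaconing host, 10.12.4.7, since 10.12.4.9 connected once. Tune `min_connections` and the port set to your own traffic: a campus that hosts a legitimate IRC server, as the sample's 10.0.0.3 does, keeps internal IRC out of the report because both endpoints are inside the campus range.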
It is clear that information security efforts are under-funded and threats may not be fully understood by university management and boards of directors. CIOs must make the case for more funding and resources to help protect public safety and secure critical infrastructure.
Scott Cherkin is a Director for a National Institute of Justice-funded information security research project exploring the unique attributes of academia and their ramifications for public safety and security. For more information, go to the Information Security in Academic Institutions Web site.