More than two months after a computer hacker infiltrated George Mason University’s (GMU’s) massive network infrastructure and made off with sensitive data belonging to 32,000 students, faculty, and staff, administrators at Virginia’s largest university are still searching for the perpetrator.
Whoever the hacker was, officials say, he or she simply vanished without a trace.
Administrators at the University of California at Berkeley know the feeling. Network technicians were left scratching their heads after falling victim to a similar invasion in late 2004–one that compromised the names and Social Security numbers of more than half a million individuals who provide and receive in-home health care across the state. The database was in use by a visiting professor when it was hacked, though authorities still have no idea who did it. The same can be said for similar attacks at the University of Texas at Austin and the University of Georgia, among other recent victims.
Welcome to every Chief Information Officer’s latest nightmare: What once was thought to be secure personal information, locked away in a digital database and password-protected for only privileged eyes to see, is now all too often finding its way into the public domain, forcing frustrated school IT staff to rethink how their institutions approach network security.
Industry experts and victims alike say cyber criminals are getting smarter–and their threats are becoming more real. Not only are students and faculty members enticing targets for malicious bank defrauders and identity thieves, but–emboldened by their successes, experts contend–hackers these days will sneak into systems just to sow their cyber oats.
That appears to have been the case at both GMU and Berkeley, where so far none of the information compromised during the attacks appears to have been misused in any way, university officials told eSchool News.
Left to contemplate the disaster that might have been, administrators from both schools have resolved to shore up their networks in anticipation of future assaults.
After discovering the breach in January, GMU administrators shut down the hacked server and called in the FBI to investigate whether any of the information in question had, in fact, been stolen. Federal officials still have not made an arrest in the case, and university spokesman Daniel Walsch says GMU has no idea whether the attack was leveled by a student–or by someone else hacking into the network from an unregistered machine.
Though the university is still investigating, Walsch said administrators have already begun taking steps to batten down the hatches. Mainly, he said, GMU has sought to centralize its network operations base, bringing its security infrastructure–formerly housed in several buildings across campus–together under a single roof.
But that alone won’t be enough, Walsch acknowledged. The fact that sensitive student data could be stolen at all, he noted, is evidence of a changing landscape in network security–one that will require schools at all levels to reevaluate their strategies to maintain open and productive, but inherently safe, online communities.
“It’s a whole new territory for all of us,” Walsch said. “It’s not a problem we had to worry about all that long ago.”
Nearly six months after its own digital break-in, Berkeley has proposed a series of new protocols that includes the mandatory installation of security patches across its network, the integration of campus-wide virus protection software, an inventory of all network computers that store sensitive data, an updated security policy, and increased security awareness training for teachers, students, and university technicians, among other protective measures.
Rodney Petersen–security task force coordinator for Educause, a higher education consortium specializing in network security–attributes the recent deluge of attacks on school and university networks to the evolving nature of online threats.
Whereas schools used to rely on virus protection software and firewalls, among other security measures, he said, the emergence of increasingly malicious and creative assaults–coupled with the proliferation of online pests such as spyware and adware–dictates the need for a more comprehensive strategy. “There is no single, one-size-fits-all solution to network security,” Petersen said.
That’s especially true in higher education, where university IT staff are charged with protecting networks that, by their very nature, invite outsiders in. In contrast to the business world, academia often encourages students and faculty members to bring their own personal computers online. Though intentions are inherently good, Petersen said, the presence of so many foreign machines creates some vexing problems for network administrators.
Without checking each and every computer individually, he explained, it’s difficult to know for sure whether a machine is harboring malicious code or somehow exposing a hole in the network.
More often than not, he said, schools are forced into a reactive role, where administrators respond to the attacks only after they occur, as was the case at GMU and Berkeley. Unfortunately, as Petersen pointed out, “patching doesn’t always work.” These days, he said, rogue programs are capable of burrowing so deep as to avoid detection.
Instead of relying on firewalls and security patches to fortify their networks, Petersen suggested that schools take a “blended approach” to security–one that includes a combination of off-the-shelf virus protection software, customizable open-source solutions, and the promotion of better user awareness, among other safeguards.
Petersen recommends implementing a centralized management solution that enables school IT staff to monitor the health of every machine, giving staff members the ability to scan for viruses and other security holes before the machine is admitted onto the network.
CleanMachines is one such product. From Perfigo Inc., whose parent company, Cisco Systems, is a leading provider of network servers and solutions to schools and businesses, CleanMachines is part of Cisco’s Network Admission Control program. The software allows network administrators to manage the security of individual machines remotely, applying fixes and updating policies from a single, centralized location.
The nonprofit Educause also recommends the use of other off-the-shelf software solutions–some of which can be downloaded at no charge from the internet, Petersen said. Among these are Spybot Search and Destroy, a free program that helps users detect, quarantine, and eliminate the presence of dangerous spyware on their machines, and AD-AWARE Personal, Lavasoft’s free program designed to cleanse hard drives of adware and other nefarious data-tracking applications picked up online.
In the case of AD-AWARE, the personal edition is free, but schools and universities that intend to deploy the software system-wide are asked to contact the company to discuss licensing options.
Glenn Taylor, director for state and local government and academic programs for security firm Symantec Corp., which sells virus protection and other security software solutions to schools, said schools face a daunting task when it comes to keeping their networks secure.
Unlike most corporations, where equipment is standardized and security policies are involuntarily enacted across the entire network, schools are accessible to a wide range of users, which means the chance of an infection or breach is significantly higher.
To bolster security without shutting down any of the network’s capabilities or services, Taylor suggested that schools invest in all-inclusive technology solutions that can be deployed across the entire network. This approach is somewhat different from what the company has recommended in the past, he said. It used to be that schools and other customers were encouraged to buy security products piecemeal–that is, a separate product for virus protection, a separate product for maintenance, and so on.
Now, with the increased sophistication of online threats, Symantec recommends that schools invest in a single, scalable solution equipped to handle a wide range of threats and problems. This way, Taylor said, the product is guaranteed to work seamlessly, and school IT staff needn’t worry about whether the different products will “play nice with one another” across the network.
Still, while software is important, Taylor admits it’s not a panacea. “No technology is going to protect you 100 percent,” he said.
Petersen agrees. The best way for a school to protect itself against future intrusions, he said, is to help users–students and faculty members alike–avoid these pitfalls ahead of time.
“There is a lot of awareness that needs to occur,” Petersen said. Aside from training IT staff to respond to the problems, he said, schools should consider investing heavily in awareness programs for students and faculty members. By explaining the consequences and identifying the threats beforehand, Petersen believes schools can put a stop to potential breaches before they become a reality.
And awareness doesn’t have to wait until college. A number of organizations–including the nonprofit Consortium for School Networking and CyberSmart, a maker of curricula for teaching safe and responsible web use to K-8 students–recently have launched initiatives targeted at creating awareness in the younger grades.
In February, Microsoft Corp. partnered with CyberSmart and chip maker AMD to sponsor the Web Watchers program, an internet safety and security initiative meant to help students understand the dangers of the internet while empowering them to better protect their identities online. As part of the program, participating schools in nearly 13,000 districts nationwide will be eligible to win grants of up to $5,000 for the purchase of new computer hardware and software.
According to Jim Teicher, executive director of the CyberSmart School Program, the idea is to reach children at an early age, so that by the time they get to college, their senses are already attuned to the dangers.
Today’s students are more tech-savvy than ever before, he said, but most of them still lack the wisdom and maturity required to understand the significance of these threats–and it’s something they need to learn early on.
“Education makes a difference,” said Teicher, “as much or more so than all of the technology we throw at security.”
For its part, Congress has sought to make the job easier on overburdened IT staff, introducing legislation that would ban adware and spyware and subject violators to fines of up to $3 million per incident. But legislators have yet to vote on the bill, known as H.R. 29; and until they do, school technology leaders will be forced to deal with the problem by downloading patches, installing new software, and closing holes–wherever they can.
The examples of GMU, Berkeley, and other schools are “a reminder that you never can be too careful,” said GMU’s Walsch.