IT staff keeps tabs on Internet security

Until four years ago, there was no one on the Information Technology
department staff whose primary focus was server security, according to
Dr. Cynthia Rolfe, vice president of Information Technology.

“There was network security, but not server security,” she said.

Today, the department has three people who constantly watch for unusual
activity on the servers.

“They know what’s going on with each of their servers and if they see
something, that’ll raise a red flag and they’ll investigate,” she said.

“We are required by federal law to educate our employees about security
and privacy policies of the university,” she said.

The issue came to the forefront when a breach of an Oklahoma State
University parking server, which affected 70,000 students, faculty and
staff who purchased a parking pass between July 2002 and March 2008, was
disclosed on May 15 in The Daily O’Collegian.

The illegal access was limited to the parking and transit server, which
housed a database that contained confidential information including
names, addresses and Social Security numbers of OSU students, faculty
and staff, according to the May 15 web story.

University officials said in a statement that they believe “the
intruder’s purpose and only action was to use the OSU server for storage
capacity and bandwidth to upload and distribute illegal and
inappropriate content,” but their investigators are unsure, the story
said.

In the 11 years since Rolfe has been at UCO there has not been a major
security breach involving personal information of students, faculty and
staff.

“The only issue since I’ve been here was by human action rather than
from a security breach,” she said.

Rolfe pointed out that “in today’s world of privacy and security and
confidentiality, most of your problems are still going to come from
human error.”

Rolfe described a case in which an employee who had high-level access
shared their password with a temporary employee. When the temporary
employee left, the employee with high-level access didn’t change the
password.

As a result, the temporary employee could get in and “do some things.”

“The way we combat that now is really through education. We use October,
which is National Cyber Security Awareness Month, to do our education,”
she said.

Rolfe said that for students who wonder about the safety of their
records, “your records are as safe as they can be.”

“I will never be one to say, 100 percent there’s no way, because that’s
just unrealistic. We take every precaution we can and we constantly
monitor the systems in an effort to keep all data safe and secure,” she
said.

The Gramm-Leach-Bliley Act of 1999 is what requires this education of
employees, Rolfe said.

“The only truly secure computer is one that is not connected to a domain
or to the Internet or turned off,” Rolfe said.

“What you do in an IT department is, to the best of your ability, lock
down your servers to secure the system to keep your data private,” she
said.

There are a number of ways data is kept private, including using
applications that encrypt information that is considered confidential
and running logs on the server as a mitigating measure, Rolfe said.

“Every day, someone who is responsible for a particular system will
review the logs at least once during the day and determine if there is
any unusual activity,” Rolfe said.

The department uses firewalls and scans the server and network
frequently, she said.

“Relative to viruses, trojans and worms that are known, we do three
levels of error checking. We check at the firewall, at the server and
the desktop,” she said. “Most of that kind of activity is caught at one
of those levels.”

However, Rolfe said there are individuals who “sit in their rooms
somewhere and all day, figure out how to break into other systems.”

“The best we can do is put in our own preventative measures and then
watch for it. If we see unusual activity on the network or on the
server, then we’ll usually stop whatever we’re doing and investigate
that activity,” she said.

Rolfe mentioned an example of the department’s actions when a problem is
seen on a server.

“On our last internal scan, we found a server that appeared to have some
passwords that were in clear text. The server did not appear to be
compromised, but we still took it offline until we could investigate,”
she said.

“We don’t want to get into the situation if we can at all avoid it.”

She said the department spoke with the server’s administrator and worked
the situation out, cleaning that server.

“That’s our process. If we see something, we deal with it immediately.”

Rolfe said a number of times what seems to be an issue “is nothing. But
we don’t know that until we investigate.”

Regarding how long the university keeps parking records and other files,
the state of Oklahoma has a Records Retention Act.

“Each entity that owns data has to tell us to store the data for the
amount of time that the state involves,” she said. “And that’s different
in different cases.”

Even though the process of preventing breaches sounds simple, Rolfe said
there are many complications.

“There are so many different kinds of attacks that you could get, and
there are so many people attacking for different reasons,” she said.

Some people attack a server just to see if they can get in, for the
challenge involved.

Rolfe mentioned the vulnerability of universities to programmers
interested in hacking.

“Universities are targeted at a higher level than other servers because
universities have more open systems just by the nature of our business,”
she said.

Students are on the campus to learn, so the systems are mostly open for
them to do coursework.

“However, in a corporate environment, everything would be locked down.
You wouldn’t be able to load things onto your own machine. You’d have to
make a request to load something,” she said.

“We don’t block the Internet like corporations do, so that makes us a
lot more vulnerable,” she said.

Rolfe said a lot of hackers and crackers will try to get on a university
system and just use the server to do other work, “because there’s a
higher bandwidth than a corporation server.”

She mentioned that “people need to understand that when you put
information out there, there’s always a risk.”
