Penn State Intercom......March 27, 2003

University works to
combat cyber crime

By Heather Herzog and John Dixon
Information Technology Services

Editor's note: This is the first article in a two-part series that focuses on computer and network security in higher education.  

One week after the terrorist attacks on Sept. 11, 2001, a less-physically destructive but economically significant cyber attack struck leading financial service institutions a few blocks away from the World Trade Center site. The attack was called NIMDA and for a nation that has become dependent on computer networks, it was a wake-up call. NIMDA, a type of computer "worm," propagated across the country with enormous speed and went from nonexistent to nationwide in an hour, lasted initially for days, and infected 86,000 computers -- forcing many businesses to lose customer access and others to rebuild entire computer systems.

While the Internet has grown globally, it also has grown increasingly insecure. According to Kathleen Kimball, director of Security Operations and Services (SOS), NIMDA and attacks like it have brought attention to the many cyber vulnerabilities that exist and have alerted national leaders that protection for businesses, institutions and organizations throughout the country is critical.

"In recognition of the need for a coordinated effort between government, industry and higher education, a number of national efforts are under way to identify and address priorities for achieving a more secure cyberspace in both the public and private sectors," she said. "An important part of these initiatives is the implementation of security goals among higher-ed institutions."

Under the direction of Internet2 and Educause (two well-known university consortiums), a collaboration of universities and colleges has responded to the national initiatives by setting goals to adopt and implement a five-point plan that would improve information technology security in higher education (see http://www.educause.edu/security/). Penn State has participated in some detail in the planning efforts of this initiative, said Kimball, and in the analysis of responses to key related surveys and workshops that have occurred this last year.

Although SOS plans to examine how best to implement any recommendations that result from the Internet2/Educause collaboration, the University's cyber security initiative has been an ongoing effort beginning in 1993, when Kimball's office was created. SOS, a unit of Information Technology Services, works daily to educate students, staff and faculty about the importance of protecting their computers with anti-virus software, personal firewall support (technology that blocks invasive attempts) and encryption (coding techniques that disguise sensitive data). The office also provides training classes and consultation on ways to prevent electronic dangers, such as securing operating systems and applications, and safeguarding passwords along with other sensitive access control information.

In addition, SOS employs a commercial scanning technology, known as the Internet Security Scanner (ISS), to reinforce the University's security efforts. The system, installed in 1997, enables units, offices and departments to use the World Wide Web to request a scan of a designated University network area, then identifies any vulnerable systems susceptible to probes and other types of hostile activity within that area. SOS also employs custom scans written by University staff to identify machines affected by hostile code that has been observed at Penn State and which may not yet have been incorporated in commercial scanning systems. This allows rapid response to newly observed attacks.

According to Michael A. McRobbie, vice president for information technology at the Indiana University System, investing in procedures, training and equipment that can make networks more secure is well worth the expense for higher education institutions.

"In a time of increased national-security concerns, pressure is mounting for colleges to gain better control of their computer networks, or risk losing federal grant money for research," he told an audience at the Educause annual meeting.

By scanning for network vulnerabilities and by the introduction of state-of-the-art technology such as Intrusion Detection Systems (programs that function like burglar alarms to recognize and respond to attacks in progress), the University can be warned about a variety of electronic dangers, including automated or scripted attacks, one of the most common and costly types of cyber intrusion institutions face today. In this type of attack, a hacker will automatically probe for unprotected network connections, then break into -- and control -- a group of computers.

Among other uses, the hijacked computers (sometimes hundreds or even thousands of them) provide a platform for the hacker to launch electronic assaults that are capable of impacting large numbers of people. A common type of automated assault is a "denial of service" attack, where cyber criminals or vandals, frequently of juvenile age, use a number of "zombie" computers to create an Internet traffic jam.

In addition to automated attacks or denial of service attempts, computer users in higher education often are vulnerable to probes, because some hackers search for computer networks that provide access to sensitive research or government-related information. Hackers also frequently target the high-speed connectivity available in university network systems.

"Technology such as ISS is a big help, but Penn State is by no means immune," said Kimball. During 2001, a total of 6,476 security incidents were reported. That number is nearly 50 percent higher than was reported in 2000. The security of any information system is only as good as its weakest link -- and that's why it's essential that every individual affiliated with Penn State learns how to fully protect his or her own computer."

For more information, e-mail the SOS office at SecurityConcerns@psu.edu.

Heather Herzog can be reached at heh4@psu.edu. John Dixon can be reached at jwd1@psu.edu.

Back