Top 10 Threats to Computer Systems Include Professors and Students

Karen McDowell spent several days this fall dressed in a purple fish costume, holding a plastic spear. Ms. McDowell, a network-security analyst at the University of Virginia, wanted to raise awareness about "phishing," e-mail schemes in which con artists send messages to trick people into giving out passwords or other personal information.

Ms. McDowell walked around high-traffic areas of the campus to get attention. "Sometimes I introduced myself as a fraudulent e-mail because many people don't know what a phish is," she said. The outfit hooked curious students, who asked her what she was up to, and most listened to her spiel.

In the past, plainclothes administrators set up tables and handed out brochures about the importance of computer security. But Ms. McDowell felt that such efforts made little impact, since students mostly walked by without stopping. The fish costume was her idea — the university paid a local seamstress $60 to make it — because she felt that a bit of flashiness and humor would help the message sink in.

User awareness is growing in importance when it comes to computer security. Not long ago, keeping college networks safe from cyberattackers mainly involved making sure computers around campus had the latest software patches. New computer worms or viruses would pop up, taking advantage of some digital hole in the Windows operating system or in popular Web software, and officials would work to plug the gaps.

Those were the good old days — back when many big attacks were started by hobbyists who got a cheap thrill watching geek squads scramble. Today a growing number of network bad guys are professional criminals, and they're looking to steal real money. They don't just want to post an embarrassing note on your college's home page. They want to nab the identities of students and professors to go on shopping sprees with forged credit cards.

With the global economy getting lousier, officials predict that even more hackers will get into the act in search of easy cash. Increasingly, the weakest part of a network is the users, who carelessly give out their passwords or leave important information for the taking.

That's the conclusion I reached at a recent Dartmouth College conference on "Securing the eCampus: Building a Culture of Information Security in an Academic Institution," where I was asked to give my take on security threats.

I compiled the following top-10 list of campus computer-security risks based on several recent computing surveys and interviews with more than a dozen college-technology leaders. The list, ordered from least to most serious, is by no means scientific, but it gives a sense of where today's battle lines are — and why "phish" costumes should become more common on campuses.

Threat #10: Spammers

The unwanted e-mail advertising messages named after canned meat represent a constant attack on the campus, and collectively they can have a significant impact on network performance. Even though many colleges can stop most spam messages before they reach users, filtering out ads for Viagra diverts energy away from other activities that IT officials could be doing. More important, spam is an underlying factor in other network-security problems, since some attackers aim at college networks to help them send more spam, by hijacking student computers and turning them into spam servers. So if spammers could be stopped, that would help reduce other kinds of network threats.

Threat #9: Cellphones

The number of iPhones and other Web-surfing smartphones on campuses is growing rapidly. Since some phones can connect to wireless networks that blanket campuses, it is easy for students, professors, and administrators to do all sorts of communication on their phones that they used to do on their laptops.
Which is great, until hackers create viruses for cellphones or until a user loses a phone with sensitive data stored on it. And so far, smartphones are harder to secure than laptops or desktops because virus-detection software can quickly run down cellphones' batteries.

Threat #8: Phishers

Phishing scams are getting more sophisticated. Some early e-mail messages that attempted to trick users into revealing passwords were littered with spelling errors or poor grammar, tipping people off that they were fakes. But today the bait is more lifelike. In a scheme that has emerged in the past year, scammers pretend to be college network officials asking recipients for their network ID's and passwords. Colleges are struggling to educate students and professors that they should never, ever give out their passwords via e-mail.

Threat #7: Social Networks

The popular Facebook social-networking system was invented by a college student, and students are among its most enthusiastic users. But cybercriminals have found that social networks are ideal pools for phishing attacks. A study by Indiana University researchers showed that phishing schemes were much more likely to trick people on social networks than via e-mail — in some cases getting 70 percent of users to fall for the scam. In one popular scheme, students get a message that appears to come from a friend, saying that if they click a link they will see a video clip that they appear in. The link takes users to a site that tries to install malicious software on their computers.

Threat #6: Outsource Partners

Colleges are outsourcing more technology services than ever these days, putting the security of campus information in someone else's hands. Calling vendors a "threat" is probably too strong, but companies can be a point of vulnerability for campuses. Case in point: This April a contractor for SunGard Higher Education had a laptop stolen, and it contained data from 18 colleges that were clients of the company.
For one of those institutions alone, Connecticut State University, the laptop had data for 3,502 students and alumni from four campuses.

Threat #5: Students

Every year students seem to become more careless about computer security, according to some college officials. Students will happily give their passwords to friends to check their e-mail for them. Or they'll create simple passwords that are easy for attackers to guess.

Threat #4: Professors

The only people more careless on their computers than students are professors. When a phishing scheme hit Stanford University this year, for instance, the vast majority of those who fell for the con were faculty members.

Threat #3: Staff Members

Some colleges collect more sensitive information than they need, leaving more opportunities for the data to be exposed to the public or swiped by hackers. Several recent reports said mistakes by careless employees had caused more data breaches than outside attackers had.

Threat #2: Thieves

Thefts of computers with sensitive data have increased each year for the past five years, according to the latest survey by the Campus Computing Project, which tracks college IT trends. This year more than 30 colleges have reported lost or stolen computers or hard drives with sensitive data on them. As laptops get smaller and flash drives get more capacious, this threat will very likely grow. Officials recommend that professors and administrators encrypt sensitive data so that criminals won't be able to see such information on laptops they've swiped.

Threat #1: Malware and Botnets

The Georgia Tech Information Security Center estimates that 15 percent of online computers worldwide are part of botnets: millions of computers infected with malicious code that lets attackers turn them into "zombies" for their own evil electronic deeds (botnets are often used to send spam). That's up from 10 percent a year ago.
The problem is that malware, as this and other malicious software is called, gets upgraded faster than antivirus software. "The bad guys can repack and rerelease their malicious code faster than the good guys can build and distribute antivirus signatures to identify and block it," says Joseph E. St. Sauver, manager of security programs for Internet2, an academic-computing consortium.

It's clear that tech security is as much a people problem as it is a technological one. And education and awareness of good computer hygiene are more important than ever to keep networks clean and data safe.

The University of Virginia has already received requests from security officials at other colleges who want to borrow the costume.

College 2.0 explores how new technologies are changing colleges. Please send ideas to jeff.young@chronicle.com

http://chronicle.com
Section: Information Technology
Volume 55, Issue 17, Page A9