Information Security
- Why do we need it?

 

General Computer Security Issues

Being connected to the worldwide Internet means being connected to people who don't have our best interests in mind. Our monitoring logs show daily attempts to exploit vulnerabilities in technology. There are tens of thousands of hostile programs circulating on the Internet: viruses, trojan horses, password crackers, system defect exploiters, vulnerability scanners, and many more. The reality of the situation is that we have to be vigilant about trust and protection issues in our computers just as we are in day-to-day life. One major difference is that the entire world can't reach out and touch our houses, our property, and our bodies in milliseconds as they can our computers. It's not necessary that someone in another country come to your house to rifle through your personal effects; they just have to exploit a vulnerability in your computer or someone else's.

Universities Under Scrutiny

Universities are attractive targets for would-be cyber-criminals. Most universities feature abundant high-speed internet connectivity, individual users who know almost nothing about information security, and minimal protections. Also, an institution is completely unlike a commercial business in its approach to computing. An industry would be able to adopt and enforce strict policies to protect its networks and infrastructure, policies like:

  • a strong firewall around servers
  • no unauthorized modems to connect from home
  • no private e-mail allowed
  • all e-mail attachments refused
  • no internet use that is not strictly job-related
  • users having access to approved software only
  • an administrator who will decide when passwords are changed and which passwords are appropriate.

This would never work at an institution.

Even though, technically, any or all of these provisions could be implemented tomorrow, and even though they would provide the Institution network with much better protection, these kinds of safeguards restrict access to information and limit the ability to communicate, two fundamental rights upon which universities depend. Also, these actions would intrude on the essential privacy that faculty, staff, and students have always enjoyed. Information security is dedicated to helping individuals protect themselves, not compromising the traditional rights and privileges of academia. It is essential, however, for everyone in the Institution to take appropriate measures to protect both individual and shared information and resources so that the entire institution can remain both secure and intellectually free.

Because they are relatively open, with few security measures to protect many resources, universities are enticing to people who want to commit mayhem. Also, at many universities, security is lax. Some computer users don't understand security issues or are too busy to see security as anything more than another time commitment; others just don't care, either about their own security or the risks they pose to others.

The Mission of Information Security…
educating people to take control of their computers and responsibility for their own data. The risks to individuals are too great for those individuals to continue to ignore them, and the Institution cannot protect irresponsible or unknowing users without compromising the academic freedom of everyone else.

The most common excuses for lax security don't hold up to scrutiny:

No one could possibly be interested in my information.

It may be your resources--your network space, your applications, the speed of your connections, or possibly the other network connections that you have access to--that entice an intruder. It may be convenience that makes your account interesting; it's easy to reach, or it may be unguarded, or maybe someone is intrigued by your filenames. You can be vulnerable to someone who is honing skills, or maybe a student disgruntled by a grade, or an adolescent who's mad at the school system...the possibilities are almost endless. Faculty and staff are especially vulnerable to students who are willing to sabotage grades or records. You need not see anything "personal" in an attack; you may just be a convenient target.

Anti-virus software slows down my processor speed too much.

There are a host of issues surrounding anti-virus and anti-trojan programs. But users who have disabled their anti-virus software are vulnerable to common and uncommon viruses, ones that are designed to be "time bombs" or to deploy repeatedly, ones that are inconveniences and ones that destroy hard drives.

I don't use anti-virus software because I never open viruses or e-mail attachments from people I don't know.

Care and vigilance are commendable qualities, but this approach doesn't allow for even a single moment of inattention. And new generations of viruses will circulate without e-mail attachments. Some are circulating now. They can spread across networks; they can mail themselves from sources you trust. In the end, the risk isn't worth it--there is no good reason not to use anti-virus software and not to update it frequently.

So many people are on the Internet, I'm just a face in the crowd. No one would pick me out.

With the millions of people online today, one single individual may feel lost in the crowd, invisible and relatively safe. Relative obscurity may lessen your risk a little if you connect to the internet through a dial-up modem, but the edge you gain is only slight. And most users now connect through DSL or another permanent connection, which makes you extremely vulnerable, especially if you tend to leave your computer on all the time.

I'm busy. I can't become a security expert--I don't have time, and it's not important enough.

Your schedule may be packed, and you may feel that information security is not a justifiable expenditure of your time and expertise. However, you don't have to be a security expert in order to practice safe computing. This website, together with the Institution's continuing educational initiatives, will help you acquire the tools and skills you need to protect yourself.

In the past, the Institution has done everything in its power to protect information while respecting academic freedom. That commitment will continue, but with increasing risks, everyone who uses the Institution networks must be responsible for their part. The conventional adage that the security web is only as strong as its weakest link is truly accurate.

What You Can Do

How do you protect yourself and your data? Most of the best advice deals with behavior that is commonsense and easy to recognize; all it takes is a change of habit. Even the more demanding technical advice really isn't difficult. The information on this website is designed to help you by giving directions as clearly as possible.

The first step is to recognize several casually related facts:

  • some people will take advantage of you if they get the chance;
  • some people don't acknowledge the consequences of their actions, especially when their actions harm others;
  • you are the only one who is really qualified to protect yourself;
  • because there are other people connected to your network, your security depends at least in part on the skills and habits of your colleagues.

Although the threats are significant, the advantages to working in a networked world are substantial. The internet has unlocked a world of information, the intellectual riches of the ages and the best ideas of tomorrow, side by side, and freely available to all. The ability to communicate, to read and to learn, in this environment, is an opportunity that has never before been available. Negotiating safely in this new world requires a few skills; the rewards are enormous.