Balanced Security - An Oxymoron?
Secure networks versus information sharing
The Remediator Security Digest interviews David Barnhill, Senior System Specialist of University of Kansas Academic Computing Technical Services
In education, information security is almost an oxymoron. Those in academia are in the business of sharing information, an act that often endangers attempts to secure it. The challenge is to both allow for the frequent exchange of information and to protect it.
A successful security model in the academic arena has much to offer the corporate IT manager. What can businesses learn from their example? Many businesses value information sharing, especially in business-to-business relationships where companies have partnerships and must keep communication lines open.
Recently, The Remediator Security Digest spoke with David Barnhill, Senior System Specialist of the University of Kansas Academic Computing Technical Services, about some of the unique security issues facing universities today.
The Remediator: Academics are about "open information." What is meant by "open information?"
DB: (One) type of open information relates back to the free speech movement at Berkeley and the feeling that corporations sponsoring research heavily influence which research is funded, published and publicized. People think there is far too much control over intellectual property that should be shared in order to advance research in pursuit of profits and visibility. This has been a common perspective in university computing settings. If information was available to all researchers, regardless of their professorial rank or tenure or university affiliation, the cost of drugs could be reduced. In addition, the cure for cancer could be found sooner, and "the age of the universe" and every other confounding question puzzling man would be solved sooner.
The Remediator: What are the problems with "open information" from a security perspective?
DB: The problem of balancing open information and security is a thorny one. On one hand, a public-private partnership is entered into by a corporation with an expectation of return, either monetary or in public relations. If information is released either inadvertently or through a theft, their investment is mooted.
The chemist who wins a grant competition and buys a supercomputer has the expectation that she and the grantor and the university will make a discovery using that machine to their profit. If that information is compromised or destroyed through a security breach, that expectation is at least downgraded. However, some would argue that if the information had been open and freely available in the first place, there would be no "crime." This is an honestly held opinion with some merit. It cannot be discounted, as many discoveries are the result of information exchanged in just such a manner. Xerox PARC is an example of a facility where ideas were developed fairly openly and much good came of this process.
In areas such as medicine or public health, there is a strong argument that progress could be made more quickly if information were more widely disseminated among academics, rather than held closely by corporations or research facilities.
The Remediator: Why is it a challenge to 'sell' the security concept within an academic organization?
DB: Demonstrating to the user that "secured" does not mean a loss of functionality and utility is one problem. On a personal level, people say, "I don’t want my machine to be harder to use." On the institutional level, people discuss the larger questions of academic freedom, freedom of information, and the exchange of ideas.
Years of movement towards equal access makes the university enterprise systems differ from corporate ones. Corporations devise methods to secure information, traditionally through strong hierarchical control of resources and personnel. Most security solutions are designed for corporations where the user has been assimilated and will obey or be terminated. University staff, especially faculty, rightly resent such treatment and are not shy about communicating this news. "Who would want my stuff anyway?" is a common refrain of disbelief from users with compromised systems.
Corporations, by their nature, wish to protect their information, because intellectual property is valuable. Universities often have units that are grant-funded research organizations similar to corporations that readily embrace reasonable security measures. However, for the typical professor, grantees included, there is a fear that "security" is a sneaky way to hide or disguise research into weapons, frankenfoods (genetically modified foods), or other hot button issues about which the public has a right to know. Most are in a middle ground, muddled because they do not understand the problem, and have a sense that, "academic institutions shouldn’t be closed off from the outside; this security stuff is a bother and may be a bit sinister."
40 years ago, we protested corporate policies
This fear of compromised academic freedom of expression is not new. 40 years later, we forget that the student protests of the 1960s really began with the movement at Berkeley, campaigning to overturn the trend towards the "corporate university," which involved corporate attempts to stifle protests against certain types of research on campus. Before Vietnam, the issues were defense contracts with universities, the corporate sponsorship of research and the control exerted by these grantors.
In January 2004, there is still a resonance for many faculty and administrators in the late Mario Savio’s (student leader for the Free Speech Movement) statements about the "odious machine" of dependence on corporate funding for research and the implications for academic freedom. Information with industrial espionage value and national security value sits in dissertations, simulations and even speculations passed between researchers. Someone with a grant from the DOD will be at least nominally conscious of the need for security, while a student researching word use in "Don Quixote" is not going to be overly concerned about securing his or her information. However, a linguist in Spain may be quite angry he is unable to telnet to his machine and login using clear text passwords.
Today, we must embrace stricter measures…
The academic who is in the field doing research rightly understands the network should allow her to contact, at the very least, her email. She wants to log in, do the sorts of things she would do at her desk at the university. She doesn’t understand encrypted versus unencrypted sessions or that someone might use the university’s account to launch an attack. She may use very slow lines, and really need a telnet session in lieu of a Web-enabled email session.
Because some member of the "enterprise university community" is on the road at any given time, the university network is not unlike the corporate enterprise in that regard. The biggest difference is that a distinguished professor with a named chair is less receptive to a restriction on his access than a member of a sales force may be. The professor also may convey where you should put the laptop more pithily — and get a chairman or a vice-chancellor to agree with him. This is where clearly reasoned, well-articulated policy, backed up by the administration comes into play, not only to provide explanation, but also to guide people in making exceptions in genuinely exceptional cases as safely as practicable.
While educating users about policies and benefits
On the desktop, where much of the activity is targeted today, it has been an uphill battle. I like to characterize the adoption of computing in academic settings as the "better pencil paradigm." That is, all the average user wants is a better pencil, not to become a computing maven. When you begin to lock down the desktop, restrict installations of software, push updates down to the machines from centralized servers, you are being proactive, but you are also being invasive of this user’s space. To the person who has just gotten used to the idea of this "better pencil," this is like reading his private notebooks. Unless you spell it out in policy, someone will think you are being intrusive. At best, you are limiting his ability to make this an even better pencil, and then top it off by downloading things to his computer when he doesn’t understand why he needs them. Not to mention, the computer then asks for a reboot! This type of experience is not empowerment for the user.
The system administrator might know that the Windows update pushed out to department computers is a good thing, but the user perceives a little bit of his freedom is taken away. The user thinks historic traditions of free speech and open exchange are being kicked around a bit, if not quite trampled. The user fears he is sliding down that slippery slope of ever more restrictive policies.
Therefore, in security communications and policies, transparency is important. Users need to believe the risk-benefit analysis that the security staff performs has taken their needs into consideration. One can’t treat a bright and committed individual like Bogart did, "You’ll take it and like it."
The Remediator: What are the techniques you recommend to people for 'selling security' within their organizations?
DB: "Pearl Harbor happens," is a bad answer, but it is often after a compromise of a critical system that real changes in policy begin, whether in a corporation or at a university. If you don’t have the compromise as an impetus, you must find a sympathetic ear. To demand this kind of attention, transparency and openness to the greatest extent possible with the users is critical.
Selling security for its own sake is a hard sell in any environment; it is expensive, can be cumbersome, and often feels intrusive. Federal mandates for security officers have moved the bar upwards, but for many there remains a sense of "it cannot happen here, we are too insignificant, etc." I know some security positions in academic and corporate settings were funded as full-time employees only after a breach of some seriousness. In that sense, both types of enterprise data centers are victims of their own success.
The absence of a compromise does not mean systems are safe, but it is hard to prove a negative when seeking a budget increase. A few ways to do this include:
- Collecting "bad" traffic data using open source software is an inexpensive way to quantify some risks.
- Calculating costs for recovery is another.
- Most administrators will not consider securing the infrastructure sexy or interesting to talk about. Point out that the media does find a breached system sexy and does like to talk about it with a headline along the lines of "Breach at <your university> Causes Panic over Identity Theft," on the front page.
I hope that last statement wouldn’t be needed even in the smallest community college setting, but I suspect that isn’t so.
In addition, sometimes a little drama will get their attention. Hearsay proves if you spend a few hours beforehand with L0phtCrack (password cracker software), walk in to a security meeting with administrators with slips of paper with each person’s password, you can count on people paying attention. Then tell them how quickly you decrypted their passwords. Jaws will drop, their attention will be rapt, and though you may be chastised quite a bit for doing it, they’ll listen to you. Do not fail to point out that all undergraduates on campus have the same software available to them, a great deal of free time, and a faster computer than you do.
The Remediator: How do you find the right balance between open information and security?
DB: Well, first you need some direction from your administration. You need consumers, in terms of your faculty and staff and students, who understand at least the rudiments of the arguments, and shifting sands with DMCA (Digital Millennium Copyright Act), the MPAA (Motion Picture Association of America) and the rest of the alphabet soup of entertainment industry acronyms. Certainly, there is a personal level, you as a system administrator must be comfortable with, in terms of privacy and personal integrity.
Corporate grant cases are somewhat clear cut. Though arguments retain much of the currency of the Free Speech movement at Berkeley, they question a censorial policy (even if based on copyrights, patents and precedent) versus reasonable protection of an asset, which defines "security" neatly. In this way, you are protecting your IP assets.
On the other hand, it is a great deal more difficult to explain to an individual professor why his Windows 2000 machine has to be locked down against viruses, worms and such. "I only have my correspondence and my research into the sex lives of manatees. What is threatened if some joker breaks into my machine?" The 150,000 emails one 1.6MHz machine with a 100-baseT connection can generate in short order, for instance. The "hop" from that machine to one with economic value in the same network simply does not compute to the man unless you explain to him the risks.
To a degree, security can be reduced to the personal privacy dimension neatly; the spammers love to use LDAP (Lightweight Directory Access Protocol, an Internet protocol that email programs use to look up contact information from a server) calls to grab email addresses, which can then be used to generate lists for brute force attacks on passwords in addition to the spam deluge. When you realize it can be boiled down to something that simple, the size of the problem begins to be apparent.
Conversely, when you break it down to the personal privacy dimension, the problem can be understood more easily by the academic community. Because these institutions face security challenges like any other organization, the key is to find a balance between information sharing and protecting the systems. Though schools are an open book, network systems are more like a diary and have a lock and key for select people to open and read.
About the author:
As the child of two professors, David Barnhill’s exposure to academia began at an early age. His first network computing experience came while working for NAPA in the 1970s, after which he migrated to the legal industry before segueing into computing at the University of Kansas. Simultaneously, David founded a word processing company as well as a couple of ISPs, and served on the boards of various non-profits. David is currently the Senior System Specialist at the University of Kansas Academic Computing Technical Services. He has three children and three cats and not nearly enough old sports cars. He adds a disclaimer that he isn’t speaking for the University of Kansas, but as someone who has been in the university community since birth.