Information Security

¶ … Security An institution of higher learning is one of the most vulnerable places to cyber-attacks available to hackers due to the number of units operating, lackadaisical security measures and the ability of hackers to hide in plain sight. The fact that these are vulnerable systems and individuals has made it a top priority of most institutions to ensure that the people who attend the school at least have a policy in place.

Because ensuring security for all residents of a school would be very costly, most schools have a policy regarding their own equipment, but assume that students will guard their own equipment while they are at school. The problem with this is that there is a lot of file sharing between students and between individual students and others using flash drives and the school's computer systems. Therefore, it is very simple to inadvertently introduce a deadly pest into the system.

To combat internet security issues in a larger sense, many companies offer individual and systems-wide software that will help combat breaches, and federal and state governments have tried to curtail the problem by enacting laws which will protect individuals and their private information. As can be seen from the almost daily report of breach information, these efforts are only partially successful. Regardless, agencies always try to stay either even or only slightly behind new attack capabilities.

This paper examines recent attacks at institutions of higher learning, processes designed to stop the attacks, laws which are supposed to protect individual information and hardware designs that are helping the cause. Recent Attacks at Universities Attacks against institutions of higher education have increased over the past few years, but they are nothing new. It would probably amaze people to realize that the first documented bug placed in an electronic system was an actual bug (hence the name).

In 1945, "Rear Admiral Grace Murray Hopper discovers a moth trapped between relays in a Navy computer. She calls it a "bug,"…Murray Hopper also coined the term "debugging" to describe efforts to fix computer problems" (Krebs, 2003). Of course, now they are much more serious, cause more widespread damage, and can cost billions of dollars to search out and repair.

It is a constant warfare between the people who wish to damage systems, or simply by accessing them illegally damage them, and the people whose constant job it is to thwart them. Specific attacks have either been used against institutions of higher learning or they have, more often, originated there. Universities are often a hotbed of this type of criminal activity because a large group of individuals with the understanding of the mechanisms necessary to create havoc are gathered at one place.

In 2003, a virus called the "Slammer Worm" infected "hundreds of thousands of computers in less than three hours. The fastest-spreading worm ever wrought havoc on businesses worldwide, knocking cash machines offline and delaying airline flights" (Krebs, 2003).

Although this worm did not originate at a college necessarily, the speculation is that the original code, which was so small it just caused interruptions as it was not designed to write itself onto other computers, did come from a campus and that it spread through the internet for weeks before causing the damage it did (Krebs, 2003). A team of researchers at Princeton University in 2007, completed a project in which they developed cutting edge attacks and released them locally to determine their effect.

The controlled results proved that it was possible to break into previously unassailable networks. The lead researcher stated "We've broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers" (Parker, 2008). This technology has been used in subsequent attacks and is the basis for technology that allows criminals to steal data from laptops on a router or hotspot.

Another writer, talking about the dangers of cyber-attacks on college campuses says the dangers "malicious software (malware), phishing, infrastructure attacks, social network targeting, and peer-to-peer (P2P) information leakage are not potential threats; they're actual, daily issues" (Rasmussen, 2008). Recently, 2010, a computer system type that is the backbone of many university systems was attacked using a bizarre set of coincidences. Rasmussen writes; "In a high-profile BGP incident, every organizations' vulnerabilities were demonstrated when a Chinese state-controlled telecommunications company, perhaps inadvertently, positioned itself to intercept 15% of the world's Internet traffic routes.

In that case, China Telecom advertised erroneous BGP routes that funneled traffic for websites, e-mail and other transactions of the U.S. Senate, Department of Defense, NASA and Department of Commerce through Chinese networks before this traffic reached its intended destination." This attack did not affect any college campuses, but a similar issue could easily happen to sensitive research data because it is so commonly used. The fact that the U.S. government was so highly infected by its use is proof that any network is at risk.

Security Systems Devised Because of Attacks Cyber crime has yielded a large number of products and processes that are commonly used to combat the recurrence of the issue. There are a few issues with this approach. First of all it is reactionary. Instead of taking the time to build a system that will assess and address a variety of security issues as a unit, the goal is usually to stop the attack that is happening or has just happened.

The problem with this is that by the time the reaction has produced a new set of processes or products, the criminals are already two or three steps ahead (Rasmussen, 2011). Another issue is that most systems designed to stp this type of crime are piecemeal. This means that they are different products from different manufacturers that have been patched together to form a complete barrier. Unfortunately, the systems often do not work well together so, as a whole, it is vulnerable to further attacks.

This approach also slows the business that the organization is trying to do, so, in essence, the criminals have won a small victory by both hacking the system and by curtailing future operations (Cisco Systems, 2007). Fortunately there are organizations, such as Cisco, that are trying to address the problem as a whole. The Cisco system "Cisco Campus Secure for Higher Education Networks is based on the Cisco Systems vision of the Self-Defending Network -- a network that is integrated, collaborative, and adaptive.

A Self-Defending Network: Integrates security throughout all aspects of the network Collaborates among all network and security elements to create a unified defense system Adapts to new threats as they arise" (Cisco Systems, 2007). This and other systems that have to be geared toward the problems that a university has because they are unique issues that other businesses do not face. The Cisco system was designed with a university customer in mind and has taken all of the vagaries of the project into consideration.

Technology or Processes used to Lower Computer crime Threats Comprehensive programs like Cisco's can be expensive because they are expensive. Of course they offer a pupil network secure solution that keeps an individual secure for a $4.99 fee. This is basically the same as purchasing any other antivirus software, but it is supposed to be specified for the problems and usage that a college student might face. Other vendors do offer similar products though.

Norton sells a version of similar software that can be purchased on a yearly subscription basis at just $140.00 for a two-year download license. McAfee has a similar product that it sells for a one-time price of $100.00, but the purchaser can purchase updates also for a separate fee. Kaspersky also has similar software that it sells for approximately $60.00 for a yearly download and updates. Others have the same products, such as ATT and Personna, that retail for about the same price.

Possibly the best rating system for an good that can be purchased is Consumer Reports. The site does not take any donations or advertisement, but exists using subscriptions to its service. The reason for this is that the reviewers on the site want to remain as unbiased as possible. During a review of security system platforms for the internet, Consumer Reports rated the Kaspersky system the best, Norton second, and McAfee last of the products mentioned above. Avira and G. Data had the best systems, but G.

Data cost half as much. So, it seems the suggestion is to go with the G. Data Internet Security 2012 product (Consumer Reports, 2012). Computer Attack Laws Because this is such a widespread problem, the government has also gotten involved to try and tighten the law which governs internet and system security. Many organizations, including the U.S. government, have data that they need to ensure is secure because it is of a very sensitive nature.

The problem is that it is difficult to write a body of law that is at once broad enough to capture all that can happen, and specific enough to ensure that correct punishments are provided for individual types of offences. The way that the government has handled this problem in the past is to write a broad body of law, such as the Americans with Disabilities Act, and then allow court cases to work out the specifics.

To that end, there have been three Acts from which the largest body of cyber-security comes. The first is called the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This Act protects people from having their private health information stolen and provides penalties for such acts. The second was the Financial Services Modernization Act of 1999 which sets standards for financial information security.

The final major federal law from which judicial precedent is set is the Homeland Security Act of 2002 which basically fills in the holes of personal security left by the other two. The three laws form a basis for all other federal law that has been adjudicated. State governments have further defined the federal laws by passing such bills as that in California which proclaims that any company which has a security breach must inform the people affected by it.

Hardware to Track Crime Another issue that has been noted is that there are a lot of different devices that people are using now to store private information, and if a device is in any way connected to a network it can be hacked. Because devices more and more frequently operate on cloud systems, there is a need to try and secure these types of networks so that people can communicate effectively and without fear of being compromised.

The reality is that these types of systems are very difficult to secure due to their very nature and, although new systems are always being devised to help with this problem, there are always going to be risks. Students invariably carry cell phones of one type or another now, and most have a smart device. The issue here is that because of the power of these devices and the fact that they easily hook up to the internet, they are just as vulnerable as any computer or internet machine.

Many different companies offer security software designed specifically for smart phones and they comes in all different.