Network Security
Network-Security Expert Says Colleges Should Do More to Protect Their Computers
- From: Paul Howell
- Date: Thu Jul 06 15:04:47 2000
At http://chronicle.com/free/2000/07/2000070501t.htm
Network-Security Expert Says Colleges Should Do More to Protect Their Computers
By FLORENCE OLSEN
The network-security expert Thomas J. Talleur
says universities can protect themselves from
attacks and other network intrusions the same
way that people protect themselves when they
go out in cold weather. "The more layers [of
security] you apply," he says, "the better
protected you will be."
Mr. Talleur is a managing director of forensic
and litigation services at the consulting firm
KPMG, L.L.P., in Washington, where he
investigates cybernetwork attacks and
provides digital evidence in litigation involving
the Internet and telephone and satellite
communications systems.
Before he joined KPMG, Mr. Talleur was in
charge of advanced-technology programs in
the National Aeronautics and Space
Administration's Inspector General's Office,
where he directed the law-enforcement unit
that investigates criminal attacks on NASA's
communications networks.
Q. How should research universities deal
with network security?
A. The issues have always been ones of
openness versus security, privacy versus
accountability. At NASA, which was a
research environment, the researchers felt they
should have wide-open networks and
wide-open access, so they could run
experiments at the different
communication-protocol layers -- the Internet
is made up of seven protocol layers, and the
researchers wanted to experiment with all of
them. By leaving these protocol layers open,
as they are in their default configuration, they're
exploitable. So this is a question of risk
management.
When a cybernetwork attack occurs, there
also has to be a balance between quick
remediation -- to get up and running again --
and stopping to recover the digital evidence to
affix responsibility for the attack. Often there's
a false perception that if we just reload the
operating system, the intruder is going to go
away because we've taken away his access.
But that's not the case. By the time the intruder
has gotten in, he usually has 10 or 20 other
points of access, and just reloading an
operating system or two and cleaning things up
is not going to make the intruder go away.
Q. Do network administrators bear the
responsibility when a network is
vulnerable to attack?
A. It's very common that the people who set
up and provide information-technology
services do not understand how network
services can be exploited. They go to school
to become either Unix or Windows NT
administrators, and spend four or five weeks
just learning how to set up and provision
services. They're not trained to understand
how the services can be exploited. I.T.
security folks understand how systems can be
exploited, but they don't have any training in
forensics. Their natural response is to patch up
the holes, shut the system down, try to
reconstitute the system for remediation
purposes, and continue on with business as
usual. Forensics people understand the
litigation support, the legal issues.
Q. Should campus-network administrators
be held more accountable for securing the
configuration of machines on their
networks?
A. Universities want to be open and cause
experimentation so their students can learn and
grow -- and that's great. The problem is that
the environment has changed. And universities
are going to increasingly find themselves the
targets of civil liability if they don't start
controlling what they do. One of the big issues
in cyberspace is the issue of civil exposure. If
your point of presence as a university is used
as a conduit point of attack to cause
downstream damage to another entity that
wouldn't have had that damage caused if the
university had taken appropriate steps to
protect its communications from being
exploited, then the university is going to be
open to civil exposure, in my opinion.
Q. What security advice do you have for
institutions of higher education?
A. We ask people to do some simple, basic
things. One thing that would help is if there was
a worldwide awareness of the danger of
opening up unknown attachments to e-mail.
We have to remember that a lot of people are
just using computers for the first time. And
when they get an attachment, they innocently
spread something that they didn't mean to
spread. So user awareness is one big issue.
Another thing is that universities should shut
down services that they don't need to run.
Network operating servers come, by default,
with most services turned on when you install
them. People need to configure these machines
when they install them. If they absolutely don't
need to have a particular service running, they
should shut it down, because if a service is
running, it can be exploited.
File-sharing is a great example. Windows 98 is
a peer-to-peer operating system, and it's very
easy for a user to turn file-sharing on, and not
have any idea that data are being taken off his
machine all day long across the network. If a
machine comes with Telnet as a default
service, people ought to shut it off unless they
need it. Telnet means telephone network
connection. I can type the command "Telnet,"
type in the name of your machine, and get right
into your machine -- bam! Nobody uses it
except system administrators or hackers. But it
comes as a default-activated feature of many
machines today.
The e-mail clients that come with some
computers are another example. The software
asks: Do you want all of your features
activated? Yes! Users don't realize that what
they said yes to is a lot of things that will allow
people to peer into their machine. Just simple
common sense will mitigate a lot of problems
in cybernetwork attacks. It will get rid of the
ankle-biters out there who can break into
machines, so that guys like me can do what
they were trained to do, which is focus on the
organized criminals who are doing this.
Q. What essential security tools should
universities have?
A. Most universities have all the tools available
to them to do the job. Either they don't deploy
them correctly, or they don't have trained
personnel to do it, or they just don't want to
do it. In many cases, they're scientists. They
don't think about who would do anything bad,
because why would somebody do that?