Network Security
Re: Network-Security Expert Says Colleges Should Do More to Protect Their Computers
- From: Paul Howell
- Date: Tue Jul 18 12:03:46 2000
Paul Killey writes:
> "And universities are going to increasingly find themselves the targets of
> civil liability if they don't start controlling what they do." Does that
> include running vendor software? Whether MS or CDE?
I'm not trying to defend that statement, but I think the issue of liability
comes down to a "safe harbour" concept. That is, if you are practicing all
reasonable security measures and following any/all "standards" on security,
then you've done all that you can, and more importantly, what everyone else
has done, then you have "safe harbour" protection.
If you aren't doing as much as you could be, then it sounds like you may
have some liability.
Take firewalls as an example. Many schools have them, a lot of private
industry uses them, but the universities that don't, may be perceived as
not doing what is an accepted "standard". If a university is broken
into and its systems used to launch a DoS attack, the victim could argue
in a lawsuit, that the university wasn't practicing accepted security
measures and should be held liable for the damage the victim incurred.
> This idea of universities having different problems w/ security than private
> sector outfits I think is nutty. Also, the combination of Pollyanna-ish
> advice like "don't open enclosures" and "everyone can do their bit" and
> "this stuff is really hard and universities can't get it done" is causing
> some cognitive dissonance for me.
I agree with you on the "Pollyanna-ish" advice, but I'm not so sure that
universities don't have different security problems than the private sector.
Three examples of what I'm thinking about come to mind. First, many
universities offer some kind of anonymous access, usually in a library
but sometimes to the general student population. This makes enforcing
accountability difficult.
Second, there tends to be a strong emphasis on privacy. I'm not suggesting
that this is bad, but it does create a tension between accepted security
practices and protecting people's privacy. Firewall logs, IDS, etc.
Third, physical security tends to be very weak. People not affiliated with
a university can probably cover quite a bit of it on foot. You don't
see students wearing student badges, and those that aren't wearing one,
being challenged. Maybe the UMich medical center is more like the private
sector than the rest of UMich in this regard.
The above three items create different security situations from the
private sector.
> Should colleges do more? Yes. Which puts them in the same boat as
> everybody else.
Amen brother! ;->
< paul