"When a student comes to campus, it's the first thing they want hooked up," says Seth Shestack, acting CISO at Temple University, Philadelphia, the nation's 28th largest college with a student population of 35,000. "Our help desk will get calls faster for students who can't connect to IM than for email being down."
With that demand for undisturbed IM access comes the need for the university's IT team to secure a communications means that is quickly becoming a preferred attack vector. In fact, solutions provider Akonix Systems recently reported that it tracked more IM attacks in October than any month of the year — and the upward tick is expected to continue. "The bad guys are looking for a new way in," Shestack says.
As it considers deploying IM security solutions, the college is turning to security awareness training as a stop-gap measure, Shestack says. Temple provides lessons on information security as part of its orientation programs, and offers pre-recorded streaming video through its newly created web portal.
Properly safeguarding IM systems is one of the key challenges emerging across academia as the year (and fall semester) come to a close. This is troubling news for security pros, already burdened with numerous risks inherent to colleges, notably the constantly migrating end-user population, the need to protect intellectual property such as academic research, and fears of infected networks due to unfettered internet access and the increasing use of endpoint devices.
As colleges' reliance on technology continues to grow in 2007 more security pros will look toward establishing tougher policies, says Rodney Petersen, policy analyst at EDUCAUSE, a nonprofit dedicated to advancing higher education through IT.
In a recent EDUCAUSE study, only 10 percent of nearly 500 respondents have an IT security plan in place, but half were in the process of creating one.
"As people continue to devote more resources and attention to IT, there will be more strategic consideration on how to do security right as a result, and we will see progress," Petersen says.
The study did reveal considerable improvements. Now one-third of responding institutions have a CISO, and 60 percent report they have implemented a centralized IT security posture.
"The reality is colleges and universities are confronted with security as a bigger priority," he says.
Meanwhile, administrators at the K-12 level have problems of their own. Should the Deleting Online Predators Act of 2006 (DOPA) pass, the bill would require schools and libraries that receive E-rate funding to ban access to chat rooms and social networking sites, such as MySpace. (E-rate funds are federally granted money used to pay for internet connectivity.)
"I know education is a little concerned about DOPA because, in some regards, it overreaches," says Paul Myer, president and COO of 8E6 Technologies, an Orange, Calif.-based content filtering provider. "It would be easy if you could block MySpace and be compliant — but that's not the case. Heck, you could social network off Gmail."
But schools are starting to realize that content filtering may not only satisfy legislative requirements and block children from viewing objectionable material, it could also protect a network's health, he says.
"Viruses, spyware, malicious code," Myer says. "When people go to those sites, it's not just content, but stuff that goes along with that content that wreaks havoc on the network."
Just as enterprises are expressing worry over the insider threat, schools have to be similarly vigilant. Nowadays, separating access rights between faculty and tech-savvy students is more important than ever, especially in light of protection requirements mandated under the Family Educational Rights and Privacy Act (FERPA), says Kirk Appleman, director of eastern sales at Applied Identity, a network access management firm.
"The key is: application security doesn't work, and the students know what they're doing," says Appleman, who suggests colleges deploy an identity-based firewall. But dividing access rights is a tough sell, particularly at colleges, where the free flow of information rules, says Temple University's Shestack.
"We're not like a corporation where servers that contain proprietary information are inaccessible," he says. "Students need to use stuff like USB keys."
Meanwhile, as more colleges and schools launch programs to distribute laptops to pupils, other risks arise. Ron O'Brien, senior security analyst at Boston-based Sophos, says the prevalence of WiFi hot spots is making it easier for fraudsters to compromise computers by creating bogus "landing pages" that may carry trojans. Colleges must deploy solutions that scan these laptops when they reconnect to the network, he says.
As the calendar turns to 2007, it is clear the education space is taking security more seriously than ever before. But colleges also have one saving grace working for them.
Need a hint? Think ramen noodles.
"In the higher education space, there's not a lot of financial gain, unless you're really going to take a chance and hope someone's got more than $10 in their checking account," O'Brien says while laughing.
LEARN SECURITY NOW:
Make it a career later
As IT pros work harder to secure networks inside schools, cybersecurity is steadily becoming a casual, if not integral part, of course lesson plans.
i-SAFE America has developed IT security curriculum for students of all ages that boil down the complexities of security threats
into explanations children as young as kindergarten-age can understand. While the curriculum is designed to protect unsuspecting users from the perils of the internet, some schools are establishing courses to prepare students for careers in information protection.
For example, some high school students in Rome, N.Y. are taking a new course that introduces them to varying topics on cybersecurity, including vulnerability detection and incident response. Organizers hope the class, created by the U.S. Air Force Research Laboratory in Rome, and Syracuse University's school of engineering, will inspire students to pursue a major in computer science at the college level.
The National Security Agency (NSA) runs the National Centers of Academic Excellence in Information Assurance Education (CAEIAE) program. These schools offer degrees in information assurance tracks, with the goal of reducing vulnerabilities in the nation's critical information infrastructure. Recent statistics show there are about 70 centers in more than 25 states and Washington, D.C.
— Dan Kaplan