Keeping malware out: Eastern Kentucky University and FaceTime

The IT staff at Eastern Kentucky University faced a unique challenge: maintaining academic freedom while still protecting network users, reports Angela Moscaritolo.

A year ago, the IT help desk staff at Eastern Kentucky University (EKU) was dealing with a steady flow of malware-infected machines needing to be serviced. It was a never-ending fight.

Malware, short for malicious software, is installed on a user's PC without their consent and can be designed to do a variety of things, some annoying, some very hostile, said Ed Riley, director of systems support at EKU.

“There was somebody infected all the time,” Riley said.

EKU, located in Richmond, Ky., has a student population of 16,000 and 2,000 faculty members. Supporting both faculty and student technology needs is an IT staff of 60, including Riley, a 25-year veteran of the department.

The school has two different networks. One serves faculty and staff and also includes lab computers that students use. But that's not the network that causes most of the problems. The residential halls network, in use where approximately 4,000 students live, is where most of the malware-infected computers come from.

“In the residence halls, it's like the Wild Wild West, if you can imagine,” Riley said.

Ed Riley, assistant director, networking, telecommunications and systems, Eastern Kentucky University

For students and staff at EKU, malware results in a loss of productivity. When infected with malware, oftentimes a student doesn't even know it. What they do know is that the computer isn't working right, and that the network is running slower than usual.

“The problems we have seen run the gamut of having a PC being unusable because it becomes extremely slow because of the infections, or spam-generating machines that can get your site's domain blacklisted, which affects legitimate email from reaching its target,” Riley said.

For the IT department, the all too familiar problem means going into the user's PC to wipe out the infecting malware. The time it takes to clean varies depending on the type of malware that's infecting a machine. Some can be remedied with anti-virus or anti-malware software, but others can take up to four hours to clean off.

“It's very labor intensive to try and clean those machines,” Riley said.

EKU has a slew of security measures in place, including anti-spam and anti-virus appliances. As a prerequisite, before machines are able to use the network, students must run Cisco Clean Access, which requires them to install anti-virus software, ensures their anti-virus signatures are up to date, and requires that their machines have the latest Microsoft updates applied.

“We also have other security measures in place to protect the network and our servers, but I really don't want to discuss the details. Providing too much information about what you use can aid someone if you are a target,” Riley said.

While they had comprehensive anti-virus security measures in place, a year ago the university's malware security was lacking. The only defense against malware was a user-based anti-spyware program, which allowed users to remediate their PC only after it was infected. Riley was not satisfied with this approach to dealing with the problem.

“I'm a firm believer in perimeter-based defense systems,” said Riley. “By relying on a user-based approach, we were essentially relying on people, and I think anyone in IT would agree that people are the weakest link in any security system.”

So Riley began looking for a product that would block malware from entering the network. The goal was to take care of the issue before the user ever sees it.

But Riley faced a unique challenge: when implementing any new security system in a college setting, it's imperative to maintain academic freedom while still protecting the user. The product needed to give administrators control over what is blocked, while allowing access to resources when they are needed.

Riley saw a magazine article with a “bake off” of competing anti-malware solutions. Real-Time (RT) Guardian from FaceTime stood out as the winner.

RT Guardian essentially looks at all web and internet traffic, everything except email, and identifies malware trying to enter the network, said Frank Cabri, vice president of marketing and product management, FaceTime.

What Riley likes about RT Guardian is that it stops malware from being installed on PCs, gives administrators the freedom to block and allow what they want, and it doesn't introduce latency, or slow down internet browsing on the network.

With other types of anti-malware solutions, if an internet user browses to a page, they may have to wait for the software to process the request, slowing down their browsing. RT Guardian works in real-time, though.

“It's like a traffic cop just watching the cars go by,” Cabri said.

The IT department deployed a demo version and monitored it for a while before deciding they wanted the product. After the initial demo was successful, RT Guardian was deployed to all 2,000 machines using the faculty network and 4,000 in the residence hall network.

Installation took a couple of hours and was very easy, Riley said. Compared to a lot of other products, he said, it was easy to get up and running.

Websites that may potentially infect a user's computer with malware are blocked. When a user tries to navigate to a site that is blocked, they are informed via their web browser that the site is blocked.

Now that they have been using RT Guardian for a year, Riley said that it's helped block malware and increase the productivity of the IT staff, since they don't always have to deal with malware-infected computers.

In the faculty network, Riley said the problem is virtually gone. Within the residence hall network, the problem has gone down significantly.

While it has decreased, the problem of malware in the residence halls is still present. When students take their computers home for breaks, they are often on unsecured networks, where their machines pick up malware infections. Usually there's an upswing of malware-infected computers needing to be serviced toward the beginning of each semester when students return from break, Riley said.

Riley has not gotten any complaints from students about sites being blocked. A few faculty members have told him that certain sites should not be blocked though. In that case, the IT staff can visit the site, and see why it's being blocked and have the flexibility to unblock it.

One of the nice things about the product is that administrators are able to view reports which tell them what's going on in the network and which computers are infected with malware, Cabri said.

When they first installed RT Guardian, the IT staff at EKU was looking at the reports every day, but now they look about once a week. They also allow residence hall staff to view reports, so that staff can reach out to students and ask them to bring in computers to be cleaned off.

While the help desk used to spend up to half their time servicing malware-infected computers, they now spend most of their time working on more productive tasks.

“The help desk folks are really happy about it. We are all happy about it. They can do things that are productive as opposed to fixing a machine that has some type of malware on it,” Riley said.

Photo caption: Carl Perkins Building on the campus of Eastern Kentucky University, where the data center is housed.
