Virginia Tech needed to assess security threats to the network and bring the university into compliance, reports Greg Masters.

The IT team at a university is faced with many of the same issues as at a retail operation -- in particular, preserving the integrity of customer information on its computer networks. While students are not necessarily thought of as “customers,” the fact is their credit card and personal information traversing the university network must be protected with the same vigilance as at any retail operation.

Fred Pinkett, vice president of product management at Boston-based Core Security Technologies, says that part of the university environment is like an open network. While it tends to be more heterogeneous and built up over time, it is often challenged by funding restrictions. 

“Pieces are put in place at different times,” he says. “There's a lot less control in the university environment than with a corporate environment. There's less control over the network.

Added to this patchwork, is the fact that the students are sophisticated users, using Web 2.0 and downloading a slew of music and videos. However, he points to this user base, and the administrators who watch over the network, as an audience inclined toward using sophisticated tools.

At Virginia Tech, that responsibility falls to Randy Marchany, director of the university's IT security laboratory and assistant IT security officer. The Blacksburg, Va.-based university – with more than 21,000 undergrads, 6,000 graduate students and 2,600 faculty members – had been using a freeware program with pen test capabilities to monitor its network operations connecting the user base to over 180 departments. However, when it came time to do security reviews, Marchany found the free utility's report generating to be insufficient.

In the fall of 2006, Marchany and his team began research to find an upgrade. The impetus in making the move, he says, was bringing university departments into compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). Marchany's team had to perform security tests, including vulnerability scans and penetration tests. Specifically, PCI Requirement 11.3 calls for “penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).”