BizEd

JanFeb2005

Issue link: http://www.e-digitaleditions.com/i/59881


Before setting up a firewall, HBS administrators implemented a product called PacketShaper, which restricts bandwidth available for services such as file sharing. Not only does this instantly cut down on illegal activities such as swapping movies and music, says Arsneault, it allows the system administrator to see which ports are being used for which applications. "When it came time to put in the firewall and close services, we were able to close more than 99 percent of the ports without stopping a single service that was being used on the campus," says Arsneault.

About a year after installing the first firewall, he says, administrators went back in and shut down all incoming traffic outside the data center. "That means people can't go in and host their own Web sites, and can't host peer-to-peer information to their own PCs. It has literally made problems like denial of service attacks and compromised PCs almost disappear."

Inside the Castle: Virus Protection

Anti-virus software can do a superb job of preventing infected information from corrupting the network—but it only works if every user has installed it and is keeping it up-to-date. And "every user" means every professor, staff member, and student who logs on to the network. "You can literally take out the network with one rogue PC," says Arsneault.

It's easiest to control faculty and staff computers. At Harvard, faculty and staff must be authenticated as they log onto a school directory. Service patches and anti-virus updates are automatically pushed through the staff/faculty system by the central IT office. Recently Arsneault changed the virus update refresh date from once a week to once an hour. "When you ask the server if there are any definition updates available, 99 percent of the time the answer is no," he says. "But if a virus definition is released, within 60 minutes the system is updated."

Harvard has also installed LANDesk management software on the faculty and staff systems, which gives the central IT department the capability to do hardware and software inventories while allowing individual users to install software on their own computers. "They still have ownership over their PCs, but we have the ability to know what's on the network now and what software is running," says Arsneault.

Harvard's IT department also has installed two layers of virus control. The one at the e-mail gateway, which guards the system from outside attackers, purges 25,000 infected e-mails a day, says Arsneault. The second one, a McAfee product, monitors internal e-mail—which doesn't have to go through the gateway—to make sure school personnel don't pass on viruses picked up inadvertently.

The Chink in the Armor

You can install every piece of hardware ever invented; you can require absolute synchronization of software. But if you don't get a buy-in from the users, the system will eventually break down. As is so often the case, in the realm of cyber-security, human beings are the weakest link.

The organization Educause offers schools basic information about technical security solutions on its Web site at www.educause.edu/security/guide, says security task force coordinator Rodney Petersen. But for any school security program to work, the human administrators must first develop a policy that explicitly spells out who is responsible for what and what should happen when something goes wrong. "The three steps are prevention, detection, and response," he says.

In terms of prevention, the first important component is risk assessment, which includes identifying and classifying all the data an institution collects. "For instance, a public Web server is public by definition, whereas student records and grades are private," he says. The second component is to identify who the "data steward" is—such as the registrar for student information and the comptroller for financial information. The third component of prevention is setting policies about access: who has it and what kind of controls are in place. The fourth component is training those with access about how to use and protect the data under their stewardship. "I once worked at a university where a student employee in the registrar's office gave the media information about a student athlete that he had obtained from student records," says Petersen.

In the area of detection, Petersen says, administrators can't just secure the mainframes and think they're done; they have to secure the multiple devices that download and manipulate data from that mainframe. For instance, a trusted employee can go to a protected mainframe and download employee information to his laptop. If the laptop is stolen or compromised, all that data is at risk. "We tend to focus on electronic data and forget that it can exist in a physical form," says Petersen. "One day an administrator showed me a printout of all the employee information, which he'd found in a trash can. What we're talking about is the three stages of data flow: in storage, in transit, and in use. And we forget about data in transit and in use."
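The port-closing sequence Arsneault describes in the firewall section above (observe which ports each application uses, allow only those, then confirm that nothing in use is cut off) can be checked mechanically before the cut-over. The following is an added example written for this page, not HBS's or PacketShaper's own tooling; the flow records and their "port proto application host" layout are constructed assumptions.

```python
"""Port-usage inventory before a default-deny firewall cut-over (added example,
not HBS's or PacketShaper's tooling). Flow records are constructed sample data;
the "<dst_port> <proto> <application> <host>" layout is an assumption."""
from collections import defaultdict

# Constructed sample of observed flows.
OBSERVED_FLOWS = """\
80 tcp http www1.example
443 tcp https www1.example
25 tcp smtp mailgw.example
389 tcp ldap dc1.example
53 udp dns dc1.example
6881 tcp bittorrent studentpc-17.example
6882 tcp bittorrent studentpc-17.example
"""
# Applications the policy deliberately cuts off (file sharing, as in the article).
BLOCKED_APPS = {"bittorrent"}

def parse_flows(flows):
    """Yield (proto, port, app) tuples, skipping blank and comment lines."""
    for line in flows.splitlines():
        if line.strip() and not line.startswith("#"):
            port, proto, app, _host = line.split()
            yield proto, int(port), app

def inventory(flows):
    """Map each (proto, port) to the set of applications seen using it."""
    usage = defaultdict(set)
    for proto, port, app in parse_flows(flows):
        usage[(proto, port)].add(app)
    return dict(usage)

def propose_allow_list(usage, blocked_apps):
    """Allow a (proto, port) only if a sanctioned application was seen on it;
    every other port is left to the firewall's default-deny rule."""
    return {k for k, apps in usage.items() if apps - blocked_apps}

def services_broken(flows, allow_list, blocked_apps):
    """Sanctioned applications whose observed traffic the allow-list would drop.
    An empty set is the 'no service in use stopped' check before closing ports."""
    return {app for proto, port, app in parse_flows(flows)
            if app not in blocked_apps and (proto, port) not in allow_list}

def closed_fraction(allow_list, port_space=2 * 65535):
    """Share of the TCP+UDP destination port space left closed."""
    return 1 - len(allow_list) / port_space

if __name__ == "__main__":
    allow = propose_allow_list(inventory(OBSERVED_FLOWS), BLOCKED_APPS)
    print(sorted(allow), services_broken(OBSERVED_FLOWS, allow, BLOCKED_APPS))
```

Removing an entry from the allow list and re-running `services_broken` shows which sanctioned service the change would silently stop, which is the check that lets a default-deny policy be rolled out without the outage the article warns about.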
