Monday Matters
If you are a member of the College faculty or staff but don't normally read this column, this week you should. I am going to discuss an issue that has become increasingly important to our College because it threatens our resources, our reputation, and our infrastructure. The topic is computer security. Perhaps you tire of receiving email messages reminding you to patch your operating system or update your virus protection. If so, then this column is especially for you. I want to briefly explain why this is such a serious problem and how non-compliance with these email requests hurts you and your colleagues in very real ways. I also want to make you aware of a new policy that I am implementing, as well as new systems that we are putting in place to give you help if you don't feel comfortable with computers or are unsure how to update the security systems on your computer.
How I Shocked my Family (and Lived to Tell About It)
About six months ago I began receiving two strange kinds of emails from members of my family. The first kind was email from some family members asking me why I was sending out pornographic messages. Needless to say, I was not delighted to hear that someone was sending such messages using my email address as the return address. I suspected what had happened and the second type of email message confirmed my suspicions. I began receiving similar pornographic messages, purportedly from members of my family. I even received one purported to be from my mom! Soon the entire family received an apologetic email from one of my uncles. His computer had acquired a virus. This virus stole email addresses from his address book. It would then send a pornographic message to one address in his address book and make it look like it was sent from another address in the same address book. In addition to embarrassing my uncle and making him the brunt of family jokes, it also cost him time and money to hire a computer expert to clean his machine and secure it so that this would not happen in the future.
This true story illustrates three major consequences that result from a computer attack: it cripples infrastructure, it saps resources, and it causes embarrassment. Attacks similar to those that affected my family can and have been made on organizations as well. In fact, they have happened to one organization that you are all familiar with. No, I'm not referring to Microsoft, Amazon, or IBM. I'm talking about the College of Education. The result has been degraded or lost internet access, the loss of an operational computer for hours or days, and an all-too-high commitment of resources to fixing machines that never should have needed to be fixed in the first place. The loss of person hours last week alone is more than we can afford. Some services that I had expected to be in place before the semester started have been delayed because of the hours we have had to dedicate to dealing with attacks on computers. The computer upgrades that I have promised have also been delayed by several weeks. This is not a problem to shrug off and chalk up to overly concerned computer geeks. This is a very real resource issue.
If I have not convinced you of the problem yet, let me provide some specific scenarios that could occur if computer security is not kept up to date. Scenarios like these have been documented on this and other campuses.
- Students take control of your computer and access course information, including grades, exams, and homework keys.
- Email messages are sent to your colleagues, University administrators, or Board of Trustee members that look like they were sent by you from your computer.
- Your computer becomes the host site for the illegal distribution of music or pornography, even as you continue your daily work on your computer without any evidence that this is taking place in the background.
- Your computer joins thousands of other computers in attacking some site in the University (such as the University web site) or a major corporation. Such attacks are conducted in order to overwhelm the corporation services so that the corporation can no longer conduct business. These are referred to as "denial of service" attacks. This is the kind of attack that Microsoft recently sustained (and continues to sustain) as thousands upon thousands of computers (mostly from innocent computer users who have no idea what their computer is doing) attempt to cripple a company.
If you have ever wondered why your email and internet service sometimes seems to crawl at a snail's pace when students return to school, it is often because of attacks like those above that are orchestrated by a few students who have fun doing this. Not many months ago it was common to find over 90% of the internet usage at the University dedicated to students swapping files (such as music files) in the manner made popular by Napster. This kind of exchange of copyright material has been ruled illegal by the courts. The FBI is paying particular attention to universities as it investigates this illegal activity. The University of South Carolina has been taking steps to eliminate this problem and other forms of computer misuse, but there is only so much that can be done at the University level. The best defense for the kinds of attacks I described above is for individual computer users to be proactive in stopping these attacks by ensuring computer security on their individual machines.
Two Easy Steps to Computer Bliss
There are only two steps that you must take on a regular basis to protect you and your computer from attack. First, you must update the operating system. I am not talking here about switching from one operating system to another (such as switching from Windows 98 to Windows 2000), but rather I'm suggesting that you keep the operating system that you use up to date. Modern operating systems have built-in functions for making this simple to do. In fact, the newest operating system (Windows XP) can be configured so that updates occur in the background automatically without you ever needing to know or worry about it. The reason that operating system updates are so important is because computer hackers constantly seek vulnerabilities in these systems. Once they start to exploit the vulnerability, the company who made the operating system releases a patch to fix the vulnerability. The hackers then seek other vulnerabilities and this trend continues. Eventually the operating system becomes more secure, but then a new operating system is released and new vulnerabilities are found. This is one reason why we don't rush to switch all the College computers to a new operating system as soon as it is released.
The second step you must take is to update your virus protection on a regular basis. Whereas operating system vulnerabilities can expose your computer to direct attack via the internet and the local area network, viruses can be more subtle and sneak in through email messages. You should never open an attachment on an email from someone that you don't know. Even when an attachment is sent by a trusted friend, make sure that this is an attachment that you expected or that it is referenced in the email in enough detail so that you are certain that your friend intended to send it. The most prolific viruses are those that are sent from one unsuspecting friend to another. Once these viruses are on your machine, they can wreak havoc. The most malicious viruses are intended to open up new vulnerabilities so that attackers can get on your machine or to damage or erase the contents of your hard drive. Some viruses are designed to sit idly until a certain date and then begin to damage your system. These viruses are difficult to trace because the trail has become cold by the time they do their work. Also, if many machines in a company (or college) have one of these dormant viruses, the company (or college) can be crippled when the virus becomes active on multiple machines all at once.
If you think that there is no need for you to update your operating system or your virus protection, think again. Two weeks ago we simulated an attack on College computers to determine which ones we could exploit. Out of the approximately 150 computers in the College, 45 of these machines were vulnerable. You might imagine that this happened simply because people were gone for the summer, but in fact when I looked at the list of vulnerable machines I recognized most of these as being owned by people I saw in the hall or had email communications with during the summer. A quick call to Computer Services confirmed that although this is a University-wide problem, the College of Education has one of the lowest compliance rates whenever there is a campus-wide announcement of a new operating system patch or virus protection update. This is unacceptable.
Our simulated attack turned out to be an eerie prediction. Many of the vulnerable machines were attacked for real last week and the Office of Information Technology (IT) spent the entire week cleaning and repairing machines. As of this writing, they're still not done. I had high hopes that some new web services would be finished and that the process of upgrading computers would have begun in time for the new semester, but this dream vanished along with some data and hard drives on the attacked systems. Whether it is lack of understanding, indifference, or nervous reluctance to try something new on the computer, our failure to heed warnings is becoming increasingly costly and consuming an expanding portion of our limited resources.
The New Strategy and Support Systems
Whether we like it or not, we must each take responsibility for keeping our operating system and virus protection up-to-date. I simply do not have the personnel resources to assign someone to go room to room patching machines every time we receive a warning of a new threat. As a member of a college of education I have a better solution: education. If we can spend one-time money to teach every faculty and staff member how to patch and update their systems, that will save us considerable resources in the long run.
The newly organized Office of Instructional Support is adopting a new training model that emphasizes one-on-one professional development. (I will be telling you more about the OIS and the services they provide in an upcoming edition of Monday Matters.) If you have a difficult time understanding the instructions that are sent by Computer Services or IT, or if you are generally uncomfortable attempting a new procedure on a computer, contact the OIS. We are in the process of refining an online form that you will be able to use for all of your technology needs, but for now you may write to Susan Quinn at susanq@sc.edu. She will assign a technology trainer to meet with you and teach you how to run patches, update the operating system, and update virus protection. If you then update the operating system and virus protection on a regular basis, as well as run the special patches that are referred to in Computer Services and IT notices, you can rest easy and avoid the headaches associated with a malicious attack.
To help protect the College as a whole and thereby conserve our computer support resources, I am initiating the following policy. (1) The IT office will be responsible for periodically scanning the College network to find vulnerable computers. (2) Notices will be sent to individuals responsible for these computers to alert them to the fact that the computer is vulnerable to attack. (3) If the computer is still vulnerable 72 hours after the notice is sent, I will have the Ethernet cable removed from the computer. This is a protective, rather than a punitive, measure. With the Ethernet cable removed, the computer cannot be attacked, nor can it unwittingly attack other computers in the College. You will still be able to use the computer but will not have access to the internet or email until the computer is patched. The other option that University Computer Services gave us is to have our internet access shut down until all computers are in compliance. I prefer to focus our efforts on computers that are not in compliance rather than take all computers offline. This is also a way to protect the computers of people who may be out of town and are unaware that their computer is vulnerable. (4) If we need to remove an Ethernet cable, you will be notified where to obtain a patch disk and your cable so that you can have your machine online as soon as it is safe to do so.
If you have any questions about this policy or the support procedures that we have put in place, please let me know. I am always open to comments, questions, or suggestions about this and other matters. My goal is to provide a high level of support even in the face of dwindling resources. By working together and being willing to embrace professional development opportunities, we can assist in building a safe and efficient computer network. Thank you for doing your part.
Until next week,
Mike