Spyware, Spam, and other Threats
The six things you need to do now
By Jean Marie Angelo
Malware is out there, in cyberspace, and ready to
make a home on your network's computers. Malware, the catchall
description for spyware, viruses, worms, and other IT nemeses,
can do expensive and time-consuming damage to a campus system.
Are you doing all you can to protect your IT assets?
University Business has come up with six essential
steps that all IT administrators should be researching now to
protect against threats.
1. Search for Spyware
Spyware is at the top of the list of IT security threats.
Spyware is malware that clandestinely records users' online
activity and, in the case of keyloggers, specific keystrokes.
Often users are unaware that their computers have been
compromised and that data such as passwords and credit card
numbers are being stolen. A sudden flood of popup windows is
one common giveaway that a computer has picked up spyware or
adware. Granted, many users accept cookies that track their
activity on sites they want to use; cookies by themselves are
not spyware. An inordinate number of popups, however, is a
strong sign that unwanted software is running on a machine and
that it needs to be scanned.
On campus, illegal filesharing is the most common path
spyware takes to get onto computers, says Michael Cooper,
program coordinator for the Technology Support Center, West
Virginia University. Basically, if students are using
Kazaa, Grokster, Morpheus, or any other free P2P client, an
IT director can be fairly sure that spyware is on their PCs and
laptops, probably causing compatibility problems, watching
users, hogging bandwidth, and slowing down the network.
Cooper combats the problem with network monitoring that
identifies illegal P2P users, in part by noting if they are
using an inordinate amount of bandwidth.
Those identified as illegally downloading music and movies
are sent an online warning. The next step is to shut the user
out of the network. "I am guessing we have 400 shutdowns per
year," he notes. Students who are cut off from the network
must bring their computers to the center for scanning. Through
the use of Symantec software, machines are cleaned of spyware
and any potential virus problems that can result from spyware
infiltration.
Such protection is necessary on campus given the continued
popularity of free P2P downloads. Even though the Recording
Industry Association of America has filed lawsuits against
college students and IHEs, campus users continue to download.
Consider the statistics issued by Student Monitor, a research
organization. During the last month of 2004, 29 percent of all
four-year, full-time undergraduate students admitted to
downloading unlicensed music or movies. In general, males are
more likely to download, with 40 percent owning up to the
behavior, compared to 19 percent of females. And 35 percent of
the students surveyed believed "almost everyone" on campus
downloads illegal files and 75 percent are in favor of illegal
file sharing because it is such a common activity.
Monitoring P2P use, and following through on the necessary
cleanup and spyware checks, costs money and takes up staff
time. But it is necessary. As Cooper says, "The music is free,
but the problems aren't." All the more reason to get a policy
in place regarding illegal file sharing and put the correct
network safeguards in place to protect against illegal P2P
activity and inevitable spyware problems.
A handful of colleges and universities, such as
Pennsylvania State University, have subscribed to
legitimate P2P services, such as the revamped Napster. In
Penn's case, all students registered for at least one course
during a semester can use the P2P service. Up until the last
day of spring semester classes, 85 percent of Penn's student
body had signed up for an ID and password and were downloading
an average of 250,000 songs per day, notes Sam Haldeman,
assistant to the associate vice provost. Getting such a volume
of traffic to migrate to the legitimate service is saving
bandwidth on the network, he adds.
Other schools, including Colby-Sawyer College
(N.H.), are relying on the type of detection software that
West Virginia University uses and have similar policies for
shutting out P2P offenders.
Earlier this year, systems management vendor LANDesk added a
spyware detection and removal application. It is a sure bet that many
IT security companies will be promoting spyware protection in
the same way they now focus on virus scans and spam. "Students
can download anything on their own PCs and this introduces
risks," says Dave Taylor, the company's vice president of
Worldwide Marketing. The higher education sector is especially
vulnerable because users are more mobile than corporate
employees. Bringing laptops on and off campus, and plugging
into several networks, adds to the security risks.
"People lose as much as 50 percent of bandwidth to
spyware," notes Taylor, whose higher ed clients include
Tufts University (Mass.) and Baylor University
(Texas).
2. Can the Spam
On a Monday morning in mid-May, Bryan Lucas, server
administrator at Texas Christian University, knew
something had gone wrong over the weekend. The university,
which has an enrollment of 8,500, was pounded with about 2,000
e-mail spam messages--all in German. Worse, the spammers were
able to hijack some of TCU's computers and use them as
"zombies": machines carrying a backdoor that let the spammers
command them to send another 100,000 to 150,000 German spam
e-mails of their own.
While those receiving the messages hadn't a clue what they
said, almost everyone recognized them as spam and called the
university's help desk. "The number of calls swamped us," says
Lucas. "My phone started ringing at 8 a.m.; my CIO met me at
the door."
Luckily for TCU, certain spam and security safeguards were
in place. Otherwise, these spam messages, which may have
carried viruses with them, could have crippled the network,
resulting in a denial of service. One of Lucas' first actions
was to look at Symantec's website to get the latest spam and
e-mail news. After an hour, information was posted on this
latest spam attack. Next came a message from CipherTrust, an
e-mail security company whose IronMail product is used by
TCU. CipherTrust provided an explanation of what was
happening: The messages were known as German political spam,
which luckily did not carry viruses; they did contain German
messages related to the 60th anniversary of the end of World
War II and the Allied bombing of Dresden. Some messages referred to the
bombing as a "mass murder." Many of the e-mails included links
to German political websites. Some used language that was
translated as saying the senders were "against forgetting" the
bombing of Dresden.
CipherTrust supplied remedy code that could be loaded onto
the network to stop the spam attack.
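The bandwidth-based P2P detection Cooper describes in section 1 and the burst of outbound spam that TCU's zombies produced are both per-host anomalies that show up in connection summaries. The following is an added example written for this article, not code from West Virginia University, TCU, or any vendor named here; the records, addresses, thresholds and the allowlisted mail relay are all constructed assumptions.

```python
"""Per-host anomaly checks over connection summaries.

Added example for this article, not code from any campus named in it.
All records below are constructed: RFC 5737 documentation addresses stand
in for outside peers, 10.1.0.0/24 for the campus, and the thresholds are
assumptions to be tuned against a real baseline.
"""
from collections import defaultdict
from statistics import median

SMTP_PORTS = {25, 587}
# Campus mail relays legitimately talk to many outside mail exchangers;
# they are allowlisted so the zombie check does not flag them.
MAIL_RELAYS = {"10.1.0.5"}


def constructed_records():
    """Return (src_ip, dst_ip, dst_port, bytes_out) tuples for one reporting window."""
    recs = []
    # Twenty ordinary hosts: a few web sessions each, roughly 2 MB per host.
    for i in range(1, 21):
        for j in range(3):
            recs.append((f"10.1.0.{i}", f"198.51.100.{j + 1}", 443, 700_000))
    # One suspected P2P host: 60 peers on typical file-sharing ports, ~3 GB out.
    for j in range(60):
        port = 1214 if j % 2 else 6346  # FastTrack / Gnutella defaults (assumption)
        recs.append(("10.1.0.50", f"203.0.113.{j + 1}", port, 50_000_000))
    # One spam zombie: direct-to-MX deliveries to 40 different mail servers.
    for j in range(40):
        recs.append(("10.1.0.77", f"192.0.2.{j + 1}", 25, 3_000))
    # The allowlisted relay does the same thing legitimately.
    for j in range(40):
        recs.append(("10.1.0.5", f"192.0.2.{100 + j}", 25, 3_000))
    return recs


def summarize(records):
    """Aggregate outbound bytes and distinct SMTP peers per source host."""
    bytes_by_host = defaultdict(int)
    smtp_peers = defaultdict(set)
    for src, dst, port, nbytes in records:
        bytes_by_host[src] += nbytes
        if port in SMTP_PORTS:
            smtp_peers[src].add(dst)
    return bytes_by_host, smtp_peers


def find_bandwidth_hogs(bytes_by_host, factor=10):
    """Hosts sending more than `factor` times the median host's volume.

    The median, not the mean, is the baseline: a single 3 GB host would
    drag the mean up enough to hide itself.
    """
    baseline = median(bytes_by_host.values())
    return sorted(h for h, b in bytes_by_host.items() if b > factor * baseline)


def find_spam_zombies(smtp_peers, max_peers=20, relays=MAIL_RELAYS):
    """Non-relay hosts opening SMTP sessions to more than `max_peers` distinct servers."""
    return sorted(h for h, peers in smtp_peers.items()
                  if h not in relays and len(peers) > max_peers)


def report(records):
    """Map each flagged host to the reasons it was flagged, feeding the warn-then-shut-off workflow."""
    bytes_by_host, smtp_peers = summarize(records)
    reasons = defaultdict(list)
    for h in find_bandwidth_hogs(bytes_by_host):
        reasons[h].append("bandwidth")
    for h in find_spam_zombies(smtp_peers):
        reasons[h].append("smtp-fanout")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in report(constructed_records()).items():
        print(host, ", ".join(why))
```

Two design points matter in practice: the bandwidth baseline is the median rather than the mean, so one runaway host cannot mask itself, and the SMTP fan-out check has an explicit allowlist, because the campus relay looks exactly like a zombie to a counter that only sees connection counts. Without that allowlist the first thing the check shuts off is outbound mail.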
Unfortunately, hackers will attack systems through common
applications like e-mail, warns Ken Kleiner, system manager of
the Computer Science Department at the University of
Massachusetts, Lowell. Because mail servers must accept
connections from the outside world, attackers commonly target
flaws in the mail server software itself. Given e-mail's
exposure, and the proliferation of spam, some universities are
considering blocking automatic forwarding to Hotmail, Yahoo,
and other free e-mail accounts.
The high volume of spam moving around the internet will
certainly slow systems down. A reported 15 percent of the
400,000 daily e-mail messages that come into George Mason
University (Va.) carry viruses. That amount of malware
drags on a network's performance.
Adding to the e-mail security problem is the nature of
higher education. "Typically in a university setting, dare I
say, the IT environment can be chaotic," says Tim Griffin,
director of ITS Systems and Networks for Mississippi State
University. There is always a lot of legacy "baggage," he
notes. Where the corporate IT world might replace hardware
every two years, the world of higher ed doesn't have that
luxury. The same is true for software and related
applications. The end result: IHEs hold on to a mix of legacy
e-mail systems that faculty users simply won't part with. Then
again, campus IT directors also serve the early adopters who
will be the first to ask about Google Gmail accounts or other
new applications.
"We have five different e-mail environments here," says
Griffin, who suspects that trying to impose standardization at
MSU would be futile. "To standardize is to imply authority,"
he adds. The higher ed environment rails against limits,
maintaining the ideal of an open exchange of information and
ideas.
Griffin's solution has been to find an e-mail security
product that works with a variety of e-mail clients. All MSU
e-mail runs through Roaring Penguin's anti-spam software. This
particular company bases its software on open-source tools,
says Griffin. "Their spam software sits in front of any
solution, allowing you to have many e-mail packages." And
while network users can opt out of having their e-mail
filtered, they must agree to run all messages through an
anti-virus program.
3. Tighten Network Controls
"Our entire campus is behind a firewall," says UMass's
Kleiner. This firewall acts as a protection to deny unwanted
traffic from having access to the network. For example,
students and faculty using the system can have access to
certain web servers, but they do not have access to the
department's FTP server. "We close all the doors, except a
few," says Kleiner.
His department also relies on Auditor 128, a network
appliance that monitors traffic. "This application scans the
network for vulnerabilities," says Kleiner, and provides
analysis on the fly. The auditor scans e-mail and network
traffic and looks for trouble. "It looks for weaknesses in the
code," says Kleiner. Then the program sends an e-mail
suggesting that he might want to install a software patch for
protection. "Every day we get an update on the latest
vulnerabilities," he concludes.
Nearby, at the University of Connecticut's School of
Business, Nortel and other vendors safeguard the students'
leased laptops and high-speed internet connections in the
school's 14 classrooms and faculty offices. Security systems
further manage student access to network resources, not just
by turning networks on and off, but by allowing professors to
specify which protocols the students can use. Nortel's
Optivity Policy Services controls access to UConn's "Financial
Accelerator" trading floor, a business center that provides
students with real-time brokerage feeds.
"Giving students laptops was a bit of a distraction in
class," says Michael Vertefeuille, director of information
technology for the School of Business. Through network access
controls, professors are able to turn protocols on and off, in
essence controlling what students do in class and protecting
the network from any malware students might inadvertently
download.
At Colby-Sawyer College, the IT administrator is most
concerned with protecting computers from damage done by
students. Anytime they plug their laptops into the network,
whether in their dorm rooms or elsewhere on campus, they
introduce the possibility of downloading malware and spreading
it throughout the network, says Scott Brown, information
security analyst. "I recently saw one computer with more than
5,000 infections on it," he says, adding that oftentimes
service packs will fail to clean up the mess thoroughly
because the infections are so bad. More typically, a student's
computer might have 400 to 500 infections, he says. "Cleaning
up something like this is so time-consuming and the computer
can barely function. It has taken up to three hours to work on
a computer riddled with spyware."
For him the antidote will be mandated security scanning and
access for each computer. Beginning with the 2005 fall
semester, every student and network user will have to agree to
a scan by ESET's NOD32 antivirus before being admitted to the
network. Every computer, and the network port it connects
through, will have to be registered with the college.
4. Install Personal Firewalls
UConn's School of Business has equipped every laptop with a
personal firewall. This is exactly what it sounds like: an
individual firewall for every computer in the school. "We used
to centralize protection," says Vertefeuille, "but we found
that when one machine gets attacked, they all get attacked. We
had to block things at the machine level."
Vertefeuille calls this "edge protection," as opposed to
the traditional "core" approach. "We are able to block viruses
at the end-user's port," he asserts. UConn's School of
Business began going to the "edge" two years ago. Putting
these safeguards in place helped protect the network from the
ILOVEYOU and Nimda viruses. "We tracked specific patterns on
the network and could block the e-mail containing the virus at
the computer port level," he explains.
MSU strongly encourages users to have personal firewalls,
but the school doesn't require that they do so, says Griffin.
His first suggestion is for Microsoft Windows users--which
make up 90 percent of the computer users on campus--to turn on
the personal firewall application built into Windows XP
Service Pack 2. "It is better than using nothing," he
notes.
5. Protect Against Identity Theft
The list of colleges and universities that have experienced
security breaches gets longer by the day.
Academe walks a fine line between fulfilling its mission as
an open institution and safeguarding IT data. This spring,
administrators at Jackson Community College (Mich.)
learned the hard way that it is necessary to err on the side
of caution when it comes to protecting assets. The college
reportedly was almost 90 percent finished with shielding its
network behind a firewall when a hacker was able to access
Social Security numbers housed on one of the computers not yet
protected. The upshot: 8,000 people had to be notified about
the security breach and all IT administrators had to scramble
to issue new network passwords to everyone on campus and
quickly move away from a Social Security-based ID system.
At the University of Toledo (Ohio), IT
administrators have already been granted $15 million to begin
the overhaul of the computer network, including revamping the
ID system to replace Social Security numbers with other codes,
according to media reports. Many other IHEs, including
Texas Southern University, have announced network
changes. This spring, TSU said it will be dropping Social
Security numbers in favor of random ID numbers for its 11,000
students. The university describes the switch as a
"large-scale project" that will take up to 12 months to
complete.
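The switch from Social Security numbers to random ID numbers that Toledo and TSU describe has two parts that are easy to get wrong: the new identifier must carry no information about the person, and any retained link to the SSN must not be a bare hash, because the SSN space is small enough to brute-force. The following is an added example written for this article, not code from Jackson Community College, the University of Toledo, Texas Southern University or any other school; the 9-digit ID format, the in-memory ID table, and the specimen SSN used as input are all assumptions.

```python
"""Replacing Social Security numbers with random campus IDs.

Added example for this article, not code from any school named in it.
Assumptions: a 9-digit ID made of 8 random digits and a Luhn check digit,
an in-memory set standing in for the registrar's ID table, and a sample
SSN (078-05-1120, the well-known specimen number that was never validly
issued) as constructed input.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Set

ID_LENGTH = 9  # digits, including the check digit


def luhn_check_digit(body: str) -> str:
    """Return the digit that makes body + digit pass the Luhn checksum."""
    total = 0
    # Rightmost body digit gets weight 2 (the check digit itself has weight 1).
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_valid_id(cid: str) -> bool:
    """Catch typos on forms and phone calls; validity says nothing about the person."""
    return len(cid) == ID_LENGTH and cid.isdigit() and luhn_check_digit(cid[:-1]) == cid[-1]


def new_campus_id(existing: Set[str]) -> str:
    """Draw an ID from the OS CSPRNG and retry on collision.

    Nothing about the holder goes into the number, so a leaked ID cannot be
    turned back into an SSN, a birth date or an enrollment year.
    """
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(ID_LENGTH - 1))
        cid = body + luhn_check_digit(body)
        if cid not in existing:
            existing.add(cid)
            return cid


def unkeyed_ssn_hash(ssn: str) -> str:
    """The tempting shortcut: store SHA-256(SSN) as the new identifier."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def brute_force_unkeyed(digest: str, known_prefix: str) -> Optional[str]:
    """Recover an SSN from its bare hash.

    Only 10^9 SSNs exist, and the first five digits were historically tied
    to the state and period of issue, so an attacker who guesses them has
    10,000 candidates left. This loop finishes in well under a second.
    """
    for serial in range(10_000):
        candidate = f"{known_prefix}{serial:04d}"
        if unkeyed_ssn_hash(candidate) == digest:
            return candidate
    return None


def keyed_ssn_token(ssn: str, key: bytes) -> str:
    """HMAC with a secret key kept outside the database.

    Use this only as a lookup token for matching legacy records during the
    migration; without the key the brute force above has nothing to test against.
    """
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    ids: Set[str] = set()
    print("new id:", new_campus_id(ids))
    sample = "078051120"  # constructed: the specimen SSN, never validly issued
    print("recovered from bare hash:", brute_force_unkeyed(unkeyed_ssn_hash(sample), "07805"))
    key = secrets.token_bytes(32)
    print("recovered from keyed token:", brute_force_unkeyed(keyed_ssn_token(sample, key), "07805"))
```

The brute-force function is the part worth running: a registrar who "anonymizes" SSNs with a plain hash has not removed them from the database, only encoded them, and the attacker in the Jackson Community College scenario would have been able to read them just the same. The keyed token is only a transitional lookup aid; the random ID is what should end up on cards, rosters and login prompts.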
6. Anticipate the Next Threats
Malware and spyware are the latest buzzwords. But new
threats are coming. Phishing scams, which include urgent spam
messages that plead for consumers to supply bank account
information and credit card numbers in the effort to "verify"
accuracy, are fairly easy to identify. But phishing is getting
more sophisticated as hackers get savvier. New phishing scams
are timed to land early in the billing cycle, so that victims
who give out information will not notice fraudulent charges
until the next bank statement or monthly bill arrives as much
as 30 days later.
There are, no doubt, more layers of complexity that IT
directors will have to be wary of in the months ahead.
According to a survey conducted by Insight Express in March
2005, 56 percent of IT directors are worried about phishing,
yet only 40 percent have protection against phishing e-mail
scams. In addition, 45 percent of those surveyed are concerned
about zombie attacks--the backdoor programs that lie dormant
on an in-house computer until commanded to launch attacks on
other computers and networks. But only 45 percent have
protection against zombies.
According to Educause's Current Issues Survey on IT trends,
IT security and identity management is fast becoming the most
critical issue, surpassing IT funding in its potential
importance.
"Perhaps more important than security breaches is the
fundamental issue of individual computer vulnerability, which
can turn machines into open doors or worse," according to the
Educause survey summary. "Without a comprehensive plan to
protect institution-owned, as well as personally owned,
network-connected computers from malware, there can be no
reasonable level of reassurance."