In conjunction with the Committee on Communications proposal for a Disconnect Policy for computers [here], Penn's Information Security Officer recommends steps to prevent such disconnects. Risky Businessby David R. Millar Imagine sharing your home with total strangers. The front door is always ajar and you always leave a light on. Nothing valuable has been stolen yet and the damage has been minimal, but you have begun to wonder what happens when you are away. Your neighbors have stopped talking to you. Purchasing and installing a powerful computing workstation or server with no regard for security is not too much different. If intruders discover your system, then sensitive data are at risk of disclosure, alteration or destruction. Seventy computer break-ins were reported at Penn in 1998. Our systems are scanned almost continuously with automated scripts probing for weaknesses. Once, a system was hacked the day after going on the network. When someone breaks into your computer they frequently use it to try to attack other systems, often those of your peers right here at Penn. They might attempt more break-ins or they might simply try to crash other computers and networks. Sometimes they use your disk space to store illegal pirated software. The recovery effort can take several days, costing thousands of dollars of staff time, and possibly leaving you without e-mail or access to critical data. Under the proposed Disconnect Policy, your computer could be disconnected from PennNet if it has been compromised and poses a significant threat. Many break-ins could have been prevented if someone were managing the system. Vendors often ship new computers with weak security, and nearly every month new weaknesses are discovered in the most popular operating systems like UNIX and Windows NT. Part of the system administrator's job is to first secure the system before putting it on the network, and to apply the necessary security fixes. The trouble is that if the system has been carelessly managed, or worse, not managed at all, then it gets hacked. Recommendations
Send security requests and questions to security@isc.upenn.edu. Good systems administration will not stop all computer break-ins. When simple passwords are used for authentication without being encrypted, they are vulnerable to snooping. Stronger authentication methods, firewalls and intrusion detection can reduce risks. But establishing formal system administration is an important first step to reducing risk. Almanac, Vol. 45, No. 29, April 20, 1999 |