In conjunction with the Committee on Communications proposal for a Disconnect Policy for computers [here], Penn's Information Security Officer recommends steps to prevent such disconnects.

Risky Business

by David R. Millar

Imagine sharing your home with total strangers.

The front door is always ajar and you always leave a light on. Nothing valuable has been stolen yet and the damage has been minimal, but you have begun to wonder what happens when you are away. Your neighbors have stopped talking to you.

Purchasing and installing a powerful computing workstation or server with no regard for security is not too much different. If intruders discover your system, then sensitive data are at risk of disclosure, alteration or destruction.

Seventy computer break-ins were reported at Penn in 1998. Our systems are scanned almost continuously with automated scripts probing for weaknesses. Once, a system was hacked the day after going on the network.

When someone breaks into your computer they frequently use it to try to attack other systems, often those of your peers right here at Penn. They might attempt more break-ins or they might simply try to crash other computers and networks. Sometimes they use your disk space to store illegal pirated software.

The recovery effort can take several days, costing thousands of dollars of staff time, and possibly leaving you without e-mail or access to critical data. Under the proposed Disconnect Policy, your computer could be disconnected from PennNet if it has been compromised and poses a significant threat.

Many break-ins could have been prevented if someone were managing the system. Vendors often ship new computers with weak security, and nearly every month new weaknesses are discovered in the most popular operating systems like UNIX and Windows NT. Part of the system administrator's job is to first secure the system before putting it on the network, and to apply the necessary security fixes. The trouble is that if the system has been carelessly managed, or worse, not managed at all, then it gets hacked.

Recommendations

  • Contact your local support provider or ISC for advice on selecting and configuring a secure system.
  • Make arrangements through your local support provider for a qualified system administrator to manage security.
  • Apply the latest security patches.
  • Contact ISC for free UNIX and NT security training beginning Summer, 1999.
  • Request that ISC scan your system for vulnerabilities.
  • Subscribe to one of ISC's security e-mail lists to monitor computer security incidents on campus. ISC moderates lists for Unix security (UUGP) and NT Security (NTSP).

Send security requests and questions to security@isc.upenn.edu.

Good systems administration will not stop all computer break-ins. When simple passwords are used for authentication without being encrypted, they are vulnerable to snooping. Stronger authentication methods, firewalls and intrusion detection can reduce risks. But establishing formal system administration is an important first step to reducing risk.


Almanac, Vol. 45, No. 29, April 20, 1999

 FRONT PAGE | CONTENTS | JOB-OPS | CRIMESTATS | OF RECORD: Campus Safety and Security: A Shared Responsibility | TALK ABOUT TEACHING | BETWEEN ISSUES | APRIL at PENN