Good Writer 64 | - ✏ Freelance Writer
Sep 05, 2014 | #1
Introduction
Like most other institutions, universities are not immune to the security vulnerabilities and information compromises that are rampant throughout the world. These universities maintain large accessible networks that harbor enormous amounts of sensitive data pertaining to both students and faculty. Such databases are treasure troves of valuable information for hackers who may seek to leverage this data for their own personal gain or, possibly, steal someone else's identity. Therefore, it is imperative that proper security measures are implemented to ensure that this data is carefully safeguarded. There have been several attempts, both successful and otherwise, to infiltrate the security of university networks, and security staff must remain vigilant in their resistance to such tactics. With a variety of security measures available and many of the tactics employed by hackers known to security firms, university officials can implement programs that keep their data safe from any potential harm.
University Security
Near the end of 2010, three American universities were the victims of network security breaches that left the information of either students, employees, or both vulnerable to hackers. The largest breach at the Ohio State University affected a total of 760,000 people. In this case, the intrusion was caught during a routine security review, meaning that the breach could have gone undetected for months since the last routine inspection, leaving names, addresses and social security numbers vulnerable to exposure (Schaffhauser, 2011). Though the breaches at these institutions seem to have been caught in time to prevent any significant security breach from occurring, if it happened once at these venerable universities, there is no reason to conclude that it could not happen again.
There are two different paths a university can take to provide adequate network security for both staff and students. The first and simplest route is to hire a network security firm to manage all aspects of the network, freeing up university staff for other tasks and eliminating the need for a very large IT department. Iona College in New York opted for this approach when they hired IdentityForce to manage their network security. The company helped the college to set up training programs for their staff to reduce the threat of security breaches, while also ensuring compliance with all federal and state laws. The company also provided identity theft protection for students, faculty and staff (Case Studies, 2012).
There are several advantages to this type of arrangement, including the ability to focus the college workforce on other projects without worrying about security as much. However, the added level of security provided by a third-party contractor comes with a cost. For instance, many universities may opt to employ identity tokens for computers accessing a network, possibly with a USB dongle or a type of software that identifies the computer individually. The cost of implementing such technology for a large network with 10,000 users can run from a low of just over $100,000 to over $1 million (Strong Authentication at a Fraction of the Price, 2012). This type of program does virtually ensure that no unauthorized user can access the network unless a computer or dongle is physically stolen, and even then, if the theft is reported, it can be instantly deactivated, making this a very secure option for many universities.
Many institutions of higher learning may theorize that, since they train the young men and women who will be providing network security for the rest of the world, it only makes sense that they should be able to protect themselves with limited outside influence. For many of these universities, a preferable solution can be provided by purchasing hardware from a security firm and then operating and maintaining it themselves. One such institution that chose this route was John Carroll University of Ohio, which implemented Cisco's Network Admission Control. This system deployed Cisco routers and switches on campus that enforced policy compliance for all users and devices accessing the network and also includes additional firewall security (University Improves Network Security and IT Efficiency, 2009).
This approach comes with its own cost limitations, however. The equipment involved can be quite costly. The university employed two Cisco switches, two wireless access points, and the necessary software to control it all (University Improves Network Security and IT Efficiency, 2009). The total cost of the hardware alone for this type of setup would be well over $100,000, but at least that cost would be limited to the initial purchase of equipment and would not continue long-term (PEPPM Pricelist Template Form, 2012). Of course, a university employing another service to manage their technology would also need to purchase equipment for their network anyway, so this outlay of funds is inevitable. Given that, the idea of purchasing the right equipment for securing the network through a company like Cisco probably makes more sense than hiring an outside company, since current IT employees can be trained to monitor the equipment. Also, this gives the university greater control over their security than they would have with a third party running everything. Maintaining proper training for IT employees will be crucial, however.
Laws and Government Agencies
There are many different regulations that deal both directly and indirectly with cybercrime in the United States on both the federal and local levels. These laws seek to protect individuals and institutional entities from harm that may be caused by those who actively seek to retrieve personal or institutional information from computers without proper authorization. On the federal level the Department of Justice is primarily responsible for investigating and prosecuting computer crimes (The United States Department of Justice, 2012). The DOJ also seeks to protect intellectual property of U.S. citizens and prosecutes those who attempt to steal copyrighted material (The United States Department of Justice, 2012). The DOJ works with other government agencies as well as private sector and academic institutions in order to achieve these ends while the department's lawyers attempt to strengthen the domestic and international legal structure to improve the prosecution of network criminals.
Many laws currently exist at the federal level to combat cybercrime. The main law that is used to capture cybercriminals is the Computer Fraud and Abuse Act, which was originally passed in 1984 and amended in 1994 to include malicious code such as viruses (May, 2004, p.2). While this was sufficient for dealing with those who might distribute malicious programs to access personal computers without authorization, the law had to be amended yet again with the National Information Infrastructure Act of 1996, which made it illegal to view information on a private computer even if there was no commercial gain gleaned from it (May, 2004, p.3). Along with the Electronic Communications Privacy Act of 1986, this law formed the basis of prosecutors' cases against cyber criminals.
There were still loopholes that could be exploited without fear of repercussion, and the Cyber Security Enhancement Act, passed as an amendment to the Homeland Security Act in 2002, sought to curb those. With this law's passage, law enforcement agencies were granted sweeping authority and handed more severe penalties than those that were available earlier. This law compelled Internet Service Providers (ISPs) to hand over personal information about their customers to a government agent if there was any suspicion of wrongdoing (May, 2004, p.6). The need for a warrant to intercept Internet communications was also abolished and harsher sentences for individuals who violated the law were put in place (May, 2004, p.6). The Digital Millennium Copyright Act was enacted in 1998 to help curb the distribution of copyrighted material (May, 2004, p.6). The Economic Espionage Act and National Stolen Property Act have also been used to combat the explosive growth of cybercrime (May, 2004, p.7).
Many states have sought to help bolster federal laws by implementing their own to complement the federal cybercrime programs. In Pennsylvania regional task forces were started to join with federal, state, county and municipal law enforcement agencies to fight everything from fraud to child pornography (Pennsylvania State Police Creates Regional Computer Crime Task Force, 2002). This law allowed local municipalities to benefit from the technology available to the state police and to receive up-to-date training for fighting cybercrime.
Forensic Techniques
Once it has been determined that a network has been compromised, it is imperative that an investigation commence to determine the extent of the damage. This can involve anything from personally examining the computer that was believed to be used in the hacking attack to performing an investigation of suspicious network activity. If the computer in question is under investigators' authority, the process becomes a bit more manageable. In this case, the particular hard drive from that computer becomes the main focus of the investigators' efforts.
A complete digital copy of the original evidence must be made, and only the copy may be used for investigative purposes to avoid damaging the original evidence. The copy of this evidence must then be authenticated to verify it is the same as the original, and the digital copy must then be analyzed. This can be accomplished by ensuring that the crime scene is immediately secured and all available evidence properly documented, restricting all access to the site to only necessary investigators (Craiger, 2003, p.8).
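The copy-then-authenticate step described above, as an added example that is not part of the original essay: the source is hashed while it is copied, the finished copy is re-read and compared, and a documentation record is produced. The file names, the `examiner-placeholder` value and the random stand-in "drive" are constructed for illustration; on real evidence the source would be a device attached through a write blocker.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory use flat on large drives


def sha256_file(path):
    """Hash a file or raw device node in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image):
    """Copy source to image, hashing the bytes as they leave the source."""
    digest = hashlib.sha256()
    # Mode "xb" refuses to overwrite an existing evidence file.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    return digest.hexdigest()


def verify_image(image, acquisition_hash):
    """Re-read the finished copy from disk and compare it with the acquisition hash."""
    return sha256_file(image) == acquisition_hash


def custody_record(source, image, acquisition_hash, examiner):
    """Build the documentation entry that travels with the working copy."""
    return {
        "source": source,
        "image": image,
        "image_size": os.path.getsize(image),
        "sha256": acquisition_hash,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo():
    """Image a constructed stand-in drive, verify it, then show that alteration is caught."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect_drive.bin")  # constructed sample
        image = os.path.join(work, "working_copy.img")
        with open(source, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 517))  # odd size exercises the short final block

        acquisition_hash = acquire_image(source, image)
        intact = verify_image(image, acquisition_hash)
        record = custody_record(source, image, acquisition_hash, "examiner-placeholder")

        # Simulate accidental modification of the working copy: flip one byte.
        with open(image, "r+b") as fh:
            fh.seek(CHUNK + 10)
            original = fh.read(1)
            fh.seek(CHUNK + 10)
            fh.write(bytes([original[0] ^ 0xFF]))
        alteration_detected = not verify_image(image, acquisition_hash)
        source_unchanged = sha256_file(source) == acquisition_hash
    return intact, alteration_detected, source_unchanged, record


if __name__ == "__main__":
    intact, detected, unchanged, record = demo()
    print("copy matches original:", intact)
    print("later alteration detected:", detected)
    print("original still matches acquisition hash:", unchanged)
    print(record)
```

Re-running `verify_image` before each analysis session shows that the working copy still matches what was acquired.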
For computers that cannot be physically examined for criminal activity, more extensive methods of investigation are necessary. In this case, computer logs are a valuable resource for determining where the potentially devastating attacks originated. Whenever a system is accessed, the firewall log should record a copy of the user's IP address and whatever information may have been transferred via File Transfer Protocol. Logs also record email activity and content posted on the Internet, and many other computers along the network keep records of activity as well.
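A log review of the kind described above, as an added example that is not part of the original essay: it totals completed outbound FTP transfers per remote address and keeps only the addresses outside the campus network. It assumes the transfers are logged in the xferlog layout used by common FTP servers and that the campus range is `10.0.0.0/8`; the log lines, user names and file paths are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: the campus address space. Replace with the real internal ranges.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in xferlog layout (addresses are documentation ranges).
SAMPLE_LOG = """\
Thu Nov 11 02:14:07 2010 12 203.0.113.45 48211034 /export/registrar/students.csv b _ o r jdoe ftp 0 * c
Thu Nov 11 02:15:40 2010 3 203.0.113.45 1048576 /export/hr/payroll.zip b _ o r jdoe ftp 0 * c
Thu Nov 11 09:02:11 2010 1 10.20.3.17 2048 /pub/syllabus.pdf b _ o a guest@example.edu ftp 0 * c
Thu Nov 11 09:30:00 2010 2 198.51.100.9 512000 /incoming/upload.bin b _ i r asmith ftp 0 * c
Nov 11 09:31 truncated entry
"""


def parse_xferlog_line(line):
    """Return a dict for one transfer record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 18:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(parts[7])
    except ValueError:
        return None
    return {
        "time": when, "host": parts[6], "bytes": size, "file": parts[8],
        "direction": parts[11],  # o = sent to client, i = received from client
        "user": parts[13], "status": parts[17],  # c = complete, i = incomplete
    }


def is_internal(host):
    """True only for literal IP addresses inside the campus ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # logged as a hostname: treat as external until resolved
    return any(addr in net for net in CAMPUS_NETS)


def external_downloads(log_text):
    """Summarise completed outbound transfers to non-campus hosts.

    Returns (summary, skipped): summary is a list of per-host dicts ordered by
    bytes sent, skipped counts the lines that could not be parsed.
    """
    per_host = defaultdict(lambda: {"bytes": 0, "files": [], "users": set(), "first": None})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_xferlog_line(line)
        if rec is None:
            skipped += 1  # keep a count so damaged log sections are not silently ignored
            continue
        if rec["direction"] != "o" or rec["status"] != "c" or is_internal(rec["host"]):
            continue
        entry = per_host[rec["host"]]
        entry["bytes"] += rec["bytes"]
        entry["files"].append(rec["file"])
        entry["users"].add(rec["user"])
        if entry["first"] is None or rec["time"] < entry["first"]:
            entry["first"] = rec["time"]
    summary = [{"host": h, **e, "users": sorted(e["users"])} for h, e in per_host.items()]
    summary.sort(key=lambda item: item["bytes"], reverse=True)
    return summary, skipped


if __name__ == "__main__":
    hosts, skipped = external_downloads(SAMPLE_LOG)
    for item in hosts:
        print(item["host"], item["bytes"], "bytes", item["files"], item["users"], item["first"])
    print("unparsed lines:", skipped)
```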
In the case of cell phones, historical cell site analysis can provide evidence regarding the whereabouts of a certain individual at a given time. Any completed cell phone calls or sent text messages can be reviewed to show a pattern of movement of the person's cell phone. The geographic locations of cell phones can be found by linking them to the cell phone towers at specific times and trying to map the radio frequency of the phone to that recorded by the tower. These signals can be tracked to determine if a person was in a given area in which a crime may have been committed.
Most of the technology used to glean such information is readily available to IT professionals. The logs will automatically be recorded by the software that has been installed to monitor the network and should only require modest research from the IT professionals. If the computer is available to the investigators, the hard drive can be removed and copied without much incident and would only require rudimentary tools that are readily available to most IT professionals. The hard drive can simply be inserted into another available computer if that is the only option, which would require no significant monetary outlay. For searching cell phone records, either the FBI would need to become involved, or the cell phone service provider would need to be compelled to reveal the necessary information needed to track the phone on the network. With this research technique as with many others, the need for significant expenditures is irrelevant. However, it is important to note that cell phone records should be requested as soon as possible since they may not be available for a very long period of time.
Conclusion
There are many different potential problems facing universities that allow access to their networks. However, there are also many techniques for safeguarding the data that is transmitted along these networks and, should they be attacked anyway, many other techniques and laws available for dealing with such situations. First and foremost, universities must make the necessary investments in network security to ensure that student and staff information is kept as private as possible, and there are several possible ways to accomplish this, some more expensive than others. Should they fail to protect the information, though, they must act quickly to limit the damage that may be done to those who have entrusted their information to the school. Again, there are myriad tools at their disposal for such activity, varying in the degree of difficulty and the price of recovery. Regardless of which method is implemented, however, it is impossible for universities to ignore the threat that cybercrime presents to their systems. Furthermore, the cost of implementing these programs is easily offset by the savings from preventing data loss.
References
Schaffhauser, D. 3 universities knocked by security breaches. Campus Technology.
Case Studies. Identity Force.
Strong Authentication at a Fraction of the Price. Entrust.
University Improves Network Security and IT Efficiency. (2009).
PEPPM Pricelist Template Form. (2012). PEPPM.
The United States Department of Justice. (2012). Computer crime and intellectual property section.
May, M. (2004). Federal computer crime laws. SANS Institute Infosec Reading Room.
Pennsylvania State Police Creates Regional Computer Crime Task Force. (2002). Government Technology.
Craiger, J.P. Computer Forensics Procedures and Methods. Retrieved from: ncfs.org/craiger.forensics.methods.procedures.final.pdf.
Donovan, J. (Ed.). (2011). Obtaining and Admitting Electronic Evidence, 59(6).
