Insecure and Unaware
The Chronicle of Higher Education has a story (available for another 5 days or so) on computer security at the nation’s universities, which concludes that security lapses are common. Here are some choice quotes:
“What I’ve seen is a top-to-bottom lack of awareness of issues related to security,” says Eugene H. Spafford, a computer-science professor who is executive director of the Center for Education and Research in Information Assurance and Security, at Purdue University at West Lafayette. Too many students, he says, don’t know that they need to fix computer holes and use antivirus software, and that some of their activities — particularly downloading copyrighted music without paying for it — are illegal.
“You have faculty who believe that because it’s their machine and because of academic freedom they should be able to do whatever they want,” he says. “And you have administrators who don’t understand the risk or the need to invest in appropriate technology and set policy appropriately.”
Indeed, E. Eugene Schultz, a principal engineer at the Lawrence Berkeley National Laboratory who is editor in chief of the journal Computers & Security, says universities are “among the least secure places in the universe, as far as computing goes.”
Some of the problems identified in campus security audits are:
Colleges are not doing enough to encourage students and other campus users to protect their campus accounts. Passwords are not changed periodically, are too short, or are not always required for employees to gain access to confidential information. Many colleges have not created disaster-recovery plans so that crucial information can be saved if a campus is leveled by a hurricane, terrorist attack, or other catastrophe. College officials are often slow to terminate or revise employees’ computer access after they leave. Such delays increase the chance that a disgruntled worker can sabotage the network. Because colleges are not performing risk assessments of their networks, officials don’t know where to concentrate resources to protect networks and data.
Here’s the full article.