May 4-10, 2001

University seeks to raise shields on computers

By Matt Kelly

University computers can be a target.

“We’re being hacked all the time,” said Shirley Payne, director of Security Coordination, Office of Information Technologies. “It’s an everyday event.”

Payne said hackers from around the world are interested in universities because they have powerful computers and open systems that are hard to close down. She said while U.Va. is not in worse condition than other universities, new policies have been put into place to govern computer security for any machine connected to the University’s network. She said this includes home computers used to access information from U.Va.’s network.

“If they are connected, if they dial in, anyone who is attached to the network has to be aware,” Payne said. “If there is a group of visiting scholars here with computers connected to the network they would have to comply with the regulations.”

The regulations include an array of suggestions for both personal computer and network users, including improved password control, limiting access and backing up files.

Hackers also target universities because they can use a school’s large computer system to launch attacks against commercial sites. In February 2000, there was a wave of distributed denial of service attacks on Yahoo Inc., eBay, eTrade and CNN, in which millions of packets of information from around the globe flooded into the sites and shut them down. The attacks were traced to computers in several universities, including James Madison, Stanford, University of California at Santa Barbara, Oregon State and the University of Washington.

University computers also carry sensitive information, such as patient and student records, credit card data and research findings.

Approximately 60 percent of hacking comes from within the system, according to Payne. She said disgruntled employees or experimenting students can cause damage or create mischief. Some hackers are just playing and may not be aware of the damage they are causing, she noted.

Payne said there should be security alarms on the University’s systems so that the machines will react if they are probed or penetrated by an unauthorized user, but she also admitted that there may have been times when the system was compromised without being detected.

Payne said that at times the Federal Bureau of Investigation has notified the University about stolen data it has uncovered.

Richard Schupp, director of risk management for the University, said there is insurance coverage for many incidents where a dollar loss can be calculated. He said this would include replacement cost for damaged computers, time and labor expense in re-entering data, and any measurable loss of sales in the bookstore or other sales points at the University. He said, however, that grey areas may not be covered, such as the loss of research findings and time lost when the Internet cannot be accessed.

“We have to look at it on a case by case basis,” Schupp said.

Payne said individual computer users need to be vigilant to prevent incursions. Among the recommendations in the new computer security policy are:

• Use strong password protection - some exploits are thwarted if the attacker cannot guess the computer’s log-on password. Computer users should learn what constitutes a good password, establish ones they can remember and change passwords if they have reason to believe they have been compromised.

• Limit access - The file sharing capability of computers should be enabled only if it is essential that others be able to access files on it. Also, the machine should be physically secured, such as locking an office door, to prevent unauthorized access.

• Keep files from unknown sources off the computer - Accepting files from others by opening attachments, downloading files from Web pages or other means can be risky. Judgment as to the reliability of the source should be made before loading any document onto a computer.

• Back up files - A backup of the entire system should be created periodically. Backups of critical data files should be made as they are updated.

• Use up-to-date anti-virus software - Anti-virus software should be installed on computers if it is not there already. The feature to allow the software to run continuously on the devices should be turned on, so that it can constantly protect from attack. Also, an automated schedule for updating the anti-virus software should be established to keep it “aware” of new virus types.

• Keep the computer’s operating system updated - The Web site of the operating system software vendor should be checked regularly for the availability of new software updates. Updates correcting security-related defects should be downloaded and applied.

• Keep the machine’s application software updated - Web browsers, word processors and other application software present some risks of exposure. Software manufacturers regularly provide updates to their software. Updates that correct security-related defects should be downloaded and applied.

• Turn off or delete unneeded software features - The more software products there are on a computer, the more opportunity there is for exposure. Products that are not used should be removed. Also, products often include features that can be turned off or on. The product manuals should include information about such features.

• Regularly request a security vulnerability scan report - ITC provides a free service to scan computer devices for known security vulnerabilities and produce a report for the user.

For more complete information on the University’s new computing security policy, consult


© Copyright 2001 by the Rector and Visitors
of the University of Virginia
