seeks to raise shields on computers
computers can be a target.
being hacked all the time, said Shirley Payne, director
of Security Coordination, Office of Information Technologies.
Its an everyday event.
said hackers from around the world are interested in universities
because they have powerful computers and open systems that are
hard to close down. She said while U.Va. is not in worse condition
than other universities, new policies have been put into place
to govern computer security for any machine connected to the Universitys
network. She said this includes home computers used to access
information from U.Va.s network.
they are connected, if they dial in, anyone who is attached to
the network has to be aware, Payne said. If there
is a group of visiting scholars here with computers connected
to the network they would have to comply with the regulations.
regulations include an array of suggestions for both personal
computer and network users, including improved password control,
limiting access and backing up files.
also target universities because they can use a schools
large computer system to launch attacks against commercial sites.
In February 2000, there was a wave of distributed denial of service
attacks on Yahoo Inc., eBay, Buy.com, Amazon.com, eTrade and CNN,
in which millions of packets of information from around the globe
flooded into the sites and shut them down. The attacks were traced
to computers in several universities, including James Madison,
Stanford, University of California at Santa Barbara, Oregon State
and the University of Washington.
computers also carry sensitive information, such as patient and
student records, credit card data and research findings.
60 percent of hacking comes from within the system, according
to Payne. She said disgruntled employees or experimenting students
can cause damage or create mischief. Some hackers are just playing
and may not be aware of the damage they are causing, she noted.
said there should be security alarms on the Universitys
systems so that the machines will react if they are probed or
penetrated by an unauthorized user, but she also admitted that
there may have been times when the system was compromised without
said that at times the Federal Bureau of Investigation has notified
the University about stolen data it has uncovered.
Schupp, director of risk management for the University, said there
is insurance coverage for many incidents where a dollar loss can
be calculated. He said this would include replacement cost for
damaged computers, time and labor expense in re-entering data
and if there were a measurable loss of sales in the bookstore
or other sales points at the University. He said, however, that
grey areas may not be covered, such as the loss of research findings
and time lost not being able to access the Internet.
have to look at it on a case by case basis, Schupp said.
Payne said individual computer users need to be vigilant to prevent
incursions. Among the recommendations in the new computer security
Use strong password protection - some exploits are thwarted if
the attacker cannot guess the computers log-on password.
Computer users should learn what constitutes a good password,
establish ones they can remember and change passwords if they
have reason to believe they have been compromised.
Limit access - The file sharing capability of computers should
be enabled only if it is essential that others be able to access
files on it. Also, the machine should be physically secured, such
as locking an office door, to prevent unauthorized access.
Keep files from unknown sources off the computer - Accepting files
from others by opening attachments, downloading files from Web
pages or other means can be risky. Judgment as to the reliability
of the source should be made before loading any document onto
Backup files - A backup of the entire system should be created
periodically. Backups of critical data files should be made as
they are updated.
Use up-to-date anti-virus software - Anti-virus software should
be installed on computers if it is not there already. The feature
to allow the software to run continuously on the devices should
be turned on, so that it can constantly protect from attack. Also,
an automated schedule for updating the anti-virus software should
be established to keep it aware of new virus types.
Keep the computers operating system updated - The Web site
of the operating system software vendor should be checked regularly
for the availability of new software updates. Updates correcting
security-related defects should be downloaded and applied.
Keep the machines application software updated - Web browsers,
word processors and other application software present some risks
of exposure. Software manufacturers regularly provide updates
to their software. Updates that correct security-related defects
should be downloaded and applied.
Turn off or delete unneeded software features - The more software
products there are on a computer, the more opportunity there is
for exposure. Products that are not used should be removed. Also,
products often include features that can be turned off or on.
The product manuals should include information about such features.
Regularly request a security vulnerability scan report - ITC provides
a free service to scan computer devices for known security vulnerabilities
and produce a report for the user. s
more complete information on the Universitys new computing
security policy, consult http://www.itc.virginia.edu/security/policyguide.html.