Cyber-security requires vigilance

Earlier this summer, Purdue’s computer servers were hacked.

Three former Purdue students are being charged with an assortment of crimes — among them, conspiracy to commit computer tampering and conspiracy to commit burglary — after a collective four years of unabashed grade-changing that elevated two students from straight F’s to nearly straight A’s.

Considering the classified nature of the information these students were tampering with, the apparent ease with which they were able to use their technical know-how to the detriment of the university raised several concerns. What does it take to protect such vital information as grades from ill-willing individuals or groups – what goes into the maintenance and protection of a university’s personal information systems?

Dennis Cromwell, IU Associate Vice President for Enterprise Infrastructure, has been working on these issues for years and stresses that cyber-security is something that requires constant, forceful vigilance.

“Security is an ongoing responsibility and an ongoing issue,” Cromwell said.

He said this is because of the fact that there are many reasons why IU’s servers might come under an attack at any time — as a recent New York Times article notes, aside from the droves of student and employee personal information held by university IT systems, there is also sensitive intellectual property that must be protected.

Andrew Korty, University Information Security Officer for all IU campuses, agreed that threats to the University’s cyber-security are constant and continually adapting, and must be dealt with accordingly.

“Any organization with an Internet presence is combating online crime and malice every day ... Security is always an ongoing process,” he said. “Technologies are always changing, and so are the techniques criminals use to exploit them.”

The University takes pervasive measures to protect against online intruders. Cromwell said the actions taken by University technology authorities to maintain and protect IU’s personal information systems, such as the Central Authentication Service, range from “physical” to “logical” security measures.

Physical security measures involve literal protection of data servers. For example, Cromwell said data servers reside in a data center behind three levels of security.

Logical security measures include things such as firewalls and prevention of certain connections from entering the servers.

Korty added that aside from barriers like those discussed by Cromwell, the University Information Security Office acts as a cyber-sentry, continuously screening for attacks and taking action if anything goes awry.

“At IU, we have automated systems that detect intrusion attempts, and we have teams that take appropriate action if such an attempt appears successful,” he said. “If a breach were to occur, we would contain the damage, determine what was accessed, and notify the affected individuals ... Then we would take a more in-depth look at the weakness that led to the compromise and determine what steps to take.”

Apart from protective measures taken by the University, both Cromwell and Korty stressed the substantial role of individuals in supporting cyber-security.

Individual workstations are far more vulnerable to attack than the system at large and this is particularly true at universities where thousands of students and faculty are logging onto systems such as CAS every day, according to the New York Times article.

“The security of individuals’ computers is a key factor,” Korty noted. “In fact, generally speaking, personal computers tend not to be as well-maintained as servers and are more frequent targets for attack.”

Cromwell referred to this as “the human side of security” – individuals need to be as vigilant in protecting their computers as the university is vigilant in protecting the entire system.