Archive

Posts Tagged ‘academia’

Security Breaches in Academia

March 9th, 2009 admin

Jayson Street tweeted a link to a Computer World article about the recent rash of security breaches in the academic environment. (Aside: follow Jayson, as he will soon be releasing a book called F0rb1dd3n that looks awesome!) There are a few interesting tidbits in this article, and it is definitely worth the read if you work in academia.

I think the author might be too bold in saying that breaches occur more often during the last few weeks of the semester because students are under duress. I think pretty much everyone is under some sort of duress during these important final weeks of the semester: from the faculty designing finals and grading, to the staff having to put up with the faculty, to the IT staff having to make sure everything is working. Perhaps it is people trying to take shortcuts (such as taking PII home on their laptop, which then gets stolen) to get work done quickly in situations where time is limited, but I think you can hardly pin it just on the students.

Computer World also talks with the author of “Breaches in the Academia Sector”, John Correlli, who adds the spot-on statement that “Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn’t a priority until it’s a problem.” When is it considered a problem? When you (being the college, unit, or dean) need to spend money to notify victims of a breach? When you suffer embarrassment due to a breach? I think the ‘it can’t happen to us’ way of thinking no longer applies, as breaches have struck all areas of academia. So why not take the steps to be proactive beforehand so you don’t have to pay for notifications or suffer the embarrassment? Simple: people hate, fear, and resist change. Unfortunately, the open environment of academia hinders change and is typically used as an excuse to resist it.

John also says that academia is prone to these threats due to “A customer user population that is relatively low paid, lives “on site” and experiences high turnover.” I agree with this, and not only in the customer user space but in the IT staff space. Typically, lower-end IT support/sysadmin jobs are stepping stones for people to move on to better positions, and they are typically on the lower end of the pay scale. Although I don’t have any numbers (but would love to find some) on the pay differences between academia and business, I would say that academia IT is on the lower end of the pay scale compared to the same position in the commercial sector. Then a new person has to come in, make heads or tails of what the last person did (You mean every IT person does not document what they did?!?), and go on with their everyday job. So then it comes down to this: how do you keep talented young IT staff who can go work somewhere else for plenty more money, and most times much less grief?

So, the million-dollar question is: how do we secure data and promote the open environment of academia? I think Michael Santarcangelo has some great ideas in his book ‘Into the Breach’, such as holding people accountable for their actions and engaging the people whose data you are trying to protect. Would love to hear how other people are doing it.


Removing Administrator Rights

February 6th, 2009 admin

An interesting whitepaper was released by BeyondTrust (found via TaoSecurity) entitled “Reducing the Threat from Microsoft Vulnerabilities” (PDF). Here are some of the key findings from the study:

  • 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights.
  • By removing administrator rights, companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities.
  • 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights.
  • Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights.

If those stats don’t make you want to take away administrator rights from your users, I don’t know what will. Coming from a scientific background, I love to see statistics, numbers, and facts. In the past, when discussing admin rights with users, I used an eWeek article entitled “Is System Lockdown the Secret Weapon” to drive home my point. In short, they visited some nefarious websites using three separate computers: one with Administrator rights, one with Power User rights, and one with User rights. They then ran a malware/spyware scan afterwards and found that the computers with Administrator and Power User rights had 19 threats and over 2000 registry keys installed. The computer with User rights had a single threat, and that was in the browser cache. A single threat, people!

In academia, removal of admin rights has been met with much resistance (by both faculty/staff and IT staff).  We have been making it work in our area by doing the following:

  1. Working with the faculty and staff to find out their computing needs, and assuring them that they will continue to function in the same capacity they did with Admin rights.
  2. Knowing that applications will need to be installed, being very prompt when these requests arise to limit possible downtime.
  3. Developing practices for our “road warriors” that keep them safe but allow for emergency admin rights if necessary.
  4. Setting an example by having IT staff run as users when we are not performing tasks that require administrative rights, and elevating our rights only when necessary.

Following these steps, over 95% of our faculty/staff perform their jobs without admin rights. It is getting to the point where this is going to have to be the reality in academia. Free and open education can exist with user rights, and many places around the University (including us) have proven that it works. The sad part is that I hardly ever hear it mentioned when explaining to faculty and staff why we are removing rights.
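As an added illustration of step 4 and of verifying that rights really have been removed (this is example code written for this page, not something from the original post or from BeyondTrust, and it postdates the post), the PowerShell script below checks whether the current session is actually elevated, lists members of the local Administrators group that are not on an allow-list, and can remove them with -WhatIf/-Confirm support. It assumes a Windows 10 / Server 2016 or later host with the Microsoft.PowerShell.LocalAccounts module; the account and group names in $AllowedAdmins are placeholders.

```powershell
# Added example, not part of the original post. Audits the local Administrators
# group on a Windows workstation and reports (or removes) members that are not
# on an allow-list, so a standard-user policy can be verified rather than assumed.
# Assumes Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts
# module, which provides Get-LocalGroupMember and Remove-LocalGroupMember).

# Principals allowed to keep local admin rights. These names are placeholders
# for illustration; replace them with your own IT and break-glass accounts.
$AllowedAdmins = @(
    'Administrator',                 # built-in account, kept for emergency use
    'CONTOSO\IT-Workstation-Admins'  # assumed domain group for IT staff
)

function Test-IsElevated {
    # Step 4 of the post: work as a standard user and elevate only when a task
    # needs it. Returns $true only when the current token is elevated; a member
    # of Administrators running under a UAC-filtered token still gets $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)
    # Get-LocalGroupMember returns names as 'MACHINE\user' or 'DOMAIN\user';
    # accept a match on either the full name or the bare account name.
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $bare = ($_.Name -split '\\')[-1]
        ($Allowed -notcontains $_.Name) -and ($Allowed -notcontains $bare)
    }
}

function Remove-UnexpectedLocalAdmins {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm, so the
    # removal can be rehearsed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    if (-not (Test-IsElevated)) {
        throw 'Changing group membership needs an elevated session; re-run with elevation.'
    }
    foreach ($member in Get-UnexpectedLocalAdmins) {
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
            Write-Output "Removed $($member.Name) ($($member.PrincipalSource)) from Administrators"
        }
    }
}

# Usage: audit first, then rehearse, then apply.
"Elevated session: $(Test-IsElevated)"
Get-UnexpectedLocalAdmins | Format-Table Name, ObjectClass, PrincipalSource
# Remove-UnexpectedLocalAdmins -WhatIf
# Remove-UnexpectedLocalAdmins
```

The audit call runs fine from a standard-user session, which is the point: you can check a machine without elevating. Only the removal insists on an elevated token, and because ConfirmImpact is High it prompts for each account unless you pass -Confirm:$false. Running the audit on a schedule across the fleet is how you turn "95% of staff run without admin rights" from an estimate into a number you can actually report.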