Skip to Content, Navigation, or Footer.
Sunday, Nov. 24
The Indiana Daily Student

UITS takes steps to increase security

More than 2,500 students had their names and Social Security numbers downloaded from the Office of the Bursar by an unknown international source in February. In light of the security breach, the board of trustees passed a resolution during their meeting two weeks ago to increase the security of IU's computing system.\nUniversity IT policy officer Mark Bruhn, who is responsible for the University's technological security, said University Information Technology Services' policymakers have a plan for increasing security across the University. This includes a vulnerability scanning service, an advisory subscription service and an increase in security seminars.\n"Almost every computer system has the potential of being a security problem," Bruhn said. "The issue is that there's approximately 55,000 networked systems. We need to get information to all people associated with those systems at some level. We must educate everyone at some level, and technicians at a higher level."\nTechnicians can use the vulnerability scanning service to scan their own system for vulnerabilities before someone on the Internet can do it. If a vulnerability exists, the technicians will then be able to fix it themselves before someone on the Internet discovers it.\nThis service has been provided for a couple of years, but UITS is working to increase the capabilities of the vulnerability scanning service, Bruhn said. UITS is working with individual departments to make it part of their specific routine.\nAccording to Bruhn, in the past three years, 55,000 scans have been made by 82 distinct departments.\n"We need to increase that to many, many more departments," Bruhn said.\nAdvisory subscription services can check the security of a computer system, but this service is intended for use by any computer and any user working from the IU network, according to Bruhn. The user simply needs to access the advisory subscription service Web site, subscribe to advisories and follow the instructions.\nThe third thing UITS plans to do in order to increase overall system security is education. Bruhn said he hopes there will be an increase in service training programs. He said UITS classes and human resource seminars need to focus more on security and technology information.\nBruhn said he feels each University department must work with UITS to help increase technological security. He said while security lapses will always exist, the goal of UITS is to minimize the number of opportunities for security to be breached.\n"One can presume if a technician is diligent in scanning his or her own systems, other intruders' opportunities will be minimized," Bruhn said. "We won't eliminate vulnerability. We should be able to minimize the opportunities for others on the Internet to exploit the vulnerabilities on those systems."\nBursar Susan Cote, whose office's information was stolen in the initial hack, feels the new policies will help increase the overall security of the University's technology.\n"We know that some vulnerability may exist (across the campus)," Cote said. "The more guidelines for training, resources and scans, the more secure the department as a whole will be."\nFollowing the breach, UITS made several security recommendations to the Office of the Bursar. According to Cote, "all of those recommendations were put into place."\nDespite the University's attempt to beef up security, some feel they are not addressing the real concern behind the initial hack.\nDoctoral candidate Kurt Richter, whose information was stolen from the Bursar's system, has been an outspoken critic of the University since the hack. He said while the University has in general done a good job of both security and increasing security, they are not addressing the root of the problem.\n"One of the things they're not doing is the idea of changing the Social Security numbers as a means of identification at the University," Richter said. "They've missed the point of that last breach."\nRichter suggested the University use a random digit in place of the Social Security number as a student identification number, and that the two numbers be correlated, for purposes of reporting to the government, through an Intranet, not Internet, based computer.\n"It's untenable that a student should have to give a Social Security number to loan out a badminton racket," Richter said. "It's a callous disregard of the purpose of the Social Security number."\nDespite criticism, Bruhn feels the University is moving in the right direction in regard to technological security. He hopes to look for opportunities where a large number of people might gather to talk "not just about information security but also technological security."\n"There are many departments that pay very good attention to security," Bruhn said. "Some need help in that area; they don't have technical expertise, they don't have the staff"

Get stories like this in your inbox
Subscribe