October 27, 2005

Schuster Talks on I.T. Security


Steve Schuster, director of information technology security, spoke yesterday at the Biotechnology Building to a small group of faculty and students about new challenges to Cornell network security. The lecture was part of “Cyber Security Awareness Day,” sponsored by the Office of Information Technologies.

Schuster also revealed that Jonathan Wee ’07 was the winner of Cornell Information Technology’s (CIT) Silver Screen Security Challenge video contest, in which students created and sent in videos about I.T. (Information Technology) security to advance to a national contest.

Schuster spoke about the current state of Cornell network security, stressing increased communication as the way to prevent network security compromises in the future. He was introduced by Polley McClure, vice president of information technology.

“It’s no surprise that the security of I.T. resources is an ever-increasing issue across society in general and at Cornell. Steve takes these issues very seriously,” McClure said.

Schuster started off the lecture showing two videos, one from the University of Virginia and another from George Mason University. Both videos tackled the subject of I.T. security, with the George Mason video taking a serious discussion approach, and the UVA video humorously showcasing small children speaking about large I.T. security violations, asking “How much trouble can you buy with your computer?” Schuster said that these videos reached out to viewers and created essential “user-awareness.”

“It’s fun to look at video clips from other universities. It’s nice to hear that other people have problems too. But on the serious side, videos like these help us convince our managers that security is worth investing in,” he said.

According to Schuster, there were 72 reported serious network compromises nationally in the first half of the year. Over half of these compromises specifically targeted higher education institutions.

He then asked faculty in the room to raise their hand if they had any recent notifiable incidents. Almost all raised their hand.

“It happens here more than any of us care to think,” he said.

Schuster posed several questions to the audience, asking how much analysis would be necessary in case of a compromise, and how to increase awareness of I.T. security issues, such as identity theft.

“I firmly believe that as awareness of security issues grows, we have a growing social obligation to analyze data and prevent compromises,” he said.

Over the rest of his lecture, Schuster addressed new challenges to properly secure I.T. networks, including new accountability laws, when to notify university heads and continuing decentralization in universities.

Schuster said his worst nightmare would be for a security compromise to end up on the front page of The New York Times. With new state laws that require universities to report network compromises to the New York Attorney General, such information would be readily available to the media.

“We have to do everything we can possibly do to make sure compromises do not happen, and if they do, that they do not get out to the public. A little prayer helps too,” he said.

Schuster criticized new laws such as the Gramm-Leach-Bliley Act and the Family Educational Rights and Privacy Act as the government butting in on university privacy.

“I’m not sure [these laws] will have the desired effect – we’ll notify the state, but I feel these laws are detrimental to our freedom to act. However, they might give us more leverage with the University to increase I.T. security,” he said.

Although no higher education institution has yet faced legal trouble due to network compromises, Schuster urged Cornell to prepare a legal defense now.

“It won’t be long before higher ed sees lawsuits. Everyone says it’s coming, and it will happen. It’s better to be overly cautious than to be caught off-guard,” he said.

Schuster also claimed that faculty and student network access needs limits. According to him, about 80 percent of faculty and students don’t need wide-open internet access. He also defended billing students for extended ResNet access, saying it has vastly increased security.

“Bottom line – what data needs protecting? The truth is that most students don’t need access to everything on the internet. I know it’s controversial, but I still think that network billing has been the best thing to happen to network security. People are thinking about [the network],” Schuster said.

Schuster closed his speech talking about Cornell’s Data-Loss Response Team, a CIT team composed of different institutional officers designed to deal with network compromises.

“We now have an infrastructure that is working very, very well. We’re improving the decision process and increasing minimum standards for analysis. Most of all, we have established a more thorough understanding of IT security challenges across the community,” he said.

At the conclusion of the lecture, Schuster revealed Wee as the winner of CIT’s Silver Screen Security Challenge video contest. Wee’s video focused on protecting Windows XP from viruses. Wee used the computer game Warcraft III: The Frozen Throne as an analogy of security, portraying viruses as enemy monsters.

Wee created the winning video in three days.

“It’s pretty cool, I guess … I always liked making home videos … this was the perfect outlet to show off my work,” Wee said.

Wee’s video will be entered in a national security video contest hosted by EDUCAUSE, a non-profit organization whose mission “is to advance higher education by promoting the intelligent use of information technology,” according to their website.

At the end, Schuster opened the floor to questions. Ben Walther ’06 asked Schuster if CIT had considered allowing more students to become involved in I.T. security.

“I love the idea. But if I offered such a program, the question becomes, where do you draw the line? There’s no doubt that students could help us weed out more compromises, but we also can’t have a lot of students poking around in sensitive areas. There has to be a balance,” Schuster said.

Reaction to the lecture was fairly positive.

“I thought it was a solid summary of how CIT takes threats very seriously. I think it’s great that if you ever want something, they will listen to you,” Walther said.

“It seems like a good idea that [CIT] is getting together to organize,” said Matt Kulick ’07.

Three iPod shuffles were raffled off throughout the lecture, and Wee received an iPod nano as a prize.

Archived article by William Cohen
Sun Contributor