Stan Gatewood, UGA’s chief information security officer, is new to campus this year. He discussed with Columns the range of computer security concerns.
Columns: What can you tell us now about the break-in to the UGA server in January?
Gatewood: I can’t get too specific because the investigation is ongoing - the Federal Bureau of Investigation as well as the Georgia Bureau of Investigation have asked us not to go into too much detail. But I can say that on or about the 17th or 18th of January, we were notified by an agency that a machine in our domain seemed to be scanning their machines.
It was true - a box containing admissions information was scanning the world. That means that box is out of control - because we don’t, as an institution, scan other boxes outside of the uga.edu domain. So we pulled the box off the wire.
Columns: I’ve heard this was not a result of poor management in the office that ran the server.
Gatewood: Right. The box was a typical box - there was nothing strange about its configuration, hardware or software, its security patches were up to date; and it is as close to minimally secure as anyone is going to get. They did everything that could be done.
Columns: So what can be done to prevent such break-ins?
Gatewood: What we need to do is lower the risk to an acceptable level. Because there is going to be risk when you put a machine on a network - people are going to attack it, from within and from without. Look at the numbers. You have in excess of 310 million users on the Internet, and somewhere in the neighborhood of 40,000 overall in the UGA community.
So what we’re going to have to do is move to a different level with our security. We’re going to have to insist that you use anti-virus protection, insist that you use a firewall, and intrusion detection, and application protection. Our systems and network administrators must have some understanding of security awareness training and education, some minimal training. That’s something that my office will do - give these folks training around campus.
Columns: So EITS will require a certain level of protection of every machine connected to the network?
Gatewood: But not just EITS - it needs to come from the top management. They need to say that, in order to connect to the network, you must meet these minimum security requirements - anti-virus, intrusion detection, firewalling, application protection, user name and password, encryption if necessary. That will give us layers of defense.
Does that imply there are other layers of defense? Yes. We have a perimeter, we have a wire called the network, we have a machine that connects to the network, on that machine we have data. We will at every one of those layers have protection. Information Security will take care of that.
We do want to make it transparent to the user - they shouldn’t have to remember 10 more passwords, or understand cryptography, or turn something on, or study their logs.
Columns: Can you give me an example of the kinds of security that are in place?
Gatewood: For instance, on our perimeter we have an intrusion-detection engine that is capable of looking at every single packet that comes into this university. We have anti-virus running around the wire. We scan the boxes on the perimeter looking for vulnerabilities. We scan the wire continuously, 24 hours a day, 7 days a week.
On the host itself: intrusion detection, anti-virus, firewalling, and application protection.
And then, behind the box, the wildest of wild cards in the equation: people. People need to be trained. You do not share passwords with somebody. If your machine is acting a little strange, you need to go to your security contact within your unit and say so.
What I do need to do is raise the awareness: we’re living in a networked environment, our enterprise at UGA is a global enterprise, and there’s but one network in the entire world, and that’s the Internet. That means that anybody in the entire world can get at you from wherever they may be just by going through a browser - www.uga.edu is publicly accessible.
It is not the World Wide Web - www is the Wild Wild West. And there’s no sheriff in town. There’s nobody actually in charge of the Internet - you can be what you want to be, you can go anywhere you want to go.
Columns: The average user has a hard time taking the threat seriously because most of us have no idea how you would break in to somebody’s computer.
Gatewood: But after you become a victim, it’s too late. For six years I’ve been trying to help some people I worked with in California who are trying to get their identity back and to clear up the fraud that had taken place because they were banking online and leaving their machine wide open.
Columns: What’s going to happen to the Internet? Is it just going to get worse and worse?
Gatewood: Yes. The bad news is it will get worse and worse and worse. The good news is it will proliferate, and everybody will get a chance to get on the Internet and enjoy all of its riches.
There’s a price for intuitiveness, for speed, for being connected 24 hours a day 7 days a week forever. There’s a price for having no boundaries, no borders - and that price is it will continue to get out of control.
Columns: That lack of control must be frustrating to you.
Gatewood: But we are a higher education institution. The free flow of information and exchange of ideas is what we’re all about.