OIT ramps up security success



Stephen Colbert once said, “I’ve never trusted the web. How do you hold it personally responsible? Can you put a distributed network of fiber-optic cable on notice? In other words, can I challenge it to a fight?”

He makes a good point: how can we trust the web? Network security on a scale as massive as Tech’s is a huge target for digital evil-doers, and the only two things standing in their way is students’ personal security measures and Tech’s Office of Information Technology (OIT).

“We have gone from ‘every man for himself’ to ‘we’re all going to do our part’ to better enable security,” said Herb Baines, director of OIT Information Security, said, “This is not only to protect ourselves, but to protect the rest of the Institute and to help new students become aware of this culture of having shared responsibility.”

Tech’s security plan is not a strictly regimented, centralized bureaucracy; rather, each department decides how their IT should be geared to meet their particular mission. However, with that flexibility there are incurred risks, so OIT balances the needs of each department with the need to protect the information.

Student information and their personal security measures are the most important areas, as protection of it is legally mandated and access to a single student’s information is a serious weakness in overall student security.

“Maintaining [students’] own individual laptops so that it’s not infected and spreading viruses around campus and protecting yourself on social networks is the most serious area of concern,” Baines said.

While phishing and scams are the more obvious consequences of a public dossier via Facebook, personal information is also often scrutinized by employers. A recent survey by the major employment website CareerBuilder showed that 45% of employers screen job candidates on social networking sites.

The genuine risk to the students’ machines is malware like viruses, botnets and phishing sites, most often brought on by carelessness or poor personal security.

“Protecting the laptops that students bring is a sore spot,” said Victoria Anderson, associate director of OIT Information Security, said, “But we do offer free antivirus and anti-spyware software on our website. If they do get a virus, they can come to our technology support center, and we will clean the virus off the hardware and help recover affected information.”

On another level, simple habits or extensions to programs most students already use are often more helpful than entire AV programs. William Flint, first-year ME major, changes passwords often, uses the Firefox extension Adblock, scans his machine weekly and has an external hard drive.

“I don’t give out any information that isn’t critical, and I don’t fall for phishing schemes or download things that are blatantly viruses,” Flint said, “I also keep an active Linux partition in case my Windows does get compromised, so at the very least I can recover documents.”

OIT would very much like student feedback about what data and machine protection should be provided. Anderson believes that students likely have some simple solutions that could be implemented within a day, but it takes someone to actually come forward to bridge the gap between students and a department like OIT.

With all the necessities of protecting student data, OIT requires advanced technology to hold the line against intruders. Though this tech can—and most often defaults to — monitor internet activity by users like accessing certain sites or illegally downloading music, OIT makes a concerted effort to not engage this capability.

“We do not monitor anyone for any reason,” Baines said, “Georgia Tech is not in the business of policing behavior. The only time we may monitor activity is if we get a legal requirement to do so or if there is any reported misuse.”

In fact there have been several employees fired for fraud, discovered by legal requests; however, no student has ever been monitored or seriously implicated in illegal internet activity.

While students must act themselves to protect their personal data, OIT must ensure protection of students’ school data, like financial aid information and grades. Since 2001, average attacks per week has been in the millions — mostly on student data — with over 150 million attacks weekly in 2008. However, the number of incidents per year — where security had failed on either technical or personal behalf – has dropped drastically. In 2001, a basic intrusion detection strategy saw 5500 incidents on Tech’s network; but, after deploying firewalls, risk management seminars, free AV software and other measures, the number had dropped to 118 incidents in 2008.