November 12, 2002

Network security breaches jump

The number of illegal actions on campus computers has increased at an astronomical rate over the past three years. According to Networking Services and Information Technology (NSIT), the number of security reports — from vulnerability scans, hacked machines, copyright violations, and harassment — increased 186 percent in the past year, and over 394 percent during the 2000-2001 academic year.

"An estimated 10 to 30 percent of machines on campus were or may have been compromised over the last year," according to an e-mail sent by Bob Bartlett, director of Enterprise Network Servers & Security at NSIT.

The NSIT security team's incident load has risen 800 percent in the past two years but the staff hasn't.

"The personnel of the Network Security Center are working enormous hours to deal with this flood of incidents," Bartlett said. "It is difficult to develop proactive measures when a person is working 60-70 hours a week just responding to incidents."

Gregory Jackson, vice president and chief information officer for the University, would like to increase the size of the security team, but they have to figure out what it would cost before they can attempt it. Current University spending on information technology is about $75 million, while NSIT expenditures total around $60 million annually.

This year, 94 percent of compromised machines used a Windows operating system, yet only 55 percent of computers linked to the campus network run Windows.

"The sophistication and availability of automated attacks, particularly but not exclusively against [Windows], is the driving force behind the increase in the number of vulnerability scans and the number of machines compromised," Bartlett said. Even a quick Internet search brings up a number of tools that can be used to exploit network vulnerabilities.

"Older operating systems really weren't designed to be used on open Internet connections, and therefore can't be defended adequately against being taken over," Jackson said.

Newer operating systems can be configured to block most attacks, but the default setting usually is not.

Other operating systems are not as vulnerable. The number of compromised Unix machines actually decreased 35 percent, from 79 to 51, even as the total number of people using Unix systems seems to have increased. Macintosh machines made up the remainder of the compromised systems.

Every workday, another 3.5 machines on average are compromised. When NSIT ran operating system fingerprinting, 15 percent of detected machines resulted in a compromised machine. Nearly three times as many machines were compromised this year as compared to last year.

A compromised machine is one that has been targeted with a vulnerability scan, which is a systematic attempt to find and exploit a computer's security weaknesses. While such scans cannot be prevented, steps can be taken to uncover and report security vulnerabilities. 'Hacking'/'Cracking' are concentrated attacks on a computer or network. Harassment and copyright violations take many potential forms.

While both Jackson and Bartlett find the situation frustrating, they are taking steps to deal with it. These steps, warns Bartlett, will "almost certainly...inconvenience the University community."

Installing a firewall that blocks desktop filesharing, Web servers, and database servers would improve the situation, but, according to Bartlett, these measures will be unpopular and will require action by the individual. NSIT is also considering other actions, such as site licensing tools that will "help systems administrators protect their systems," Bartlett said.

When asked what NSIT planned to do about the large number of compromised machines, Jackson replied, "Keep looking for them, keep taking them off the network, keep encouraging people to secure their machines in the first place rather than wait for trouble to strike."

Not reacting to the problem is not an alternative, as it puts the University network at risk. But in order to combat the problem, some information services may have to be limited. Whatever solution NSIT decides upon, bandwidth speed might be affected; both users and administrators would have to make conscious, continual efforts to maintain security.