Kevin Unrue, university security coordinator with the Office of Information Technologies, poses in the Network Operations Center in Rhodes Hall. Robert Barker/University Photography
We've learned to walk quickly through the city at night, keeping to lighted streets. We've learned to lock our doors and windows, even in "safe" neighborhoods. Now it seems we must learn to build fences around our homesteads in cyberspace.
At a university, we have to balance security with openness. Although we want to make our information available to the world, there are a few people in that world who see our open doors as an invitation to set up squatters' rights and use our computers for their own purposes.
That's the situation facing Kevin Unrue, who arrived last May to fill the long-vacant post of university security coordinator in the Office of Information Technologies. Unrue comes from a corporate environment, where, paradoxically, the job was simpler. "In my old job, my title was 'perimeter access manager.' Here there is no perimeter," he explained.
And it shows. Since August, at least 200 network security incidents have occurred, he reports. About 35 percent of those are "casual," he said -- just somebody poking around.
Others have more serious implications. Since a university has very few "secrets," hackers who intrude on campus systems are mostly hoping to find places from which they can launch anonymous attacks on other parts of the Internet. The recent denial-of-service attacks that plagued Yahoo!, CNN.com and other popular web sites are excellent examples of why Cornell should be concerned, Unrue said. Hackers create accounts for themselves on computers running multi-user operating systems like Unix or Windows NT; then they can run programs on those computers just like local users, including programs that reach out over the Internet to break into or interfere with other computers.
Other intruders, Unrue said, just want to steal storage space for very large files, or for material that would be dangerous to keep on their own computers, such as pornography or pirated software.
Cracking into computers is no longer the activity of a few highly-skilled geeks. Programs to "sniff" network traffic and guess passwords are now easily available for download on hacker web sites, tempting high school students and other amateurs to use them. These programs are most effective when used against computers or networks whose managers don't take security seriously.
That's where Unrue comes in. "I'm paid to be paranoid," he said.
He emphasizes the word "coordinator" in his title. "When I arrived it was made clear that I was not supposed to do Cornell's security," he said. Rather, he said, his job is to find the people who are responsible for security, advise them, assist them if necessary and "get them talking to each other."
"Part of the challenge is that we have some bright people working on security, but they're not all working together," Unrue said. "Inconsistently applied security is nearly zero security."
He illustrates this with the image of a medieval castle: high walls, a drawbridge, guards on the battlements -- and a hole in the wall in the back. "All it takes is one modem in auto-answer mode," he pointed out. (Some local networks that need special protection connect to the Internet through "firewalls" that check incoming traffic for suspicious activity. But if a user on such a system hooks up a modem so he can work from home, the firewall can be bypassed by a hacker dialing in the same way.)
So far Unrue has recruited about a hundred people, ranging from Cornell Information Technologies programmers to network and system administrators in colleges and departments, from whom, he said, he's "borrowing cycles" -- an inside joke that refers to using part of the processing power of a computer chip. They communicate through mailing lists and monthly seminars.
How much security each manager must apply varies. While most data stored on university computers is public, there are a few things, such as student medical records, that the law requires the university protect, and a few others the university wants to protect for its own reasons. Unrue describes the university system with another image: a city with many public spaces and a few "gated communities" with increased levels of protection. And even systems that contain no sensitive data need to be protected against unauthorized use by outsiders.
"We're looking for ways to increase the protection level without imposing a burden on the community," Unrue said.
Some of this he plans to accomplish by installing new software, including some that provides better detection of intruders. But much of his work will be focused on education. He is planning an educational program to persuade users to choose harder-to-crack passwords. Most everyone knows by now to avoid obvious password choices like the name of a child or pet or a birthday or street address, but hackers have password-cracking programs that literally try every word in a dictionary, so a good password will not be a word at all. Combinations of words with numbers and symbols are recommended, as is running two words together to form a "non-word" that's still easy to remember.
Unrue also will be working with campus police and the judicial administrator to prosecute computer crime against the university or violations by members of the university community.
Most of Unrue's career has been in the private sector. Before coming to Cornell he was with the systems integration firm, EDS, in Texas. But Unrue's wife, he told us, didn't care for Texas. So, for a time he left EDS to work for GTE, but when they made him the Y2K project manager, he opted out, going back to EDS, but putting out a few resumes. When the offer came from Cornell, he asked his wife how soon they could be ready to move. "How about 6:30?" she replied.
That didn't mean everything was perfect. He recalls coming to campus for an interview, looking out the window of his room in Statler Hall and thinking, "This is either the opportunity of a lifetime or I'm in way over my head."
After the first year, "It's an opportunity definitely," he said.
Unrue has an "e-mail hotline" at security@cornell.edu. Urgent questions, he said, will receive a response in 24 hours or less. Persons experiencing an immediate attack on a computer system should contact the CIT Help Desk at 255-8990 or the Network Operations Center at 255-9900; the latter is open 24 hours a day.