Security plan: Encrypt laptops, scan servers

Would-be intruders are always out there, poking at the edges of the university network, looking for a way in. To help keep intruders at bay, information technology services (ITS) is rolling out a number of cyber security measures this school year.

Among those measures are encrypted laptops, software that sniffs out security holes in campus servers and stronger passwords. They're part of a six-point plan developed last spring in the wake of breaches on several department servers.

"There are technological ways to tighten security," said chief information officer Jim Davis. "We'll add some new software tools. We'll tap into expertise at the Information Assurance Center, which is nationally recognized for research and education in cyber security.

"But our technological efforts aren't enough. We'll need broad collaboration across the university community to secure our network and information. Everyone with a Net-ID and password has the key to some part of our network. We all have an important role to play in ensuring its safety."

Davis and several other IT officials recently talked about why and how new security measures will be implemented on campus. Joining Davis in the conversation, summarized below, were associate CIO Angela Bradley, systems and operations director Mike Lohrbach and information security officer Andrew Weisskopf.

1. Scanning for protected information

Among the thousands of servers and storage devices on campus, there are many forgotten files. Out of sight, deep in the folder hierarchy, most are innocuous -- old memos, drafts, reports. Some, however, are more troublesome. They could contain Social Security numbers of former students (as was the case with last spring's security breach) or other kinds of personal information, such as driver's license, passport or credit card numbers.

A new software program, IdentityFinder, is making it considerably easier to find pockets of protected information on campus servers. The software, provided to college and departmental IT staff in August, currently is scanning university web servers in search of data patterns that may indicate the presence of Social Security, credit card, driver's license or passport numbers. When it finds a likely pattern, it alerts the appropriate administrator to the file location. The administrator then checks the file to determine if it contains confidential information and takes appropriate action.

Once all web servers have been scanned, IdentityFinder will be used for similar scans on campus file and database servers.
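
The kind of pattern scan described above can be sketched in a few lines of Python. This is an added example, not IdentityFinder's code or ITS's configuration: the regular expressions, the validity rules, the function names and the sample text are all assumptions chosen for illustration. It shows why a checksum and range check cut down false alerts, and why a report should mask what it finds.

```python
import re

# Added example: these patterns are assumptions, not IdentityFinder's own rules.
# SSNs as AAA-GG-SSSS; cards as 13-19 digits with optional space/hyphen separators.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def ssn_plausible(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(value):
    """Keep only the last four characters so the report does not copy the data."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(name, text):
    """Return (file, line number, kind, masked value) for each likely hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((name, lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((name, lineno, "card", mask(digits)))
    return findings

# Constructed sample content; none of these values belong to a real person.
SAMPLE = """Roster draft, fall term
student id 219-09-9999 (sample)
order ref 000-12-3456, phone 515-294-0000
card on file: 4111 1111 1111 1111
tracking no 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for finding in scan_text("old_roster.txt", SAMPLE):
        print(finding)
```

Only lines 2 and 4 of the sample are reported; the order reference, phone number and tracking number match the digit shapes but fail the range or checksum tests, which is the filtering that keeps an administrator's review queue manageable.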

2. Scan for bugs, vulnerabilities

Timely security updates on several storage devices might have prevented last spring's security breach. Unfortunately, keeping up with the steady stream of updates for browsers, operating systems and software is daunting, especially for IT administrators who are managing multiple servers.

The task will get easier with another scanning system that may be on campus as early as spring semester. Unlike IdentityFinder, the new system won't look for files that may contain confidential information. It will scan university servers in search of vulnerabilities -- potential security holes in everything from operating systems to browsers. IT administrators throughout campus can use the system to find vulnerabilities on their own servers, and plug security holes before intruders find them. The system won't be used to scan individual desktop computers.

3. Encrypting laptops

A login password won't protect the contents of a stolen laptop. That's because the thief can bypass the password altogether by plugging the laptop's hard drive into another computer. Data theft gets a lot harder, however, on an encrypted laptop. Without a password or an encryption key, the laptop won't yield anything but unreadable gibberish.

That's why Iowa State is moving toward full-disk encryption on all university-owned laptops. ITS has begun encrypting laptops of its clients. Windows laptops get Microsoft's native BitLocker encryption and Macs use Apple's FileVault 2.

Other departments and units will be required to install encryption on their laptops as well. ITS staff are putting the finishing touches on a best practices document, and the official documentation should be available soon. An important issue is ensuring that IT has a way to recover data if users lose their encryption keys or passwords. ITS' solution is to securely store the encryption keys for its clients' laptops.

[Image: XKCD webcomic on password strength. See why hard-to-remember passwords are easily cracked. Source: xkcd.com.]

Users shouldn't notice much difference between encrypted and unencrypted laptops. They'll sign onto encrypted laptops just like they did before, with their Net-IDs and passwords.

4. Stronger passwords

Virtually any security measure put into place on the university network can be foiled by a compromised password. And the kinds of passwords most of us have -- eight letters or so with a few numbers, symbols and capital letters thrown in -- are easily cracked by software programs that can spew out a thousand guesses a second.

ITS staff are working with university committees and cyber experts to come up with a policy to strengthen passwords. No requirements have been developed, but ITS officials say it's fairly certain that most passwords will need to be longer and that we'll all be required to change our passwords occasionally.

The good news is that longer password phrases are easier for humans to remember and harder for computers to crack.

5. Protect personal info in reports, AccessPlus

ISU officials recently began a review of business processes and reports with the goal of:

  • Reducing the number of reports that contain confidential information
  • Reducing the number of people who have access to those reports

SSNs are a key target for the reviewers. While SSNs are still needed in some areas, like financial aid, payroll and human resource services, officials want to be sure that the number of people with access to SSNs is kept as small as possible.

ITS officials also are considering extra authentication steps or another type of added security on AccessPlus. Someone who gains entry to your AccessPlus account can change direct deposits or even grab your W2, file a tax return and beat you to your own tax refund. Both kinds of incidents have occurred at other Iowa universities in recent years.

6. Provide workshops and training on security

Over the summer, ITS released "Don't Be Fooled," a well-received online training video to help faculty, staff and students spot fake web pages and possibly dangerous links. More training opportunities will be introduced to the university community in the coming months.

"We're working hard to let the campus community know what the risks are and provide them with the common-sense things they can do to help keep our network safe and secure," Davis said.