12/29/2005
When it comes to vulnerability scanners, know your tools, and clarify your goals—or be sorry later.
“You can be sure of succeeding in your attacks if you only attack places which are undefended. You can ensure the safety of your defense if you only hold positions that cannot be attacked.” —Sun Tzu, The Art of War
As a University of Nebraska Cornhusker football fan, I have always looked forward to the spring game that pits the team’s best offensive unit against the best defensive unit. For network security folks, vulnerability scanning is our version of that spring game. With it, we can attack our own network to find the weaknesses in our defenses. Then we can fix them before we play with a real-world opponent.
Vulnerability scanners belong to a broader set of security tools that follow one of two strategies. The strategy used by vulnerability scanners is to periodically run programs that look for weaknesses in your network and attached systems by comparing a database of known vulnerabilities against data collected about your systems. The other strategy is to monitor your network and attached systems in real time, looking for anomalies that indicate the presence of an intruder. That strategy really deals with threats, not vulnerabilities. Each strategy has its advantages and disadvantages, and in practice both are needed. While the focus here is the first strategy, vulnerability scanning, the trend is to integrate both into a single tool suite.
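The comparison a scanner performs, shown as an added example that is not from the article: a small Python matcher checks a constructed vulnerability database (placeholder identifiers, not real advisories) against a constructed inventory of hosts, products and versions, and reports each host whose installed version falls inside an affected range.

```python
# Added example, not from the article: a minimal version-matching vulnerability
# scanner. Every host, service and vulnerability entry below is constructed
# sample data; the identifiers are placeholders, not real advisories.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder id, constructed for this example
    product: str
    min_version: str  # first affected version (inclusive)
    fixed_in: str     # first version that is no longer affected
    severity: str

# Constructed "known vulnerability" database.
VULN_DB = [
    Vuln("EXAMPLE-0001", "webd", "2.4.0", "2.4.50", "high"),
    Vuln("EXAMPLE-0002", "sshd", "7.0", "8.5", "medium"),
    Vuln("EXAMPLE-0003", "webd", "2.2.0", "2.2.35", "low"),
]

# Constructed inventory gathered from our own hosts: (host, product, version).
INVENTORY = [
    ("www1.example.edu", "webd", "2.4.49"),
    ("www2.example.edu", "webd", "2.4.50"),
    ("bastion.example.edu", "sshd", "8.9"),
    ("legacy.example.edu", "webd", "2.2.31"),
]

def is_affected(vuln: Vuln, product: str, version: str) -> bool:
    """Affected if same product and min_version <= version < fixed_in."""
    if vuln.product != product:
        return False
    v = parse_version(version)
    return parse_version(vuln.min_version) <= v < parse_version(vuln.fixed_in)

def scan(inventory, vuln_db):
    """Return (host, vuln_id, severity) for every inventory entry that matches."""
    findings = []
    for host, product, version in inventory:
        for vuln in vuln_db:
            if is_affected(vuln, product, version):
                findings.append((host, vuln.vuln_id, vuln.severity))
    return findings
```

Running `scan(INVENTORY, VULN_DB)` flags only the hosts still inside an affected range; a host running the first fixed version is correctly left out.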
Are the Bad Guys Winning?
EUGENE SPAFFORD, professor and executive director, Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University (IN), and a former member of the President's Information Technology Advisory Committee (PITAC), is one of the world's leading authorities on cyber security, and he's concerned about the future. He feels that today's cyber security strategies are retroactive, and that the number of vulnerabilities makes it increasingly difficult, even ultimately impossible, to keep pace. He points to the fact that the Computer Emergency Response Team Coordination Center (CERT) at Carnegie Mellon University (PA) reports that 3,780 new electronic vulnerabilities were published in 2004—that's more than 10 a day, and a 20-fold increase since 1995. Spafford recently testified before the House Science Committee:
“The software and hardware being deployed today have been designed by individuals with little or no security training, using unsafe methods, and then poorly tested. This is being added to the fault-ridden infrastructure already in place and operated by personnel with insufficient awareness of the risks. Therefore, none of us should be surprised if we continue to see a rise in break-ins, defacements, and viruses in the years to come.”
The solution, according to Spafford, is simpler, more robust, and better-crafted systems. Unfortunately, a hardware/software vendor's revenue stream depends upon the regular issuance of new and more powerful hardware required to run new and/or updated software jam-packed with new, and largely unused, “features,” resulting in a downward spiral of increasingly complex and vulnerable systems. The market doesn't reward simple, stable, well-architected hardware or software. Equally unfortunate, both private and government research is almost entirely focused on short-term patching rather than the long-term development of new, inherently secure computer architectures.
Spafford sees three outcomes to the current trend. In the first, the market realizes the cost of tacking security onto systems as an afterthought, and demands and compensates vendors for simpler, more secure systems. This will probably require a new revenue-generation model. The second outcome is that we limit our use of information technology to avoid security-related problems. The third outcome is that we continue on our merry way until the system implodes.
How serious is the problem? I encourage you to read Cyber Security: A Crisis of Prioritization, Report of the President's Information Technology Advisory Committee, 2005, which is available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.