
ITSS expert discusses computer security, how to protect machines against hackers

David Hoffman, computer security officer in Information Technology Systems and Services (ITSS), helps to coordinate Stanford's computer security efforts. Hoffman, who studied computer science at Stanford, talked recently with University Communications about securing the university's computer network and about what individuals can do to protect their machines.

What are the university's computer security challenges?

There are two major issues. First, there are 40,000 machines on campus, many of which are vulnerable to attack. We are installing a program called BigFix that will be available to everyone this fall. It can be installed on any Windows machine and will do critical operating system patches automatically. Our challenge is getting machines updated quickly to protect against something like the Blaster virus, which hit last summer. There are about 25,000 Windows PCs at Stanford. If, say, two-thirds are patched in time to protect against vulnerability, that still leaves about 8,000 machines open. That is how many computers Blaster affected. We can't cover 100 percent. But we need at least 98 percent. Even a 2 percent hit is about 500 machines, which is the limit of what we can repair.

Another focus is protecting the many information assets throughout the university - all the educational records, the medical records and other sensitive data. This information is subject to federal regulations, including the Health Insurance Portability and Accountability Act and the Family Educational Rights and Privacy Act. Plus, there are other records that, although not regulated, are sensitive enough to warrant extra attention, including anything affecting our students, staff and faculty. In the past, records were stored on mainframes. Because there were so few such mainframes in the world, they didn't offer the potential for widespread chaos that is attractive to hackers. Now that the Internet is connecting the world in ways no one could have predicted, we have to implement more protection. Firewalls are a good start - like putting a lock on your door. But we are also changing the network so there can be zones with more restrictions and some with more freedom.

Computer security is always a balance between what you want your machines or your network to do and what you are willing to give up. When you are in a corporation, you don't let anyone into your network, but that doesn't work for a university committed to the dissemination of information.

When a computer is connected to the Internet, it is immediately scanned by hackers. How is that possible?

It's possible because machines are so powerful and the Internet is so fast. It doesn't take exotic resources to launch an attack. You type in a few commands and a program will start scanning machines. Stanford is a juicy target because our access to the Internet is phenomenal and our cachet is high. Also, there is an underground spam economy. There are major spam players who will pay money to people capable of breaking into networks and using them to send spam. It's a little like the Wild West.

What are the implications for an individual whose computer has been used by a hacker?

I suffered an attack on my home computer, which is how I got interested in computer security. You feel violated. A clever attacker ensures you don't know. The longer he controls your computer without you knowing, the longer he has that machine to play with. We often find out about attacks because a business will contact us and say: "Your campus is attacking my network."

What is our response when we discover a break-in?

There are thousands of break-in attempts, many coming from outside the United States. We can't pursue every one. We notify the owner of the machine and recommend that he or she back up all data, wipe the machine clean, reinstall the operating system and get it patched up. If an infection hits the whole campus, a removal tool is likely available to fix it. But, if someone attacks an individual machine, the only guaranteed solution is to start clean and patch immediately.

What can individuals do to protect their machines?

The easiest defense is a good password, meaning one not easily guessed - not your name or your department, nothing dealing with pop culture. There are automated programs that simply start guessing passwords based on the obvious. And the password shouldn't be short. Also, it is important to keep your machine up to date with operating system patches and antivirus software. We have a site license for antivirus software at Stanford, so it's freely available to everyone.