Information Security in Campus and Open Environments
by Adrian Duane Crenshaw - Originally published in issue 2 of (IN)SECURE Magazine - Tuesday, 23 August 2005.
Much of an information security professionalís job involves keeping outsiders away from the internal network. A great deal of time and money is spent on firewalls and Intrusion Detection Systems to protect server and client machines from threats coming from the Internet, limiting some attack vectors to only computers on the LAN.

Physical security is also taken into consideration with access cards and locked doors to keep unwanted visitors off of the local network. This is all fine and good for corporate environments, but what about open environments like libraries and university campuses? When an organizationís purpose is the dissemination of knowledge, the paradigm (donít you just love that word) of information security shifts tremendously and one can not be sure that all users on the LAN are completely benevolent.

This article will be geared towards techies at libraries and schools and will attempt to address common security problems that may pop up at these institutions. Iíll gear the solutions towards Open Source, freeware, and base operating system security in a Windows XP/2k environment to keep the information useful to the largest number of people. Not all of us have the budget to buy software like Deep Freeze or other products to protect our patron workstations. Too many articles recommend expensive solutions when there are plenty of free or cheap solutions available. Links to most of the software mentioned as well as sites for further research can be found here.

A word about terminology

Iíll generally use the term patron to refer to students, faculty, staff and general visitors except where a more specific term is needed.

Also, I will use the term attacker or deviant user instead of ďhackerĒ or ďcrackerĒ because the later terms have so many different meanings depending on who you talk to (a hacker is a wood cutter and a cracker is some white dude from Georgia).

Some folks like the terms White Hat Hacker and Grey Hat Hacker, but those are still too flexible (I prefer to consider myself a Plaid Hat Hacker).

A different kind of environment

Institutions like Universities and Libraries are different from the corporate world. You canít physically lock the patrons out of every computer at your facility. The entire mission of a library or university is to give patrons the tools and information they need to learn and the faculty what they need to teach. At the same time a system administrator has to protect staff and patron workstations from deviant users on the network. Every information security professional worries about internal attacks, but this worry is greatly amplified in a campus or open environment where so many users have physical access to the computers and the network.

So how do we hold back the hordes when the barbarians are already past the gates? In this article I hope to point out some of the common security problems with campus environments and some of the solutions. Many problems may not be solvable because the solution would be counter to the mission of your organization, but with a watchful eye many troubles can be averted.

Local Security on Windows Boxes


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th