The University Record, April 26, 1999
The University strives to be an open environment for information access, creation, and exchange. But not all people who access U-M information systems are sensitive to the needs and rights of legitimate users and the community.
According to Virginia Rezmierski, director of the Office of Policy Development and Education, "if systems are too open, unauthorized users may access U-M resources. Too much security, on the other hand, overly restricts our community's access to resources." It's a constant challenge to balance ease of access to information and resources with existing security concerns, Rezmierski notes. Regardless of the actions taken, the impact often is felt by the entire institution.
The important task of ensuring system security falls heavily upon the shoulders of systems administrators. Most systems administrators are extremely busy, and they often have numerous roles, ranging from technical support and server operator to network technician. With limited resources and, in many cases, insufficient time to learn new systems, systems administrators are confronted with constantly changing technology; incompatible applications; and hardware, software and user problems.
As a result of an initiative focused on reducing information security risk across campus, funding was procured in 1997 from five U-M units. The University purchased a site license for Internet Scanner to help systems administrators maintain the security of their systems.
Internet Scanner software is designed to emulate the behavior of a system cracker--someone who would break into and perhaps even change a system's configuration. This "hacking," however, is intended to inform and help. The software identifies systems weaknesses and produces multiple reports. Reports also include information about how to correct identified vulnerabilities. The scanner software does not actually correct any problems it encounters. Correcting problems is the responsibility of the systems administrator. At present, the software can look at more than 300 known vulnerabilities and is updated frequently to reflect the latest information.
The University recently acquired BindView EMS, a scanning, reporting and management software tool for NetWare and Windows NT systems.
Any systems administrator or information technology manager may schedule an appointment with the Information Security Education and Assessment
(I-SEA) administration team by contacting Krystal Hall, 647-3214. If the requesting unit is part of one of the partner network segments (MCIT or CAEN), Hall will direct the unit to team member who will perform the scan. Otherwise, the I-SEA central team will perform the scan. A team member then consults with systems administrators in each unit to create a customized scanning template for the portion of the system that should be examined. The services are free and the results confidential.
"Past reports were enlightening, but possibly overwhelming in their detail," notes David Nesom, I-SEA coordinator. "In response to customer requests, I-SEA is working to improve the quality of the reports by making them more concise." If requested, the I-SEA team member will work with systems administrators to determine the actions necessary to correct the vulnerabilities that are found.
Feedback from the systems administrators in charge of the 28,000 hosts‹including workstations, servers, routers and printers‹that have been scanned so far is positive.
"The scanning services are part of an educational process for our systems administrators," says Carl R. Smith. "It offers them a way to contribute to the reduction of institutional risk." Smith is director of University Audits and a member of the scanning team oversight committee. As more departments request rescanning--required within six months of the original scan--the overall state of information systems security on campus will increase. "That's a win for the entire community," Rezmierski says.