by Richard Jacik

Unfortunate timing can turn a great idea into a questionable one, and a questionable idea into a bad one. Time rarely turns a dangerous or stupid idea into something you can live with.

Unfortunately, giving away critical and sensitive information, along with the knowledge and skills to use it, isn't limited to the friendly skies (see the brochure excerpt below). Why was United Airlines so emphatic that everyone, not just employee-pilots, should have a shot at flying their jets? What decision process, before the tragedies of 9/11, led United to offer to teach the public at large how to operate a 767?

Would an accidental survey of your university web site turn up information that it shouldn't? How about detailed network schematics that provide a roadmap for hackers?

Or a map with certain campus locations like labs and research centers labeled as unsecured? It is rare to see sensitive information about an individual student exposed on web pages. Yet information that might be leveraged against the university by crackers, hackers, criminals and other troublemakers is often all too available.

Looking for some unusual entertainment?
(Excerpts from a brochure received by United Airlines frequent flyers on September 14)

Want to take the ultimate ride? United's state-of-the-art Flight Training Center, located in Denver, is now taking reservations! Now you can visit the most advanced pilot training facility in the country. With United Services' Pilot For A Day program, you can experience the thrill of flying a jumbo jet. The program simulates actual flight scenarios, which include hands-on "stick time" with take-off, approaches and landings. Plus, you'll have a staff of qualified United pilots who set up your flight plan and provide guidance.

And you'll want their tips - the flight simulators are actual aircraft cockpits mounted on huge six-axis motion systems that require a three-story building just to accommodate the range of vertical motion. 34 full flight simulations are available for Airbus and Boeing aircraft.

Fly solo, or with a crew. There are a variety of packages to choose from, with prices starting at $1,150. Most sessions include a simulator briefing, full flight simulator session, debriefing and a tour of the United Flight Training Center. Don't want to go it alone? Bring along two or three friends or family members to act as a flight crew. Your entire crew will be invited to attend briefings and receive time at the controls of the flight simulator. To purchase a package or for additional information, please contact United Services at .."


When pressure encounters a vacuum
Trouble can happen when the high pressure of university openness meets the content vacuum of the World Wide Web. The vacuum results from web environments that never fill up. There are few incentives to limit the content that well-meaning employees publish on their organization's web sites. In fact, there are significant pressures to document, publish and display everything possible.

Turning campuses into vaults of secrecy is not the answer. Rather, common sense and the lessons learned from 9/11 are probably more to the point. Some middle manager may have been rewarded for the flight simulator idea. Turning a cost-center into a profit center is usually a worthy business objective. "Need to know" was probably never considered.

Examples of bad sense abound
But what about the U.S. Navy? One can only imagine that anyone with a real need to know the location of an aircraft carrier would be able to get that information without clicking on a publicly available website. Perhaps I was the only one surprised to find out that the week after September 11th, the U.S. Navy stopped posting the location of the USS Carl Vinson ("America's Favorite Carrier" according to their home-page) on the web.

The inexorable pull of the content vacuum led to the rash display of information. After all, what good would an aircraft carrier's web site be without lots and lots of good data about its mission, position and other facts, trivial and otherwise? Meanwhile, recent visitors find the Carl Vinson's "facts" page "Currently Not Available."

Around the same time, the Department of Energy decided it would remove the GPS coordinates of all the nation's nuclear reactors from its web site. Certainly, there may be real estate developers who truly and fairly want to know how near their proposed subdivision is to a power plant. Does that mean such information should be posted on a web site for the world to see?

Limited only to the government?
Chalking the problem up to military SNAFUs and federal government incompetence might lead one to believe the problem isn't widespread. It is. Here's a small sampling of what's available on some .EDU web pages...

  • Locations of network access points in unsecured locations (e.g., parking garages), along with the hours that they are unsecured. Want to physically tap a network or bring down a backbone? Here's your treasure map.

  • Detailed blueprints of campus buildings including electrical, communications and security schematics. Want to break into a campus research lab? Here's your Mapquest.

  • Firewall, server and router information that includes operating system, patch level, and low-level machine addresses. Want to craft a worm or virus that takes advantage of known vulnerabilities in exactly those versions? Here's your requirements list.

  • Server and network performance rates, updated graphically, in (near) real time. Care to test out your latest denial of service attack? Fire away at these servers and watch the real-time results, Nintendo-like, right in your web browser.

It doesn't take a psychic or a PhD to predict how such information could be leveraged against those campuses. But one may say that perhaps those weaknesses aren't weaknesses at all. Perhaps they're "honey pots": targets too good for an intruder to pass up, strategically placed to help track, trap and apprehend intruders. Not yet, most likely. Higher education has not made extensive use of such techniques.

Don't make the attacker's job easier
Of course, all but the most junior bad guys can snoop most of your server and network information surreptitiously. Even so, there is no reason to be an inviting target. To be sure, removing the ignition keys and locking a car door may not cut down the crime rate. But it can shift the crime to an easier target. And volunteering to be a victim by making it easier for attackers is a very bad idea. On some campuses, data security responsibility falls somewhere between internal audit groups and IT security offices, while physical safety lies with campus police departments. However, in this era, data security is too important to be left to the experts.

So where does the prudent administrator draw the line? How does he or she protect both the safety and security of the campus while not damaging the sense and purpose of open collaboration and information sharing?

Know your data
Universities have become pretty good at dealing with controlled access to their structured data that is used in and managed by campus business systems. Structured data is granular and controllable by embedded access rules.

On the other hand, unstructured data resides outside of relational databases. It is embedded in documents, spreadsheets, diagrams and pictures. Diagrams and pictures contain very few words and thus foil even the best content searches. The only way to determine if sensitive information is contained in an Adobe Acrobat (PDF) document is to search the document. Worse, a Visio network diagram or PowerPoint architecture diagram must be read with comprehension to evaluate its content.

Take this test
Before calling in the white-hats (hacker good-guys) to do a friendly penetration test of your technology assets, a few common-sense action items are in order.

  • First, review campus policies on data access and web-posting.  Look for information gray areas that may be omitted or inadequately addressed.  Take a paranoid look at the types of information that the bad guys would find desirable.


  • Next, audit the information on your web site. Organize a red-team to look for information and artifacts that make the campus more vulnerable. Is the decision process (if there was one) that resulted in the posting still applicable? Should some items be removed?


  • Last, think about content management. Of course a web site should be dynamic, and the constant pull of the content vacuum means that your campus web pages are being changed, appended and added constantly. Yet a site that has grown beyond what one webmaster can manage needs some degree of content management.

Content management helps enforce policies when adding or changing web pages. It also helps maintain site quality and consistency. It may cause some items to go through multiple levels of revision and approval prior to posting. I don't like it. You won't like it. Content contributors hate it. Get used to it.
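The audit step above is the one that lends itself to tooling, and the "Know your data" point that diagrams and binary documents defeat a plain text search is the caveat any such tool has to carry. The script below is an added example, not code from this article or from Information Methodologies. It scans a handful of constructed pages (the example.edu URLs and their content are hypothetical) for the categories listed earlier: machine addresses, operating system and patch-level strings, unsecured-location labels, building schematics and coordinates. Linked PDF, Visio and Office files are not parsed at all; they are reported for a human reviewer to open and read, which is exactly the limitation the article describes. The pattern set, function names and sample pages are all assumptions of the example, and every hit is a triage item, not a verdict: a version string can look like an IP address, and a reviewer decides what actually comes down.

```python
"""Scan web pages for artifacts an attacker would harvest from a campus site.

Added example with constructed sample pages; the URLs, page text and the
pattern set are hypothetical and chosen to match the article's categories.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Finding:
    page: str       # URL (or path) of the page the artifact was found on
    category: str   # which kind of sensitive artifact matched
    evidence: str   # the matched text or link, so a reviewer can locate it


# One pattern per category of information the article warns against posting.
TEXT_PATTERNS = {
    "ip-address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac-address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "gps-coordinates": re.compile(r"-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}"),
    "os-or-patch-level": re.compile(
        r"\b(?:patch level|service pack|kernel \d[\w.]*|solaris \d+|windows nt|ios \d[\w.()]*)\b",
        re.IGNORECASE),
    "unsecured-location": re.compile(
        r"\b(?:unsecured|unlocked|no badge required|open 24 hours)\b", re.IGNORECASE),
    "building-schematic": re.compile(
        r"\b(?:blueprints?|schematics?|wiring diagrams?|floor plans?)\b", re.IGNORECASE),
}

# Documents a text search cannot read; these go to a person, not a regex.
BINARY_DOC = re.compile(r"\.(?:pdf|vsd|ppt|doc|xls)$", re.IGNORECASE)


class _TextAndLinks(HTMLParser):
    """Collect visible text and href targets from one HTML document."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text_parts.append(data)


def audit_page(url, html):
    """Return the findings for a single page."""
    parser = _TextAndLinks()
    parser.feed(html)
    text = " ".join(parser.text_parts)
    findings = []
    for category, pattern in TEXT_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(url, category, match.group(0)))
    for href in parser.links:
        # Strip any query string before testing the extension.
        if BINARY_DOC.search(href.split("?")[0]):
            findings.append(Finding(url, "binary-document-needs-human-review", href))
    return findings


def audit_site(pages):
    """Audit a {url: html} mapping; findings are sorted by page, then category."""
    findings = []
    for url, html in pages.items():
        findings.extend(audit_page(url, html))
    return sorted(findings, key=lambda f: (f.page, f.category, f.evidence))


def summarize(findings):
    """Count findings per category, the view a red team hands to site owners."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample pages (hypothetical content, not from any real site).
SAMPLE_PAGES = {
    "http://example.edu/it/network.html": """
        <html><body><h1>Campus backbone</h1>
        <p>Core router cr1 (10.20.0.1, MAC 00:1a:2b:3c:4d:5e) runs IOS 12.2(11)T,
        patch level current as of March.</p>
        <p>Wiring closet in Parking Garage B is unsecured 7am-11pm.</p>
        <a href="/docs/backbone.vsd">Backbone diagram (Visio)</a>
        </body></html>""",
    "http://example.edu/facilities/plans.html": """
        <html><body><p>Blueprints for the Research Annex, including electrical and
        security schematics, are available below.</p>
        <a href="/plans/annex-security.pdf?rev=3">Annex security plan</a>
        <p>Site survey point: 38.9072, -77.0369</p></body></html>""",
    "http://example.edu/admissions/index.html": """
        <html><body><p>Visit us! Tours leave from the Welcome Center daily.</p></body></html>""",
}

if __name__ == "__main__":
    results = audit_site(SAMPLE_PAGES)
    for finding in results:
        print(f"{finding.page}\t{finding.category}\t{finding.evidence}")
    print(summarize(results))
```

In practice the `SAMPLE_PAGES` mapping would be filled by a crawler pointed at the campus site, and the output becomes the red team's worklist: every line is a posting to reconsider, and every binary document is one someone has to open and read with comprehension, since no search can do that part.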

Richard Jacik is president and co-founder of Information Methodologies, Inc., higher education's leading enterprise web integrator. Contact him at 703.435.0370 or via eMail at jacik@infometh.com.


This article originally published by The Greentree Gazette.