TORONTO — Errors in user judgment may be as much to blame for network security concerns as any technology shortcomings or viral attacks, according to network managers.
“”We see our biggest challenge right now as educating users,”” said David Klein, network analyst for the Toronto Catholic District School Board. Layers of security technology only have a limited impact if students aren’t aware of the potential risks — even basic provisions like not giving out personal information online.
Klein, who spoke at a security roundtable hosted by Symantec Corp. Thursday, said his department encourages students and teachers alike to think of security as part of the broader education process.
Klein is responsible for network management at 200 different school board sites and 110,000 users. This includes 10,000 staff and 100,000 students, or what he described as “”100,000 potential little hackers.””
The wrong-doing comes from a lack of security knowledge more often than not, said Klein. “”One of the potential threats is a curious and inquisitive student”” who may want to download all manner of things from the Internet without considering the ramifications of what they may be introducing to the network.
Klein remembered one incident where a teacher assigned a class a paper on computer viruses only to later discover that some of them were downloading malicious code as research.
As a result of the variety of security threats, deliberate or accidental, Klein’s role has expanded greatly in the five years he has been the school board’s administrator. He said he currently oversees anti-virus coordination (the school board uses Symantec products), core network services management for both LAN and WAN, network design and implementation and overall network security.
Much of the school board’s network is locked down to avoid the worst security hazards and to protect students. Elementary school students have severely curtailed Internet access. The restrictions are looser for high school students, but there are restrictions on the types of applications they can use during a given class. “”We don’t necessarily want them surfing the Web or doing their math homework (during class),”” said Klein.
“”Generally we do pretty well, but we can still do better,”” he added. “”I think our senior management is really starting to understand the value proposition for security measures.””
Convincing the decision-makers to loosen the purse strings is also a challenge in the enterprise, according to Kiron Bondale, senior project manager of the diagnostic services sector at MDS Inc. But that will soon change since MDS, a health and life sciences company, will have to conform to the Personal Information Protection and Electronic Documents Act (PIPEDA), due to come into full effect next January.
MDS has contracted NexInnovations Inc. to perform a risk assessment of MDS’s offices — first in Toronto, then across Canada — not only for PIPEDA-compliance but as part of an ongoing security program. Eventually, MDS will move the assessment to its American offices, but that project has been put in the back burner. The U.S. equivalent of PIPEDA for health care, the Health Insurance Portability and Accountability Act, won’t come into full effect until April 2005.
NexInnovations has had a security practice for two years, formed in response to a clear customer need, said Wendy Lucas, the company’s vice-president and general manager for the central region. The firm is capable of managing a client’s security infrastructure, but most want NexInnovations to teach them what they need and prepare them for the future.
Bondale agreed that education is the most crucial element of good security practice. He said that “”we’re actually doing fairly well,”” but acknowledged that “”where our risks have been showing up have generally been around behaviour.””
He added that all MDS employees receive mandatory security training and sign a network usage agreement. Retraining is available for personnel that still demonstrate some weak spots.
Vigilance and a continuing education are essential elements of good security practice, said Michael Murphy, Canadian general manager for Symantec. “”For people to get their heads around this problem . . . there is a hope that they can get ahead of the curve, deal with the problem du jour as well as whatever’s around the corner.””
Murphy noted that the viral threats are hitting the enterprise at an accelerated rate. The Blaster worm, which infected hundreds of thousands of PCs in September, went from disclosure of the vulnerability to full-blown attack in 26 days. Initial attempts to exploit the vulnerability began as soon as 11 days, said Murphy.