Penn responds to information security threats
March 4, 2004 :: David Millar, University Information Security
Summer, 2003 was a very busy time for IT professionals at Penn
and around the world. Many organizations, both public and private,
reported spending hundreds of thousands of dollars mopping up
in the aftermath of the Welchia and MSBLAST worms which infected
over a million Windows computers worldwide. Penn was no exception.
IT professionals at Penn worked long hours in August and September
last year to clean up infected machines and to ensure that the
worms did not spread further. Thanks to everyone's efforts, the
damage was contained to individual computers and never threatened
the stability of PennNet.
Uncomfortable that similar repeat attacks were likely and could
once again waste valuable staff time and productivity, as well
as put sensitive data at risk, Penn began strengthening its
policies and processes for assuring the
security and integrity of Penn computers,
data, and networks.
Concurrent with the spread of the worms over the Summer, ISC
began to draft plans focusing on three key areas: prevention,
detection, and response.
Our overriding preference is to prevent security problems in the
first place, so a great deal of planning went into defining policy
directions and supporting education, awareness and tools to ensure
that Penn computers are as secure as reasonably possible.
Recognizing, however, that computers are never perfect, we chose
as our second priority to ensure that if a computer at Penn should
get hacked, we have the tools to quickly detect the problem.
The more quickly a hacked system is removed from PennNet
and properly secured, the less potential there is for serious
harm and disruption.
Finally, our experience managing hundreds of incidents of worm
infections in Summer, 2003 pointed out room for improvement
in our security incident response tools and procedures.
The third priority became to make improvements to our incident
response process. An improved process will enable us to
more efficiently manage security incidents when widespread worms
and viruses are rampant.
During Fall, 2003, ISC and the Networking Planning
Task Force (NPTF) devoted much of their annual IT
planning effort to the problem of assuring information
security at Penn. IT professionals campus-wide were brought into
the process and the plans were reviewed, discussed, refined
and ultimately improved. The end result is that we have established
a consensus around a good plan and have begun working to implement
it. The plan includes the following elements, to name a few:
- All systems on PennNet, including desktop computers, must follow good security practices,
including applying security patches, using strong passwords, and using anti-virus
- The University will work with vendors to improve the security out-of-the-box
of new computers purchased at the Computer Connection.
- ISC will develop educational and training materials to provide IT professionals
and end users with the tools and knowledge that they need to do their part
in securing Penn computers.
- ISC will deploy Microsoft Windows Software Update Service (SUS), a subscription-based
security patch management service. This service will help address the growing
updated with the latest critical updates and patches released from Microsoft,
thus keeping them free of security holes. By automatically installing critical
updates, patch management will significantly reduce the amount of time users
spend manually monitoring and installing patches
to keep their computers updated.
The planning efforts have already borne fruit. Starting in October, 2003, ISC implemented email virus filtering on selected Penn email domains
mail.med, etc) allowing us to block over a quarter million viruses.
You can expect to hear more details about security plans in coming months.