Everybody Needs to Do Their Part
In the days of standalone computers, reckless or unauthorized use of a computer generally affected a single computer. With our computers interconnected and our resources shared, we have become interdependent upon one another. One clicked attachment, downloaded file, or out of date browser can quickly result in a compromise of that computer and associated accounts. One compromised computer can lead to another compromised computer across campus. One compromised account can lead to the compromise of other accounts, shared disk space, or an entire server.
Some of those not so innocent screen savers and games we once downloaded with abandon can cause much more damage and affect many more people. A hastily built, unmaintained web server is almost guaranteed to be compromised in short order. A Windows desktop that hasn't been patched is a sitting duck for the next virus that doesn't even require the operator to click an attachment. All of these scenarios may result in outside accesses to our PeopleSoft and email accounts, exposure of network passwords from neighboring computers, or attacks on outside web sites making front page headlines.
Even with switched networks, a compromised computer may be used to sniff network traffic from neighboring computers. Thus, your security is dependant upon your neighbors' security and their security on yours.
Your particular computer may not seem to be a desirable target of a compromise attempt but any computer is attractive as a stepping stone or attack vehicle. Computer vandals and their code don't need a reason to attack a specific computer...many are just out to do as much opportunistic mischief or damage as possible. Using a discarded computer and freely available, automated software a person with minimum motivation can set up their computer to walk through the Internet scanning for and compromising vulnerable computers. We see such scans daily at NCSU. Your computer doesn't have to be a target...just available.
Special Effort Required by Decision Makers, Designers, Developers, and Service Providers
Decision makers, designers, developers, and service providers have special responsibilities. They affect the types of things we do with our computers as part of our day to day activities and likely control access to our data and services. These people must elevate security to the same level of concern as they do ease of use, supportability, and functionality during the design and development process. Just as they have a responsibility to provide a usable, supportable, functional service, they also have a responsibility to provide confidentiality, privacy, data integrity, and availability. Security must be an integral factor in all design decisions...not an add-on.
Every product and platform has its own security issues just as they have their own configuration, interoperability, and performance issues. The product expert's expertise and responsibility must not be limited to getting it running, improving its appearance, or making it easy to use and support. They must make sure it is running safely. Here are a few generic issues to consider:
- Are authentication credentials protected sufficiently? How?
- Is data adequately protected against unauthorized access? How?
- How will backups, upgrades, and system monitoring be accomplished?
- Is the service protected against malicious user supplied data?
- What are the known threats against this type of service and how can the risk of those threats be minimized?
The only person ultimately in control of each of the 14,000 desktop computers on this campus is the person in front of the keyboard. That person has the freedom to run any code they want and communicate with anyone around the world. As long as we want to continue to have relatively open computing and communications choices, each one of us must do his or her part to help ensure the integrity of our network by operating our computers safely. We must all R.U.N.S.A.F.E.