An explanation of the rationale for the Security and Accountability Project
submitted to the IUPUI Faculty Council leadership by Garland Elmore
Security on the Internet
Every computer connected to the Internet is probed daily by unauthorized
persons (mostly by automated programs).
These probes identify flaws in operating systems or other software. The flaws are then exploited to gain
unauthorized access to the computer.
Once an unauthorized person has access to a computer, it can be controlled
remotely and used for illegal and unethical purposes. The persons instigating these probes are
sometimes merely looking for “trophies,” about which they can brag to other
hackers. In fact, most worms cause no
material damage, and fall into this “mischief” category. Yet 451 malicious programs were identified as
being released since January 1, 2004.
They propagate and consume network and machine resources, and suggest a
wave of more destructive worms.
Probes also look for flaws in computers containing financial and
personal data so that hackers can steal credit card numbers or a person’s
identity. They look for flaws in
computers on which they can store illegal materials such as bootleg movies. Intruders also launch probes looking for
computers to support organized crime and terrorism, or to launch attacks
against computers elsewhere. Very fast
computers on very high-speed networks are obviously most desirable for all of
these illicit purposes. Higher education
environments are particularly attractive:
they offer traditionally open environments (technically and culturally),
high-end computers, high-speed networks, diverse technologies, diverse user
communities, and generally fewer resources allocated to cyber defense.
Security at
The IP Address Security and Accountability Project
The IT Policy and Security Office gets many thousands of reports each
year (from within and outside the university) of IU computers behaving badly,
indicating that they are very likely compromised. These machines may be attacking other
machines or bombarding servers with so many requests that legitimate users are
denied access. Until an offending
computer is identified and repaired, damage being caused continues
unabated. Many times it takes hours to
locate the device physically and determine its owner. If several hundred or thousands of computers
are involved, as has been the case with several recent security events, it may
take days to identify the owners. If the
owner cannot be identified very quickly, we must block the computer from the
network in order to protect other computers at IU and elsewhere. It is critical that we reduce this time, as
the threat and number of reports increase.
We must better associate computers with the persons to whom they are
assigned and with the persons assigned to maintain them. In addition, we must be able to provide
proactive assistance to users and technicians in identifying and repairing
problems on their computers, in order to avoid the compromises. To do these two things, we need to be able to
register all networked devices. This
device registration process is already in place for student residences at IUB
and IUPUI and is the purpose of the IP Address Security and Accountability
Project.
Concerns About the Project
Systems and network administrators, especially within UITS, have always
monitored performance of servers and networks.
This monitoring is necessary for technicians to maintain services. The network device registration will not
provide any new capabilities to these staff or any additional information about
the users or their uses of computers.
Access to user devices or user accounts, or monitoring of network traffic, is
strictly governed by the university’s Policy on Privacy of University
Information Technology Resources (IT-07) (http://www.itpo.iu.edu/policies.html). Any violation of trust and the policy would
be dealt with immediately and harshly.
Some faculty may have the mistaken belief that the IP Address Security
and Accountability Project will introduce new UITS privileges and that data
would or could be logged regarding Web sites visited, the time and date
information was received or sent, records related to connections to specific
devices on networks, or other information that might be used to identify or
associate a user with content of communications or access to information.
As indicated above, this is not true. The IP Address Security and Accountability
Project will register limited metadata only, including 1) identification of
the computer connected to the IU network, 2) the person who is responsible for
its support, and 3) an owner who can be notified if the computer should be
compromised and if it is threatening other computers, IU systems, and the
network.