December 3, 2001

ITD offers new threat analysis service

Donna Price is coordinator of communications for the Information Technology Division

 

“Pearl Harbor.” “Babe.” “Ghost.” Just a list of movie titles? No, they’re also computer viruses. From Ada to Zulu, viruses populate the netherworld of information technology, bringing bits and bytes of chaos to the orderly progress of the workaday world. They pose a serious—but not the only—threat to the security of electronic information at Emory.

The number of reported security incidents at the University last year rose nearly 97 percent, ranging from enterprisewide threats to user errors, to worms and viruses, to spamming and hackers. How do you know if your data, software and hardware are adequately protected from threats of accidental or intentional disclosure, modification or destruction?

A significant point of vulnerability is server security. Put simply, servers are the hardware used to store and share files and applications that multiple people can access remotely when connected to a network. There are web servers, file transfer protocol (FTP) servers, Telnet servers, e-mail servers, file servers and so on. Millions of servers are connected to the Internet.

At Emory, there are currently about 160 e-mail servers, 300–400 web servers, streaming servers to convey digital video and audio files, and many others, adding up to more than 1,000 servers across campus. These are administered by departments, divisions and schools, as well as by the Network Communications and Information Technology divisions.

In most cases, servers don’t exchange viruses, but people accessing data from them do. For instance, a piece of infected mail or a document may be sitting on multiple servers in a holding mode. John Smith connects to the server, opens the infected file and the virus spreads. Everyone who uses e-mail is more than familiar with this pattern of events, but servers are vulnerable to security breaches in other ways.

For example, take the recent Code Red worm attacks. What made them such serious threats was that, once the worm identified a vulnerability in a server and attached itself, it immediately started looking for other machines with that vulnerability where it could spread. Code Red II installed a program on infected machines that allowed unauthorized access to files on that server. Anyone, anywhere, through a Web browser, could change permissions or change and delete files.

“The Code Red II backdoor was only a moderate danger at first because it required would-be hackers to give victims individual attention,” said Rob Poh, ITD security analyst. “That all changed with Nimda, a newer worm that automated the exploitation of the Code Red II backdoor.”

Thousands of threats like these are posed every day to information technology resources.

“Security is an issue for the entire Emory community to address,” said Donald Harris, vice provost for ITD and chief information officer. “In an environment where there are more servers purchased and maintained outside the central IT units than within, all must be proactive in finding security weaknesses and taking appropriate action. A critical part of this work is making sure system administrators have adequate security training and are using available software and expertise to identify problem areas.

“The bottom line,” Harris said, “is that a poorly maintained server puts everyone at risk.”

To aid the campus in maintaining IT security, Emory now offers a free security threat analysis to divisions, departments and other campus groups through local support and network administrators.

Administered by ITD, the system uses Internet Security Systems Internet Scanner software to help detect vulnerabilities. Scanning is performed on request or may be offered by ITD when a security incident is identified. Since its inception, 34 departments have used the service for more than 170 threat assessments.

The analysis identifies weaknesses that could be exploited by intruders. Selective probes search for 980 known vulnerabilities—including the most recently developed methods of attack—in network communication services such as operating systems, routers, e-mail, web servers, firewalls and applications. Results are summarized in a management report that includes remediation advice and specific steps to secure vulnerable computers.

For more information, contact ITD at SECURITYTEAM-L@listserv.emory.edu. To submit a vulnerability scanning request, contact your local support administrator or make the request directly at www.emory.edu/ITD/IRM/SECURITY/HACKS/ISSReq.html.



 

Back to Emory Report December 3, 2001