Colleges and universities, by design, are open environments that promote
access to and sharing of information within the institution and amongst out-
side groups. Historically, they haven’t been early adopters of security solutions.
However, I’ve actually seen an increased level of interest in security among
university systems over the past two years. Security for them is often an
afterthought, except perhaps around sensitive areas of research. When it comes
to the general student population using network resources, accessing the
Internet, or otherwise interacting with computers, it is still pretty much an
untamed environment run fully or partly by students.
Because of the turnover in administrators and users, the university envi-
ronment is incredibly dynamic. Whenever there is high turnover in any orga-
nization, security becomes more difﬁcult. As a result, universities are popular
targets for attacks from outside and within, and are popular staging areas for
attacking others. When I ﬁrst started working in security, I recall my manager
telling me that if I saw malicious trafﬁc, and it turned out to come from a
university, two things were likely. One, the university was probably the victim
of a compromise—their systems were being used without their knowledge—
and two, even if we contacted the university about the events, nothing would
or could be done. I don’t agree with this today, but universities certainly had a
black mark at the time.
Over the last two years, there have been several incidents of academic
institutions’ systems being broken into. Here are some that made headlines:
The University of Texas at Austin’s system was broken into, and a stu-
dent was ﬁned one hundred and seventy thousand dollars and sen-
tenced to ﬁve years of probation. A year later, two hundred thousand
records containing information on students, alumni, faculty, and staff
were illegally accessed.
The University of Notre Dame in Indiana investigated an apparent
hack that exposed conﬁdential data belonging to an undisclosed
number of donors to the school.
Ofﬁcials at California State University, Chico, announced that that
they were victims of hackers who had broken into a computer
system that contained information for around ﬁfty-nine thousand
current, former, and prospective students, as well as faculty and staff.
146 Chapter 10 • Rapid Remediation—A University in the United States
424_Wtr_Clr_10.qxd 7/27/06 1:40 PM Page 146