Campus Security Audit finds problems

[Chris Swingler]

Did anyone else see this?

http://www.thealestle.com/news/2004/04/20/Lifestyles/Audit.Finds.Inadequacies-665773.shtml

The Alestle - Lifestyles
Issue: 4/20/04

Audit finds inadequacies
By Kristen Reber

Committees and consultants are working toward improving security after an audit report found inadequacies in the university computing systems.

According to the State of Illinois Southern Illinois University Compliance Audit for the fiscal year ending June 30, 2003, computer security and disaster contingency planning seemed inadequate on both the SIUE and the Southern Illinois University Carbondale campuses.

Released March 24, the audit report stated, "The university did not have adequate security controls over its computer operations."

Firewall protection and global security settings on campus were found to be inadequate.

According to the report, a computer advisory committee is "in the process of developing procedures to correct some of these weaknesses."

The audit report also stated routine password changes for systems, such as the student information system and the payroll system, were not mandatory.

"We were surprised about our security plan. We've had fairly good security, but as far as our disaster plan, we were not as surprised," Lovejoy Library Dean Jay Starratt said.

According to Starratt, the inadequate disaster plan findings could be attributed to a disorganized wording of the university's disaster plans.

"(A disaster) could be anything that keeps you from operating in a normal way," Starratt said. "For instance, a power surge could fry the main frame (and that would be a disaster)."Improvements are already taking place.

"For the disaster plan, we've hired a consultant to help us finish up, and we have a pretty good plan," Starratt said.

The report stated a university-wide information technology operations committee "has also been established and has been discussing disaster recovery issues."

Plans for changing access to the network may take shape in the future.

"Some of the most important systems have to have an account and password (to sign on)," Starratt said. "One thing we don't have is a sign-on to the network. We'd like to authenticate you as a legitimate user (signing on to the school's network)."

Other network settings, including firewalls, were discussed in the report.

"Since then, we've moved all the student information systems, such as CougarNet and things like that, behind a firewall and perimeters like that," Starratt said.

Improvement plans for security are in the works for campus, as well as planning for additional improvements.

"We are beginning to plan for a new student information system, a very robust program with a single sign-on (to places such as CougarNet and Web mail)," Starratt said. "It will take probably around 18 to 24 months to complete."


Hmmm... any insight on how they are planning to do network authentication?  Will that effect the dorms?

[William Grim]

Yeah, I read that a couple days ago in the Alestle and was like, "No freaking crap."

I've done my own simple audit of cougar a couple times in the past just for the hell of it, and once I even found /etc/fstab world writeable.  I could have pointed the file systems anywhere I wanted and completely taken over the system whenever they would have rebooted.

Also, what's up with not changing the passwords on accounts?  Real freaking good there.  And they get worried that the CS department won't be able to handle its own network security.  Please, I bet we'd do a better job than them any day, especially with someone in the CS department that cares about this kind of thing *hint* ;-)

He he, ok, enough of me blasting our school's campus security.  I'll pass it on to the next fellow now.

[Jarod Neuner]

Frankly, network security here is extremely lame. I've worked Housing Computer Support here since September, and the degree of security problems this campus' databases have are sickening. I'm not going to post any of them here, btw - I like my job~