<cfoutput>#PageTitle#</cfoutput>
University of Illinois at Urbana-Chamoaign logo Crop Sciences Intranet Banner Image

Comprehensive Campus Computer and Network Security

December 6, 2001

To: Unit Heads
University of Illinois at Urbana-Champaign

From: Peter M. Siegel
Chief Information Officer

Re: Comprehensive Campus Computer and Network Security

I would like to ask each of you as unit heads in departments, college offices, or other campus units to take responsibility for the security of the computers and networks in your units. Attacks on university systems and networks are now commonplace and there is reason to believe that attacks will become more automated and more malicious in intent. While thus far, we have been lucky, other leading campuses whose student records or college information were compromised have been highlighted in the press. There is also discussion in Washington that in order to receive federal grant funding, universities will be required to certify that their campus has complied with computer and networking security measures.

I am asking you to take the following pro-active steps to increase the computer and network security in your units which will result in better campus security:

  • Please verify the technical or managerial security contact(s) for your unit that was recently sent to you via campus mail. The CIO security office will assume that the person you identify will respond definitively and take necessary action when a security notice is sent to the contact list. The information sent to the list may be of a confidential nature, so choose individuals who will be both responsive and discrete.
  • Ensure faculty and departmental staff have installed the patches and updates appropriate for their systems, including desktops and servers. While units are responsible for being proactive, the CIO Security Office will endeavor to notify your security contact of significant identified operating system weaknesses.
  • Ensure faculty and departmental staff have installed virus protection software with automatic updates on their desktop computers. This software is available at no-cost to faculty, staff and registered students on a Web download site.
  • Do not allow people to share passwords.
  • Do not allow systems to be accessed without a password.
  • Train your technical staff in security methods. Basic training will be provided at no cost to your unit by the CIO's Office.
  • Educate everyone in your department about the campus-wide importance of a secure network. Insecure systems that are compromised may have data destroyed or modified, or may be used to launch attacks on other campus or external systems.
  • Require your administrators to respond quickly when notified of a security problem and require them to fix the problem as soon as possible.

The University of Illinois community has access to very fast and very high-capacity networks, supercomputers, servers, and powerful desktop machines. These types of resources make campuses with strong IT infrastructures an enticing target for hackers from all over the world. The National Infrastructure Protection Center warns that educational institutions are among the most popularly targeted sites. Large research universities have always been a target for hackers but the intensity of attacks from outside (and within) universities is increasing. Examples are the Nimda worm, Code Red, Code Blue, I LOVEYOU, Melissa, or Denial of Service. Just as important, such attacks can modify or destroy important research, administrative, or personal data, share that data outside the university, or install programs that will run at a later time to cause similar mayhem.

More details about campus IT security efforts, along with links to virus software and operating system patches can be found at http://www.cio.uiuc.edu/security/

Some data points about recent campus security incidents were included in the paper copy of this memo that was sent to you earlier this week. Those data do highlight that the campus is vulnerable and needs to be more proactive about IT security.

The CIO Security Office and CITES (formerly known as CCSO) have worked diligently to try to prevent these IT security attacks or minimize their impact after they do occur. Among our most important security improvements to date, we have:

  • installed a campus firewall that slows down traffic that fits a particular profile,
  • filtered IP addresses that have attacked our systems via Denial of Service Attacks or SPAM,
  • run scans on all computers on the network to search for known vulnerabilities so these could be fixed and we have encouraged network administrators to run their own scans,
  • established a security working group to outline a more comprehensive campus security plan, and
  • purchased a campus-wide license for free virus protection software.

Intruders regularly scan the campus network to identify security holes. The CIO Security Group has begun running proactive scans on the network to identify problems and work with administrators to fix them before a department or the campus network is compromised. We will continue to run the scans and ask that your units respond appropriately, and quickly when a problem is found.

The study, Cyber Protest: the Threat to the US Information Infrastructure, October 2001, predicted that the danger posed by hackers continues to escalate. By following through on the requests listed above we can minimize the number of mischievous or malicious attacks on our network, as well as their severity. The basic security steps are relatively pain-free and I urge you to take the quiet vaccination approach rather than having to deal with a public epidemic later.


Please report any bugs and send all questions/suggestions to the Webmaster