Slashdot Mirror

← Back to Stories (view on slashdot.org)

UC Berkeley Cleaning up its Security Act

Posted by ryuzaki0 on from the case-studies-in-self-evaluation dept.

Bob Brown writes "UC Berkeley recently issued a scathing self-assessment of its IT department, which has been under fire in the wake of a couple of high profile security lapses at the school. NetworkWorld has a review of what the school's top networking guy says is being done to both secure and strengthen UC Berkeley's computer networks."

3 of 79 comments (clear)

  1. The Article by zaguar · · Score: 4, Funny

    Security... NEXT PAGE
    has lapsed... NEXT PAGE
    but we are... NEXT PAGE
    doing our best... NEXT PAGE
    trying to... NEXT PAGE
    improve. END ARTICLE

    --
    "Sure there's porn and piracy on the Web but there's probably a downside too."
  2. Re:Link to print version by Whiney+Mac+Fanboy · · Score: 4, Informative
    God, that was silly of me! (didn't check the URL before posting)

    Here's the article text, moderators, please mod the parent into the ground!

    Securing UC Berkeley's network

    School looks to shore up security in wake of breaches.

    Linda Leung,Network World,04/24/06

    The University of California at Berkeley has made a name for itself in networking, with innovations such as Unix, Berkeley Internet Domain Name, Smart Dust and SETI@home. But the school has made headlines over the past few years for some things of which it is less proud, namely a couple of security breaches (a stolen laptop containing personal information on graduates and a compromised database of California residents).

    At the start of this year, the university published a scathing self-study of its Information Systems and Technology department. It acknowledged the school's advanced IT network and talented professionals but recommended radical changes to the IT department's governance and structure (read the report).

    Clifford Frost, director of Berkeley's Communications and Network Services (CNS), recently spoke with Network World Senior Online News Editor Linda Leung about what the university is doing to ensure that when people think of the school, they think "innovation," not "infiltration."

    How has IT evolved at the university?

    It's been haphazard. In the case of the network, it's been pretty organized. Back in the '80s, there were campuswide committees that said networking is going to be important so let's start building it up now. The campus financial and administrative systems are pretty advanced. But campus student systems [such as online registration and course catalogs] are less well-funded and organized because there has not been a single high-level sponsor. This is one of key things the campus is open to addressing in the reorganization.

    Also: What makes Harvard's net tick

    What is your security plan?

    Every networked device has to have its operating system kept up to date with security patches - Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95]. There are microscopes controlled by old operating systems - [the owners] have to put a firewall in front of them. We have software that people can use for free - they don't have to buy their own firewall or anti-virus software.

    Having a policy only goes so far. McAfee's Foundstone scanner allows us to scan the network continuously for vulnerabilities. [If something is found] we tell [the device owners] to fix it or we turn off their access. Departments can log in and scan their own nets.

    How else do you secure the network?

    We do intrusion detection at the border of the campus network and more and more inside the network. We monitor to detect when systems have been broken into or are being broken into or about to launch an attack, and we can turn them off. We use McAfee IntruShield Snort, Nessus and Bro Intrusion Detection System. [Intrusion detection] is a big issue because we've had some pretty big security breaches on campus [see stories hereand here]. There is a big thrust in getting people to encrypt data on their desktop or laptop.

    How do you get ahead of the security challenges?

    The latest thing we're doing is getting people on campus to audit their systems, and the recommendation is to remove [sensitive i

    --
    There are shills on slashdot. Apparently, I'm one of them.
  3. Re:Faulty Password Protection by LilGuy · · Score: 4, Insightful

    You know, having so many rules might narrow down the crack time as well, if you know what they are. Obviously if you can get a huge dictionary, you won't need to try any combination of characters with a word in it. You won't need anything less than 8 characters, and you'll have to try at least one capital letter and a number, but most people will probably use two. People tend to like symmetry even in their passwords because it makes it easier to remember one half of something and then just spit it out again backwards. The non-alphanumeric character is kinda the stickler though. My best guess is that it will either be in the middle of the password or at the very end... probably by someone getting frustrated on their 10th attempt to set the password and finally figuring out what a non-alphanumeric key is.

    But I'm not saying it's not a good idea. I just wanted to point out that the more rules you have to make your passwords secure, the less secure they may become.

    --

    You're nothing; like me.