Want good campus IT security? It all relies on you. Bob Ono explains

Did you receive any of the seven or eight phony "UC Davis" emails this year? The ones with tilted grammar that warned of trouble, sent from concealed sources that asked for your email account name and password? Phishing messages like those are one reason why the campus employs Bob Ono. Helping to deter online fraud is one of his responsibilities as coordinator of information technology security at UC Davis.

Bob  Ono  in  his  office Bob Ono, in his office.

Ono knows the campus pretty well. He earned a bachelor's degree in health-care administration (an independent major) here in 1976, worked in the ASUCD Coffeehouse, was elected to the student Senate, lives in Davis, and is the husband of one alumna and the father of another. But he was hired eight years ago from the Sacramento Municipal Utility District, where he was information security officer, for what was then a new position at UC Davis, because of his skills in IT security.

He says, in his quiet and engaging style, that IT security is everyone's job. Its strength at UC Davis relies on collaboration, from consulting with faculty, staff and students on security programs, policies and priorities; to individuals choosing strong passwords; to Ono sharing information and resources with campus IT peers nationwide so that all of them can more easily anticipate the threats and challenges ahead.

UC Davis is a major research center, so IT security here requires more than a tight defense. It requires a secure but generally open computing network, accessible to faculty, researchers, students, employees and affiliates around the globe. In late summer, Bob Ono talked a bout the work with IET senior writer and editor Bill Buchanan.


How is UC Davis doing in IT security?

Higher education institutions attract a lot of unauthorized activity. We have fast networks, many computing hosts on the network, and tremendous amounts of disk storage. Research programs have traditionally encouraged open networks. They're all essential to higher education technology, and also attract individuals who would like to use such services for mischief. So the cards are stacked against us a little.

With our campus cyber-safety policy and security program, we have looked at how best to address the security threats. Our security program is based on four components: prevention, through policy, standards, and use of security technology; quality assurance; incident investigation and detection; and recovery.

I think, with our very comprehensive program, UC Davis is doing pretty well.

The security of our computing systems and network will continue to improve. With a security program, you're never really done.

How do you keep up? The computing system here is complex, and used by people with vastly different needs, skills, and security habits. Online crime evolves. Tools improve. How do you focus?

We look at the threats and assess the risks. Our cyber-safety program has 16 security standards that all campus units must satisfy. Even with the 16, we identify which ones have higher priority. We can't address everything. We focus on the threats that pose the highest risk.

That's one way of helping to define where we go. The other part is working with campus units to help determine where to place our attention. Much of the computing and security at UC Davis is decentralized. Getting input from campus units on the threats and risks that people are seeing is vital, so we can determine h ow to move forward as a campus.

UC Davis also participates in national forums for security incidents. We receive and share information with other institutions of higher education.

What are the biggest current threats?

One would be the zero-day exploits. They occur when computer vulnerabilities are under attack and the vendor responsible for fixing the problem has been unable to release a corrective patch. A zero-day exploit could let a virus run wild or allow malicious traffic to enter the campus network. We've deployed network sensors to help us repel many serious zero-day attacks.

Another would be the phishing schemes that have been hitting campus. These email messages often appear to come from help desk or email administrators. They encourage the recipient to respond to a fictitious account problem by sending their campus account and password to another party's email address.

Despite our best efforts to inform campus account holders that UC Davis never requests account and password disclosure, some individuals still read the message, are concerned, and out of that concern respond to the phishing message. Unfortunately that's what the sender wanted, and then the sender harvests their account and password. The sender can then use the account to generate thousands of new spam or phishing messages, or some other bad use.

We try to identify campus email accounts that have responded to known phishing messages. One thing we struggle with is, once we find individuals who have responded to the messages, what do we do? Our records show only that they responded. We don't know how they responded.

It matters whether they sent in their password, or told the sender to get lost.

Right. When an account holder has responded, the most effective security response is to disable the account from further use and ask the holder to reset his or her password. You can see the issue. If you disa ble the account of someone who provided their account and password, they're very thankful, perhaps. But if we disable an account from an individual who said 'get lost' to the message originator, they're not so pleased.

We're strengthening the campus security awareness program to emphasize that these phishing messages aren't always caught by the spam filters, and that the university never asks account holders to disclose their computing or email account and passwords.


What are your goals for 2008-09?

Despite our budget constraints, we have a rather aggressive security program. One major project is working with the UC Davis Health System to develop and implement an identity management system. We're looking to help consolidate information about individuals' electronic identities--who they are, where they work, what roles and responsibilities they have.

To function, every application on campus needs these key components to some degree. Identity management systems can help gather and place that information in one location, so that every application on campus doesn't need to develop that same capability. Applications can then query the central identity management system and determine what the individual, or account holder, can do within the constraints of that application.

Right now, no one system will do that? The work is done by different systems?

Right. Several systems manage identity information. That adds security challenges, because it creates more identity-related systems to protect from unauthorized access.

But an identity management system would centralize that task, so people could work more easily across the campus network.


We're at the beginning. The project's tasks, resources and budget are being defined. The project will bring new identity management tools to UC Davis and the Health System, and take several years to implement. It's extremely complex, but very rewarding to the university. It also offers significant benefits in cost reduction, security, and ease of use for campus units that develop applications.

Another program for 2008-09 is administering the cyber-safety policy. In September we released our annual cyber-safety survey.

That's where you ask people how they're doing in respect to meeting the cyber-safety security standards.

We ask through an online survey. After receiving the completed surveys, we prepare an analysis by each college, school and large administrative unit.

The survey helps colleges, schools and units to evaluate how well their security program has improved. It gives me information about campuswide security challenges, as well as common needs for security solutions. Finally, the survey information is used to report back to the chancellor and provost on the state of information security at UC Davis.

You're also working on a forensics project this year.

We're developing a proposal for a collaborative systemwide computer forensics program. Computer forensics can help us investigate security incidents and preserve the integrity of digital evidence.

We don't have quite enough workload for full-time staffing in this function. But systemwide, perhaps we could find enough work for up to two people full-time. So I'm collaborating with my security peers at the other UC campuses to develop a proposal for how UC Davis might develop this service, and offer it to other campuses, while providing some individual campus cost savings.


What were some big accomplishments last year in IT security?

One is the virtual private network (VPN) for electronic library references.

What's a virtual private network?

The term typically refers to a private network connection over a public network, such as the Internet. During fall 2007, a VPN was created to make it easier for UC Davis students, faculty and staff to remotely access library resources over the Internet.

The University Library licenses electronic content, such as research journals, that faculty or students need to access--sometimes from off campus. But the license holder for the content often restricts download access to requests from a campus IP [Internet protocol] address. If you're working from home or an Internet cafe, easily gaining that IP address is an immediate challenge.

We implemented a VPN that lets university affiliates use their Web browser, which just about everyone has on their home computer or laptop, to make a private connection over the Internet between their computer and the UC Davis network. This connection gives the end-user a campus IP address and, thus, access to the licensed material. To the electronic content provider, the end-user appears to make the content request from UC Davis. It's a tremendous benefit.

So if you can use a browser, know the library VPN's Web address, and have a campus computing account, that's all you need. Before, you had to reconfigure your browser on your remote computer.

The project was a collaboration between IET and the University Library.

The campus also upgraded its network security alert system last year.

That was another major accomplishment. Previously, our security alert mechanism used intrusion-detection technology. It could report on intrusions, but had limits as to what it could do to prevent them.

The hardware for the detection system was nearing replacement age, so we upgraded the campus security alert system with in trusion-prevention sensors. They have been placed at critical points on the campus network, and can detect and terminate malicious traffic before it enters the network.

The gain seems obvious. You've gone from detecting an intrusion to preventing it.

The system can look at the traffic as it comes through, and if it meets certain criteria, block it at the campus border. Some UC medical centers use the same approach. It's expensive technology, but it affords us a tremendous advancement from where we were. We also identify malicious traffic as it leaves the campus, which can help alert a system administrator to a potential problem.


Whom do you work with most on campus? Mostly technical people?

I communicate with technical staff, but my job is much broader than that. The security program requires an open communication channel to students, staff and faculty.

Students have received phishing messages, and we're stepping up our alerts to students about this threat. They have security responsibilities, as everyone does, in keeping their systems patched, and selecting a strong password. Staff and faculty have many computing systems, and those systems have maintenance issues as well.

I also work with the campus community to help move the campus security program forward. This collaboration often involves the Technology Infrastructure Forum [TIF], Campus Council for Information Technology [CCFIT], and Senior Advisors Group. The TIF consists of senior technologists from throughout campus. CCFIT, which has academic, administrative, graduate student and ASUCD representation, advises the provost, and the vice provost of IET, on technology use. The Senior Advisors Group has senior staff representatives from throughout UC Davis, and provides guidance to the chancellor and provost on administrative topics.

Members of the Academic Senate play an important role in the security program. For example, a cyber-safety oversight committee helps guide the direction of the campus cyber-safety policy and security standards. Professor Scott Stanley is the Academic Senate appointment to this committee. In addition, faculty members and researchers are consulted on measures to reduce security threats and risks.


If you could tell every faculty member, employee and student one key message about campus IT security, what would it be?

That security is everyone's job.

It is not just the sole area of your technical staff member or IT help desk. Everyone has some role, whether it's applying patches, using anti-virus and keeping it up to date, selecting a reasonable password that can't be easily guessed or detected, or not responding to phishing messages. Everyone owns the security problem. That's the basic message. For an idea what to do, visit the security Web pages. We have material on recommended security practices, plus instructional guides. They provide useful advice, for computers at home or at work.

We also give security software to campus technology users. Of particular note is the free Sophos AntiVirus software for campus and home use, software tools for whole-disk encryption, and software scanners that can identify electronic personal identity information stored on a disk.

A starting point would be the basic instructional guides.

Is there a No. 1 tactic, like 'have a good password'?

The tactical message is, no one security practice will protect you, unfortunately. You have to do a number of things to secure your computing system. A good password is key, but keeping your system up to date, and using up-to-date anti-virus, i s equally important. We frequently find compromises from people who haven't patched vulnerabilities in their computing system. A password won't protect you against that problem.

Computer security practitioners call the need for multiple security layers a 'defense in depth' strategy.

So there's no one thing.

No one thing.

Read more about campus IT security, including practical advice that will make your online life easier and safer, at security.ucdavis.edu. See an award-winning UC Davis student video on the subject here.