Keeping college networks secure

Morris Altman is the Director of Network Services and Internet Security Officer at Queens College, a senior college of the City University of New York. Queens College is the third largest university system in the US in terms of enrolment, with a faculty and staff of 5,000 and student population of nearly 20,000.

In this interview he talks about his job, the biggest challenges and threats his team faces, exchanging knowledge, and more.

You are the director of network services and Internet security officer at Queens College. How long have you held that position? Tell me a bit about your team, your responsibilities, and the peculiarities of your job.
I’ve held the position of director of Network Services and Internet Security at Queens College for the past 10 years. As far as my team goes, I manage the Network Infrastructure team, which currently consists of two people; the telephone services team, which currently consists of five full-time and five part-time staff; and the Server Administration team, which is four full-time and one part-time staff.

In addition, I utilize engineers from both my server and infrastructure groups to maintain our security appliances and assist me with investigations. Currently, we do not have a dedicated security team. However, I am looking to bring on a full-time security engineer, as we are really outgrowing our ad hoc approach to managing our security resources and applications.

In regard to the peculiarities of my job, there are a few specific things that really set us apart from a security team at, say, a large corporation. It really revolves around academic freedom. By this, I mean freedom for our researchers and students conducting research who are looking at things that they wouldn’t be able to in a corporate environment. For example, perhaps someone needs to look at pornography for a course in Human Sexuality or one person is doing research on computer hacking. The former could result in potential situations including a hostile environment lawsuit, while the latter could expose our sensitive IT resources to breach. Of course, that particular type of research would be isolated on a separate network, so researchers could safely visit sites that pose known threats to IT resources and sensitive data by exposing us to different types of malware and cyberthreats.

What are the biggest challenges and threats you and your team currently face, and what have you done about them?
At the top of our list is the phishing attack. These attacks are ever-evolving and constantly target our faculty and staff. To address this problem, we hold a range of IT security classes that cover topics such as phishing, and more importantly, how to detect phishing emails. We also send out regular correspondence about phishing and how to avoid them compromising our networks and data.

Another key challenge is credential compromise by botnets. Zero-day malware is being used to join computers to botnets and then steal users’ credentials. This has recently become a common problem. However, by deploying a combination of FireEye and ForeScout network security solutions, we’ve been able to prevent our computers from calling home to the botnet command and control servers.

Finally, a further challenge we are currently addressing is students and staff using their personal or college endpoints outside of the network. We are looking into an effective solution for this.

Queens College is part of the CUNY system, which includes 19 colleges and over 100 research facilities. Do you and the security officers at these institutions have a system in place to share knowledge about the dangers your networks and systems face?
Yes, we meet quarterly and also have a listserv that we post observations and questions to. In fact, we’ve had teamwork discussions dealing with a wide range of issues affecting our IT infrastructure. A key topic of late is phishing scams.

We’ve also had numerous discussions focused on the most effective ways to configure our anti-virus software and have held team trainings around this as well. Sometimes we are able to reach consensus on new processes and establish them as CUNY standards, and other times, they become more of a best practice recommendation, as opposed to hard standards.

Additionally, we discuss new security products and get recommendations from colleagues who’ve had real-world experience with these solutions. We also bring in vendors who will deliver presentations on new solutions.

How about on a national level – is there a formal (or informal) collaboration effort made by educational institutions?
Educause is a national association of colleges and universities with special interest groups in most areas of IT, including security. In particular, there is a security special interest group within Educause that I’ve attended a meeting for. However, I am not as involved with this group.

That being said, there is a very strong local group that I am involved with known as the New York Higher Education Technology Forum, or NYHETF. Originally formed by a number of local NY CIOs, this is an excellent group and does not allow vendors to attend meetings. Among the topics we focus on are operational methods, products that are proven effective in addressing our IT challenges, and problems with other products.