Looking for some unusual entertainment?
When pressure encounters a vacuum
Trouble can happen when the high pressure of university openness meets the content vacuum of the World Wide Web. The vacuum results from web environments that never fill up. There are few incentives to limit the content that well-meaning employees publish on their organization's web sites. In fact, there are significant pressures to document, publish and display everything possible.
Turning campuses into vaults of secrecy is not the answer. Rather, common sense and the lessons learned from 9/11 are probably more to the point. Some middle manager may have been rewarded for the flight simulator idea. Turning a cost-center into a profit center is usually a worthy business objective. "Need to know" was probably never considered.
Examples of bad sense abound
But what about the U.S. Navy? One can only imagine that anyone with a real need to know the location of an aircraft carrier would be able to get that information without clicking on a publicly available website. Perhaps I was the only one surprised to find out that the week after September 11th, the U.S. Navy stopped posting the location of the USS Carl Vinson ("America's Favorite Carrier" according to their home-page) on the web.
The inexorable pull of the content vacuum led to the rash display of information. After all, what good would an aircraft carrier's web site be without lots and lots of good data about its mission, position and other facts, trivial and otherwise? Meanwhile, recent visitors find the Carl Vinson's "facts" page "Currently Not Available."
Around the same time, the Department of Energy decided it would remove the GPS coordinates of all the nation's nuclear reactors from the web-site. Certainly, there may be real estate developers who truly and fairly want to know how near their proposed subdivision is to a power plant. Does that mean such information should be posted on a web site for the world to see?
Limited only to the government?
Chalking the problem up to military SNAFUs and federal government incompetence might lead one to believe the problem isn't widespread. It is. Here's a small sampling of what's available on some .EDU web pages.
It doesn't take a psychic or a PhD to predict how such information could be leveraged against those campuses. But one may say that perhaps those weaknesses aren't weaknesses at all. Perhaps they're "honey pots" - targets too good for an intruder to pass up, strategically placed to help track, trap and apprehend intruders. As of yet, not likely so. Higher education has not made extensive use of such techniques.
Don't make the attacker's job easier
Of course, all but the most junior bad-guys can snoop most of your server and network information surreptitiously. Even so, there is no reason to be an inviting target. To be sure, removing ignition keys and locking a car door may not cut down the crime rate. But it can shift the crime to an easier target. And volunteering to be a victim by making it easier for attackers is a very bad idea. On some campuses, data security responsibility falls somewhere between internal audit groups and IT security offices, while physical safety lies with campus police departments. However, in this era, data security is too important to be left to the experts.
So where does the prudent administrator draw the line? How does he or she protect both the safety and security of the campus while not damaging the sense and purpose of open collaboration and information sharing?
Know your data
Universities have become pretty good at dealing with controlled access to their structured data that is used in and managed by campus business systems. Structured data is granular and controllable by embedded access rules.
On the other hand, unstructured data resides outside of relational databases. It is embedded in documents, spreadsheets, diagrams and pictures. Diagrams and pictures contain very few words and thus foil even the best content searches. The only way to determine if sensitive information is contained in an Adobe Acrobat (PDF) document is to search the document. Worse, a Visio network diagram or PowerPoint architecture diagram must be read with comprehension to evaluate its content.
Take this test
Before calling in the white-hats (hacker good-guys) to do a friendly penetration test of your technology assets, a few common-sense action items are in order.
Content management helps enforce policies when adding or changing web pages. It also helps maintain site quality and consistency. It may cause some items to go through multiple levels of revision and approval prior to posting. I don't like it. You won't like it. Content contributors hate it. Get used to it.
Richard Jacik is president and co-founder of Information Methodologies, Inc., higher education's leading enterprise web integrator. Contact him at 703.435.0370 or via eMail at firstname.lastname@example.org.
This article originally published by The Greentree Gazette.