June 27, 2013

Eric Smith, chief information security officer for Bucknell, Susquehanna University and Franklin & Marshall College

Please note: You are viewing an archived Bucknell University news story. It is possible that information found on this page has become outdated or inaccurate, and links and images contained within are not guaranteed to function correctly.

[X] Close this message.

By Matt Hughes

LEWISBURG, Pa. — In a world where nearly everyone maintains multiple online identities, a single cyber breach can have a far-flung ripple effect.

A 2012 attack on the social networking site LinkedIn exposed the password hashes, essentially encrypted passwords, of millions of users, some of them Bucknell students and employees. Those hashes can be easily untwisted by the tech-savvy, and Eric Smith wonders how many of those affected used those same passwords to login to Bucknell servers.

"How many dozens of sites do you have the same username and password," Smith questioned. "People tend to reuse credentials."

Smith, a Bucknell employee since 2004, was named chief information security officer in March for Bucknell University, Franklin & Marshall College (F&M) and Susquehanna University. Smith called the new collaboration a unique position in the world of higher education internet security. He is developing common security procedures, policies and an incident response plan for the three institutions, whose networks collectively are accessed by some 25,000 devices daily when school is in session.

For him, the LinkedIn breach exemplifies the need for all organizations to make constant and evolving efforts to secure data on their networks, and demonstrates why the University is partnering with two other institutions to do so. || Read Smith's thoughts on social networking and privacy in Bucknell Magazine.

Similar needs, similar concerns
The partnership makes sense, Smith said, because the three institutions have similar security needs and share other commonalities. They are all private liberal arts schools with significant portions of the student body living on campus, and are geographically close to each other — Susquehanna is in nearby Selinsgrove and F&M is about 90 minutes south of Bucknell in Lancaster. Security plans and procedures will need to be custom-tailored to each institution, but there are more similarities than differences, he said. Officials at the partner schools agreed.

"Enhanced information security was a need that all of the institutions had identified, and this partnership is a great opportunity for us to share knowledge and resources quickly and easily," said David Proulx, vice president for finance and administration at F&M. "We are always looking for ways to collaborate with other colleges and universities, and this shared position helps all of us maximize our resources and provide additional needed service at a minimal cost."

Mark Huber, chief information officer and director of information technology for Susquehanna University, compared Smith's role to that of a personal trainer; he reminds Huber and his team of the things they know they need to do, keeping them to an overarching security plan.

"The benefit of having Eric in this role is not only having his expertise, he can also look at best practices among the three schools he's working with," Huber added. "There is a real consortial emphasis on this role."

Furthering collaboration
The three schools are also hoping to learn from others. They have joined a "cohortium" hosted by EDUCAUSE, the foremost organization for IT professionals in higher education, to investigate the use of multifactor identification in college networks. Multifactor identification can be defined as a combination of a username, password and a third element — typically something the user must physically possess, according to Smith. For example, a physical USB "key" a user carries, or a smartphone app that generates a number tied to a cryptographic token saved in the phone. To login, the user must enter a password and plugin the USB key or enter the cell-phone-generated code. Both options greatly reduce the risk of overseas attacks, Smith said.

Smith believes a three-factor system may be necessary because people tend to use the same usernames and passwords at multiple websites.

"Our security here could be Fort Knox, but if you're just giving out the same password to some third party, who then doesn't take care of that data as well they should, and somebody sees a Bucknell email address and a password, what's the bad guy going to try?" he questioned.

Smith said teaming up with the EDUCAUSE project allows the schools to learn from other schools experimenting with the system.

"There are much larger institutions that have 30,000 students that are thinking about doing this," Smith said. "So getting their help and advice, and seeing how they might manage the logistics of something like this, we can scale it down to school like Bucknell or Susquehanna or F&M."

The timing of the partnership also makes sense for Bucknell, Smith said, because the University is a charter member and network hub of the just-completed Pennsylvania Research and Education Network, a high-speed fiber-optic network linking networks at colleges, universities and other non-profit institutions across the state. || Read more about the network.

"Sharing data back and forth really lends itself very nicely to this security role," Smith said. "If we're going to keep cooperating in this IT space, let's keep it going."

Preparing for the threat
The risk certainly isn't disappearing. As internet security has grown more sophisticated, so too have threats from hackers, Smith said.

Direct attacks on servers and worms assimilating their way through internet-connected computers have largely faded from the security scene as internet firewalls and antivirus programs have become more sophisticated and universally implemented. Today's threat, Smith said, largely comes from insecure software on machines at the periphery of networks. The security community labels it "spear phishing."

As Smith explains, "They send an email to a receptionist or somebody at the edge saying here's the purchase order you requested for whatever, and it's an infected .pdf file, or it contains a link to a Java exploit or something like that, so now that machine is compromised. Now they have a foothold in a network and they can wriggle their way in through that. So that's a big concern, and we see that here at Bucknell, especially with student machines."

As smart devices become the primary gateway for internet users, networks face new challenges. Imagine, Smith suggests, that a faculty member stores grade information on a smartphone that is then lost or stolen. The professor may have unintentionally leaked personal information that the University has a legal obligation to protect.

"Even though you can argue it's not the University's fault, it's the University's data, and it's our job to protect it," he said.

Smith described the cat-and-mouse game of hackers and security pros as "a constant arms race," which is why it's important the three schools implement a system — of both technology and  — that not only addresses current threats but is nimble enough to quickly adapt to future ones.

Imagining and preparing for the worst is key to having that flexibility, Smith said, and it's what he's working on in his new position. He is developing an incident response plan he likened to a fire drill.

"The idea is to flesh this all out ahead of time in easy to follow steps, so that in the midst of a crisis you're not scrambling to find phone numbers, you're not scrambling to find who you should be contacting," he said. "Everybody knows what to do."