Every year, Whitman hires a security audit firm to try to break into its computer network.
Aside from trying to hack in, the company also tries to gain confidential information from individuals. Company workers will do this in a variety of ways, including pretending to be Whitman College Technology Services (WCTS) staff, bargaining for passwords and looking to see if passwords are written on sticky notes in various offices. After conducting a comprehensive investigation, the firm delivers Whitman a report on how secure its network is.
“The quote that we got from the security people last time is that we’re better than most banks and hospitals,” said Director of Network Technology Kevin Kelly. “While all that’s good, we still don’t want to let down our guard.”
The security audit firm is just one of the ways that WCTS works to keep Whitman’s network secured.
“Security is a never-ending process … it’s a loop where you constantly reevaluate and reapply,” Kelly said.
WCTS protects network-connected computers by using five or six firewalls, Kelly said.
Kelly also said that Whitman uses three kinds of virus scanning: local virus scanning; virus software provided for every college-owned and student-owned computer on campus; and POSTINI, a program that checks all e-mail coming into campus from outside sources. POSTINI also checks incoming e-mail for spam, and students can choose to activate or deactivate the spam filtering and to adjust its level of aggressiveness.
“You don’t want to have just one single thing that’s supposed to stop a particular attack,” said IT Services Consultant Matt Pearson. “You want to have multiple things, so if one barrier breaks, hopefully the next barriers will stop it.”
Another barrier Whitman uses is separating the network into about 40 different sections. Only certain administrative computers have access to certain sections, which may include confidential information such as financial and medical records. Because these parts of the network are separate, they can be given a higher level of protection and monitored more closely, said Middleware Analyst Mike Osterman.
Students using Whitman’s wireless network have safeguards set up for them, too, said Kelly.
A wireless network uses a radio transmitter, enabling other people to potentially capture the “conversation” between a computer and a network. But all Whitman Web pages containing sensitive information (passwords, grades, medical records, etc.) are encrypted. This means any outside source viewing these conversations will essentially see only gibberish. An encrypted Web page is indicated by “https://” in the address bar and a lock symbol on the bottom of the page.
“We’ve been working to get all that information encrypted for five or six years now. It’s actually quite a long process,” Kelly said.
The WCTS staff is less concerned about computers being broken into or contracting viruses than about people falling for scams or “phishes.”
Phishing involves aggressors contacting would-be victims with fraudulent situations, requesting money or personal information. A common phish involves an e-mail pretending to be from a bank, requesting that the recipient follow a link and supply their bank account and PIN number.
“We’ve had one staff member that we know of who has had their bank account emptied here, about a year ago,” Kelly said, describing the chilling consequences of phish scams.
Shannon Callister, Director of IT Support Services, said that just last week she received an e-mail claiming to be from the Whitman support team, asking for her log-on password.
“Be highly skeptical of everything you get in an e-mail,” Kelly said. “There is absolutely no reason to give personal log-in information to anybody, any more than there would be a reason to give people a copy of your home key.”
There are so many different ways people ought to stay safe on the Internet, said Kelly, that “you can write a book or have a year-long class on how to do all this.”