Colleges Brace for Malware Wave

While returning to school may only be a fleeting thought for most students at this time of year, it’s top of mind for the folks charged with keeping university networks free from a host of electronic nasties.

“Fall is definitely the worst time for viruses and things wrong with computers on the network,” Tim Cantin, IT Director for Wellesley College in Wellesley, Mass., told the E-Commerce Times.

Colleges and universities have some unique security problems facing their networks, noted Andres Kohn, vice president for product management for Proofpoint, of Cupertino, Calif., a provider of anti-spam and e-mail security software for large enterprises.

Transient Population

One of them is the nature of their users. “They’re a transient population with little control over them,” he told the E-Commerce Times.

That’s very evident in the fall, Kohn maintained. “Kids come back from the summer with their laptops that have been all over the place and are usually highly infected with viruses,” he observed.

One of the first things universities try to do in the fall, he said, is track down who is infected, what they’re infected with and clean them up.

E-Mail Churn

Another challenge to the system is the churn in e-mail addresses at an educational institution in a given year.

“Every year a quarter of the students are moving on, so those e-mail addresses are no longer valid,” Kohn explained. “That huge churn creates a lot of garbage aimed at invalid addresses, which is why universities usually have a higher percentage of spam than most other organizations.”

He noted that at one of Proofpoint’s customer universities, all spam was quarantined. “When we scanned the quarantine, more than 90 percent of the e-mail in there was going to invalid e-mail addresses.”

Chafe at Uniformity

It can be difficult to impose uniform rules on a university network to beef up security, Kohn added.

“With all the different constituencies — the students, the faculty, the staff — everyone wants things done a little bit differently, so they really have to manage a very flexible system that meets everybody’s needs,” he explained.

“In companies,” he continued, “the system administrator just says, ‘This is how we’re going to do it, and you’re going to be happy with it.’ In a university, it’s a lot harder to do that.”

Centralized Control

Harder, but not impossible. At Wellesley, for instance, the college had installed a product from Cisco Systems called “Network Access Control” (NAC), formerly Clean Access.

“When you put a computer on the network, it stops you from doing anything until you log into the network server,” IT Director Cantin explained.

“Once you log in,” he continued, “it puts an agent on your desktop. That agent checks your machine to make sure it’s up to date and configured the way we want.”

He added that since last summer, the school has added another layer of security to that. It checks a machine to make sure it has one of several antivirus programs installed on it.

In addition, the university has an anti-spam, antivirus screening program running on its main mail server.

P2P Waning

Although problems caused by peer-to-peer (P2P) programs seemed to have abated, Cantin is skeptical about the lull.

“I think there’s a false sense of security there,” he said. “I don’t think that problem is going to go away too quickly. We need to keep on top of that one.”

Keeping on top of what noxious computer offerings incoming freshman may bring with them, though, can be a challenging task.

“With teenagers in any setting, no one can predict,” said David Karp, director of product marketing at Ipswitch, a software maker in Lexington, Mass. “They’re going to come up with something — the next file-sharing monster, the next Napster, the next viral site like Facebook or MySpace — and folks over 20 are just not going to see it coming.”