4. Conclusions

Spread education and alerts

Education about security issues must continue, so that everyone is aware of the potential problems. Not only must the latest security alerts reach the people whose systems will be affected by new vulnerabilities, but those people should also be aware of the general guidelines for secure systems (and bear them in mind when purchasing new software and equipment).

Develop local security policies

When anyone chooses to apply a particular security solution, they are necessarily deciding on a security policy, although they may not realize this. We need continued debate about security solutions to keep the policies of different parts of the University consistent; what happens in any area of the network has consequences far beyond that limited area, particularly when security issues are involved. Cooperation is obviously vital if we are to have any University-wide security services (key repositories, MAC address databases, etc.).

Gather evidence of security compromises

Many people are already recording audit traces and log files that show security violations, both successful and unsuccessful, but no one is looking at this information from a campus-wide perspective, and there are no long-term archives of information that could serve as reminders of known threats or help identify trends through time. We need to combine our data, and place at least some of them in a long-term incident archive.

Create a local incident response team

Someone has to be responsible for disseminating security information, gathering reports, and responding to emergencies. We need an incident response team for the University, similar to the ones that exist at the national level (and at some other universities). This will necessarily generate an institutional security policy, so we should have a strong interest in ensuring that it meets our requirements and isn't simply imposed by administrative decree.

Ethical context for all this activity

All security activities need to be placed in an ethical context, from the most general institutional policies down to the responses of the individual system administrator. It's all too easy to get lost in the technicalities of specific attacks and defenses, while naively categorizing everyone involved as absolutely good or evil; but concerns such as personal privacy or maintaining open access to public data need to be taken into account as well.