IN THIS ISSUE:

* A Great Conference, Spring 2005!

* eLearning Update/Announcement of Webinars

* How Secure Are You?

* TIS RFP Update

* MiCTA's Website is New and Improved!

* Information Resources for Legislative Matters

* Nonprofits Exempt from Federal and State Sales Tax on Telecommunications Services

* Welcome Jeanne Rhode to MiCTA

* Share Your Experiences/Successes with Colleagues

* Welcome to New Members

* Request to Update Member Contact Information

* Gateway Special

* Brodart Special

* Just for Fun!

A Great Conference, Spring 2005!

The 2005 Spring Conference is now behind us. This year’s conference featured the following three tracks: Technology Issues, Technology Challenges, and Vendor Programs. Through the technology and generosity of MiCTA Endorsed Vendors Sprint and Innovative Communications, Inc., select presentations from Day 2 including the keynote presentation were streamed live and remain available on the MiCTA website. If you missed these presentations, please take a look on the website www.micta.org.

eLearning Update/Announcement of Webinars

Member participation in new MiCTA contracts with e-Learning vendor partners is beginning to grow at an encouraging rate. Blackboard and Desire2Learn are enjoying both new sales to members and renewals of existing contracts with a new MiCTA discount. We are pleased with this increase in participation, and feedback from members is positive. If you are interested in learning more about special MiCTA pricing on e-Learning packages, please contact Jerry Hartman at ghartman@mictaservice.com.

In keeping with MiCTA’s mission, both organizations are sponsoring educational webinars designed to inform members about e-learning and help educators deliver a high quality educational experience to all learners. Here’s a schedule of the webinars. Join in if you get a chance.

D2L, Achieving Learner Success , An Up Front and Interactive Glimpse at the Latest e-Learning Technologies Tuesday, June 14, 2-3 pm ET Advance registration is required. Sign up by visiting www.Desire2Learn.com or call 1 888 870 8677

Blackboard, K-12 Introduction to the Blackboard Academic Suite , May 11 and May 18. Sign up for this webinar and learn about others at http://blackboardevents.webex.com.

How Secure Are You?

University CIOs are leveraging new people, policies, and professional tools to ensure network security.

by Joseph C. Panettieri

The following article was provided by University Business-The magazine for College and University Administrator

Douglas Boudreau is the type of student universities fear most. Boudreau is serving five years probation for identity fraud, intercepting wire communications, larceny, and unauthorized access to a computer. These are crimes he committed while a student at Boston College; where in 2002 he installed so-called "key-logging" software on more than 100 campus systems. The software recorded students' keystrokes, allowing Boudreau to gather names and passwords to networked systems. Boudreau pleaded guilty to multiple charges in mid-2003, and was sentenced in April of that year to five years' probation. Though the culprit wasn't behind bars, college officials breathed a qualified sigh of relief--after all, they knew other BC hackers could be in the making.

But it was "good old detective work and audit trails" that allowed the college to catch Boudreau, says David Escalante, director of Computer Policy and Security at BC. "Boudreau went from computer hacking to stealing by altering student ID cards," says the security chief. "His misuse of these cards was detected, investigated, and determined to be fraudulent. The misuse of the computer systems," he adds, "became apparent in the course of the investigation of the misuse of the cards."

Although Boston College nabbed their hacker, other universities and businesses aren't ordinarily as fortunate. On a typical day, the famed Computer Emergency Response Team (CERT) at Carnegie Mellon University (PA) documents 400 Internet-related security incidents around the globe (see "Security Alert"). The incidents range from minor attacks that probe individual Web sites, to major strikes that rattle thousands of systems.

January's MyDoom virus, for instance, was a single incident that clogged the Internet with some 100 million infected e-mails in its first 36 hours, prompting the FBI to launch an investigation, according to the news services. But even smaller outbreaks can wreak havoc. The Blaster virus epidemic of mid-2003, for instance, was a single incident that infected more than 500,000 computers, including hundreds of systems at Temple University (PA). "While Temple's network did not go down, network degradation...reached critical levels, making total loss of the network a definite possibility," wrote Temple Chief Information Officer Ariel Silverstone, in a memo to staff, faculty, and students during the outbreak.

Still--although there's no silver bullet for IT security--there are measures that can be taken to protect any institution, say the pros. Savvy universities, like many institutions in the corporate sector, are taking these three steps to protect their networks:

• Recruiting and training dedicated IT security professionals
• Devising, communicating, enforcing, and updating security policies
• Implementing/maintaining the latest security technologies, e.g., personal firewalls and (previously abandoned) smart cards

Who's in Charge?

Enter the CSO. Within most universities, CIOs, chief technology officers (CTOs), or chief financial officers (CFOs) typically oversee IT security. But that's changing as more and more universities hire the dedicated chief security officer (CSO).

Even three years ago, however, CSOs were a rare breed on university campuses. Then anywhere, anytime computing came on the scene, and triggered heightened security needs. Wireless Internet access, online registration, distance learning, Web-based tuition payment, and other applications have forced many universities to buttress their CIOs with fulltime CSOs who live and breathe security.

Boston College , for instance, hired Escalante shortly after the Boudreau incident. "Assigning security to the CIO, CFO, registrar, or someone else is perfectly legitimate," says Escalante. "But over time, I suspect these already busy people won't be able to deal with all the nitty-gritty details of security and will feel more comfortable delegating this responsibility."

Escalante is dead on target. At Johns Hopkins University (MD), for instance, CSO Darren Lacey now reports directly to CIO and Vice Provost/Vice President Stephanie L. Reed. "Darren's a talented attorney with a vast array of credentials that make him extraordinarily well suited for this position," says Reed. And in fact, Lacey moved into the CSO slot in mid-2003 after serving as executive director of Johns Hopkins' Information Security Institute (ISI), a nationally acclaimed research center. Lacey's top priorities now include working with the Johns Hopkins HIPAA office. (HIPAA--the Health Insurance Portability and Accountability Act--requires healthcare organizations to comply with various security standards when handling patients' printed and electronic medical records.) And the university's IT department also has designated experts who manage network security, application security, access and authentication, and physical data center security.

Though more and more universities are hiring CSOs, not all institutions can afford another C-level executive. A typical CSO earns a base salary of $100,000 to $350,000, depending on an organization's size, according to CSO magazine. Factor in budget crunches, enrollment challenges, and reduced government aid, and hiring a CSO often becomes prohibitive.

Sticking to the traditional. "I'd estimate that less than 10 to 15 percent of universities have dedicated CSOs," says Chris Meaney, director of Secure Network Solutions for Siemens AG's Information and Communication Networks (ICN) division. "Most appear to still have traditional CIO and CTO functions where security architectures are defined."

In many cases, however, network security is a shared responsibility. Such is the case at Delaware State University, where Network Manager Hank Classe oversees IT security with close assistance from three peers: a database administrator and two IT experts from Academic Computing. (The foursome reports to the CTO and assistant provost for Technology & Information Systems.) As far as administrators at Delaware State are concerned, the more security pros on board, the better--after all, the university is situated near Dover Air Force Base, one of the largest U.S. military bases, and DSU's science department has conducted classified research for the federal government.

Hacker schooling for IT folk. Some universities, eager to polish their security skills, are sending their IT managers to hacker school. Security vendor Foundstone Inc. ( www.foundstone.com) offers a popular four-day course entitled "Ultimate Hacking: Hands On." The course, which typically costs $7,000, teaches security students to use hacking tools like AntiSniff and Big Brother. After each session, students apply their knowledge by trying to break into computers in the rear of the classroom. (Never fear: Foundstone monitors each classroom system to make sure students aren't attempting to hack outside networks as well.)

David Raikow, a lawyer and IT security expert in San Francisco, has completed Foundstone's course. "Generally speaking, university managers who complete the class are better equipped to find security holes within their own networks," he says.

Technology companies such as Cisco Systems Inc. ( www.cisco.com) also offer security certification, but most universities prefer technology managers who have hands-on experience locking down operating systems, network hardware, and online applications.

Put It in Writing

Defining policy. Once a university has security experts in place, it's time to define security policies for all staff, faculty, students, and campus visitors. At many universities, the policies are updated and communicated regularly (via e-mail and printed memos), typically on a quarterly basis. In addition, more and more universities are requiring students to sign policies stating that they use antivirus software. At Temple University, notes CIO Silverstone, students and faculty members are frequently directed to the university's Information Security Web site ( www.temple.edu/cs/security). The site includes security alerts, the university's security policy, how-to information for novice computer users, and simple instructions for reporting security incidents.

Delaware State University , as well, takes similar steps to enforce security. All faculty, staff, and students sign a security policy before receiving user names and passwords to approved network services. DSU posts the policy in all campus computer laboratories and on the campus Web site ( www.desu.edu/it/acc/security_policy.pdf). The university also e-mails the policy to all users several times during the academic year.

Despite their value, however, security policies place many universities in a technology paradox: Even as universities strive to provide anywhere, anytime information access, they must fiercely patrol every network resource. That's a tricky balancing act, notes Johns Hopkins' Reed.

"Research universities need to drive innovation, create new knowledge and explore uncharted territories," she says. "But those priorities require a degree of autonomy and creativity that sometimes conflict with structure, discipline, and boundaries."

Sharing breakdown information. Interestingly, where businesses (particularly publicly held companies) rarely disclose network security breakdowns, fearing negative publicity, the opposite is true of many institutions of higher education. Progressive universities disclose security problems as soon as possible in a quest to protect students, faculty members, and partners from digital harm.

Silverstone stands among those who promote information sharing. In mid-2003, he dispatched several electronic memos to all Temple network users, warning them that the Blaster/LoveSAN worm had infected hundreds of university systems. The memos also provided detailed, easy-to-follow instructions for combating the virus.

Know Your Network

Personalization. At John's Hopkins, Reed's recipe for security success includes firewalls, antivirus software, intrusion detection tools, and close monitoring of internal and external network environments (see "10 Steps to Security," right). But she is coy when asked about new security tools at Johns Hopkins. On the other hand, there are universities eager to show their hand. At DSU, for instance, every student and faculty member now carries a personalized "smart card" (from Siemens; www.siemens.com) that provides entry to approved buildings and network services. And the cards are truly multipurpose: A magnetic stripe on the card also allows students to make bookstore and food service purchases; a barcode reader connects students to legacy library applications; and an embedded chip manages user identification when accessing DSU's enterprise resource planning application. (All new PCs purchased by the university now include readers.) Via personalization, the CFO's smart card, for instance, permits access to financial systems that student smart cards can't access. And in most installations, the cards authenticate to network directory services--such as Microsoft's Active Directory or Novell Directory Services. This provides users with seamless access to approved printers and applications on the university's network.

Smart cards come back. Since their advent in the mid- to late '90s, smart chip card implementations have encountered some serious roadblocks on U.S. campuses, not the least of which have been high cost issues. And in truth, most universities have yet to deploy smart cards. But given the current specter of security dangers, that's changing, insist security pros.

"Smart cards are relatively young," concedes Meaney of Siemens, which assists DSU's security efforts. Although smart cards have a rocky history in the higher education sector, Meaney points to growing adoption rates in public usage in general, and states, "They're definitely moving into the mainstream."

And if higher ed is looking to mainstream America to gauge the growing importance of smart cards, they might just look to Dell Inc. ( www.dell.com). In November 2003, the PC giant introduced smart cards for its corporate notebooks, desktops, and workstations (all of which come with readers). As a general rule, Dell only enters markets that generate massive unit sales and immediate profits. The Dell smart cards, which are designed by Axalto ( www.axalto.com; formerly known as Schlumberger Smart Cards & Terminals), allow IT managers to track users as they attempt to access network services. The cards cost about $50 each, but volume discounts are typically available. Schools can absorb the cost, or pass it on to the students. Users can be specific campus groups or subsets (such as students who need to access a specific, secure lab), or, for smaller schools providing laptops to all incoming freshmen (for instance), cards could be offered to all recipients of new reader-equipped computers.

Mobile Protection

Universities also are exploring new ways to protect mobile systems, such as notebook computers. Although firewalls and antivirus software for e-mail servers shield university PCs and workstations from external threats, those security measures don't defend notebook computers that move outside of the university network.

According to Charles D. Fletcher Jr., CTO and assistant provost for Technology & Information Systems at Delaware State, "The growth of e-business applications and online services has pushed security to the mobile user and home user." As a result, universities are now deploying so-called "personal firewall" software on individual notebook computers. Much like a roadside security checkpoint, the software inspects inbound and outbound data as it attempts to move onto a notebook or out to remote servers. Nefarious code is blocked before it can launch attacks against more systems. Best of all, personal firewalls ($50 or less per system) protect notebooks regardless of their physical location--on campus, at home, on the road, or within a public wireless (Wi-Fi) network, notes Craig Plunkett, managing principal of technology consulting firm CEDX Corp. ( www.cedx.com). What's more, companies such as Symantec Corp. ( www.symantec.com) and Network Associates Inc. ( www.networkassociates.com) design their personal firewall software to work alongside their respective antivirus applications, delivering a powerful one-two punch that can knock out worms before they infect systems. Generally speaking, universities are increasingly preinstalling the firewalls on notebooks before they are issued to staff, much in the way that antivirus software comes preinstalled on notebooks. In the case of students, schools typically direct them to a specific antivirus/firewall provider Web site, so that they can purchase and activate the security software.

Looking Ahead

Sending in the scouts. Most recent Internet attacks have involved annoying software worms and viruses that choke PCs, servers, and networks. But experts fear that these attacks are merely "test strikes" that allow hackers to identify and exploit weak points in the Internet's armor. In the future, they say, hackers could use the information they gather to launch more aggressive attacks that shut down entire power grids and transportation systems, or steal personal information of a highly sensitive or classified nature--even on a mammoth scale.

During a National Security Cyber Summit in November, Department of Homeland Security Secretary Tom Ridge offered an ominous warning to attendees: "Terrorists know that a few lines of code could, ultimately, wreak as much havoc as bombs. The enemies of freedom use the same techniques as hackers do. We must be as diligent and determined as hackers are."

Certainly, college and university CIOs are aware of the risks, and more than aware of their mandate to face them, head on. According to DSU's Fletcher, "The world of technology is continuing to grow more innovative, creative, invasive--and threatening. But as a technology innovator and user, I wouldn't want it any other way." Translation: Bring on the hackers.

Joseph C. Panettieri is editorial director at New York Institute of Technology. He has covered Silicon Valley since 1992. He can be reached at joe_pan5@yahoo.com.

Related Information

TIS RFP Update

Next week the TIS RPF Evaluation Committee will meet via a conference call to review and discuss summary materials, and determine if vendors will be offered an opportunity to submit a Best and Final Offer (BAFO). As the process moves through the final evaluation phase, the committee will rank the vendors based on their proposal offerings, and make award recommendations that will be delivered to the MiCTA and ATAlliance Boards for review and approval. With Board approval of these recommendations, MSC will enter into contract negotiations with vendors. All executed agreements will be announced to the membership via the MiCTA website and ListServ, and through announcements by each individual ATAlliance compact to their respective members. For questions regarding this RFP initiative, please contact Clancy DeLong, Vice President Program Development / TIS RFP Project Coordinator, at 888-870-8677 x203 or cdelong@mictaservice.com.

MiCTA's Website is New and Improved!

Recently, Gene Curtiss and Chang Hang have completed a comprehensive makeover of the MiCTA website. The new design is intended to provide better and timelier information with improved navigability and response time. Please visit the new site at www.micta.org and let us know what you think.

Information Resources for Legislative Matters

The member page on the MiCTA website at www.micta.org/members has a number of useful resources, including a link to the ACUTA Regulatory News and Issues page and Law Media-Michigan Telecommunications Report courtesy of Clark Hill. The ACUTA link is in the upper right hand corner under “member links” and the Michigan Telecommunications Report is under “member resources” in the lower right hand corner. This is a convenient way for you to stay current on these important issues.

Nonprofits Exempt from Federal and State Sales Tax on Telecommunications Services

Nonprofit organizations are indeed exempt from federal sales tax on telecommunications services. Also, in at least 31 states, nonprofits are exempt from state sales tax on telecommunications services. If you are unsure if your state offers this exemption, you should contact your state's Department of Treasury.

Each carrier may handle the process of having the tax removed from your bill differently. Some have a special form, and others will simply ask for a copy of your “tax exempt certificate”. While you may have to do this annually, and check your bills regularly, it will be well worth your trouble.

Welcome Jeanne Rhode to MiCTA

Jeanne Rhode is the brand new receptionist at the MiCTA office in Mt. Pleasant, Michigan. We are pleased to have Jeanne working in the office now, and ask that you help us welcome her. Jeanne will be pleased to take your call, answer your questions and direct you to the appropriate resource. Give Jeanne a call at 888-870-8677.

Share Your Experiences/Successes with Colleagues

Do you have a recent experience that would be valuable to share with other MiCTA members? Do you have, or have you recently seen a great article or case study? If so, please let us know, so we can share with the membership. We’ll be pleased to give recognition to you, and/or your organization.

Please contact:

Kim Ellertson
Kellertson@mictaservice.com
888-870-8677 X103
989-400-6429

Welcome to New Members

Cornell College
Diocese of Pittsburg
General Council of Assembly of God
Konokuk Ministries
St. Anselm School
St. Joseph College

Request to Update Member Contact Information

To ensure useful and timely distribution of MiCTA communications, the staff is now working to update member contact information. We are asking that each member email Jeanne Rhode , jrhode@mictaservice.com at the office. Jeanne will return to you, the data sheet for your organization. We ask that you review the data sheet, update appropriately and return to Jeanne. If you have questions, please give Jeanne a call. Your help with this important effort will be greatly appreciated.

Jeanne Rhode
(888) 870 8677

Brodart Special

Acrylic Displayers: 20% Off!

Convenient, economical tabletop display with Acrylic Displayers from Brodart!

Brodart has durable, scratch-resistant, easy-to-clean Acrylic Displayers, super clear and colored acrylics, for every type of media – from bookmarks, brochures and books to magazines, newspapers, signs and artwork. Choose from single-pocket, multi-pocket, multi-tiered and everything in between, or ask about our custom sizes. Remember, only Brodart Acrylics have softly rounded edges that won’t damage your display materials or cut your fingers! See our complete acrylic selection on pages 491 to 505 in our full line catalog. Or, go online at

http://www.shopbrodart.com/catalog/Literature_Media_Display&Storage/e&td.htm

For more information on products and services for MICTA members from Brodart:

Call: 1-800-233-8467 ext. 4338
Click: www.shopbrodart.com/pricing/micta/
Fax: 1-800-578-1064
E-Mail: supplies.quotes@brodart.com

Just for Fun!

PREVIOUS MICTA ALERTS

• April 2005

• March 2005

• February 2005

• November 2004

• October 2004

• September 2004

• July 2004

• June 2004

• May 2004

• April 2004

• March 2004

• February 2004

• January 2004

• November 2003

• October 2003

• September 2003

• August 2003

• June 2003

• May 2003

• April 2003