New policies to stop hackers

About five years ago, information technology professionals noticed something strange.

More people were trying to hack into the University’s computers.

A lot more.

“It went from a period where a break-in was a rare thing to (a point where) the chatter that a system monitors for a network is constant and incessant,” said Stan Waddell, executive director for information security.

“Our systems are constantly under attack,” he said.

Brian Payst, director of information technology in the division of student affairs, said the increase was so dramatic that he had to change his alarm system settings so that they alerted him only of the more serious hacks.

Since then, the University has fought the hacking threat by stressing vigilance and the creation of several layers of protection to defend against threats to the University’s sensitive information — including Social Security numbers, medical records and credit card numbers.

About 30,000 attempts to hack into University computers occur every day, said Larry Conrad, vice chancellor for information technology and chief information officer.

The spike in the level of hacking activity was due to a change within the hacking community, Waddell said.

“Back in the old days, guys did these things for bragging rights. Those people have been replaced by people who’ve realized you can make money from this,” he said.

Culprits are largely members of organized crime from overseas, Payst said.

Administrators were reminded of the ever-present hacking threat last week when an information technology maintenance mistake allowed Viagra spam to replace University institutions’ caches, the text under the link on search engines, on Google.

Payst said he requested that Google strip all student affairs websites of caches, a change that will persist into the foreseeable future.

In early July, Conrad sent a formal e-mail to employees informing them of eight new policies to be implemented in all departments.

One of the new policies mandates that all servers and other computing devices be encrypted, a barrier Waddell said the average thief cannot break.

The University defends against hackers through a decentralized power structure, with large campus institutions generally protecting their own information, administrators said.

“There’s no way that any one person or one group would be able to address (the hacking problem),” Conrad said.

The University’s overarching strategy is called “defense in depth,” or creating several levels of defense to combat hackers, especially the high and rising level of automated hackers, Payst said.

Information security is improved mainly by reacting to new hacking methods, which Conrad said are becoming increasingly sophisticated.

“It’s an arms race,” he said.

Waddell said students can take action to improve their own information’s security by keeping current with software updates.

Hacking programs survey systems for gaps in security, and software updates fill these gaps, he said.

There are inherent limitations to how much the University can do to keep hackers out, Payst said.

“The University is a very large, very open environment and it needs to be,” he said. “You can really tighten down in a corporation. You can’t really do that at a University.”

Contact the University Editor at udesk@unc.edu.