At Columbia University, the 40,000 or so students who use the university network are responsible for fixing their own computers once they are suspected of being compromised. Their computers are taken off the network right away – and the students are left with little choice but to act on their problem themselves.
“I believe in behavior modification as a security technique,” says Joel Rosenblatt, director of the university’s computer network security.
“The first time it happens, you will be annoyed at me. The second time, you will be mad at me. The third time, you’re going to have learned your security lesson and you are not going to allow yourself to be compromised again,” he says.
By contrast, if students simply got their computers fixed by others, they would only go back to the same direction that got them into the problem in the first place. “It did not cost you anything to get it fixed. There was no pain involved,” Rosenblatt says.
Going to school – and staying there
Rosenblatt entered Columbia in 1973 as a student of metallurgy and material science, solid state physics, electrical engineering and computer science. He has not left the place since.
In the beginning, Rosenblatt took odd jobs helping professors do research for their classes, and eventually helped at the university computer center. On the day he graduated, he was offered a full-time position.
He worked on mainframe systems for the next 20 years, but when the time came for Columbia to move to Unix-based systems, he pondered where next to go.
At that time, nobody was doing security as a specialization in the university space. But he had been thinking about how people were doing exactly the same crimes that they did before computers existed: Stealing money, stealing identities. “The only difference was that the bad guys did not have to be in the same state or country as you. They can steal your stuff and you never have to see them. Crime was not going away,” he says.
Rosenblatt believed this concern could only grow with time and increasing computer use. “It turned out that I was right!”
The business of education
Columbia is both a business and a university. “The interesting thing is that we operate very much like a city,” he says. “We have people, we have the police, hospitals, food vendors. There is a lot of stuff we have to protect here.”
But Rosenblatt’s team must do all this in a way that does not affect the mission of the school – allow people to do research. “They’ve got to enjoy access to the Internet, to everything. We have to do it without interfering,” he says.
This has led Rosenblatt to believe that in security, one size does not fit all. “You have to do different things for different people depending on their objectives.”
Slowing down stupid
There was a time when people used mainframes to do the real work. And then computers started getting more powerful. “Once the Internet came online, people did not really have an idea where all the computing was happening. Many don’t know what is going on behind the screen,” Rosenblatt says.
But now that people can get apps to work on their phone without having any knowledge of programming or networking, the bad guys are having an easier time. “If you don’t understand what is happening, and somebody is spoofing something that you use on a regular basis, and you are not paying attention, you can be taken advantage of.”
Bad guys these days are no longer just bright kids fooling around and seeing what they could get away with. “These days it’s a flourishing business; hacking is what they do for a living. They are well-funded, and they are well-educated.” They covet the highly credible “.edu” addresses. They get into systems and redirect automated payroll payments to their own bank accounts. They keep on changing the format of their emails to get past filters that security people set up in order to catch them.
Rosenblatt says it is of utmost importance to recognize when somebody is trying to phish you. Companies provide training for their employees to make them less vulnerable to such manipulation. Still, “no matter how much you train people, if they don’t pay attention to the training that you give them, they will still accidentally do bad things. They will click on links and give away information they are not supposed to make public.”
Taking these into consideration, Rosenblatt has helped develop systems to try and prevent people from doing mindless things. “You can’t stop stupid…but you can slow it down.” For example, he is a fan of two-factor authentication. “It’s not perfect, there are still ways to get around that, but it’s difficult to do so your chances of getting your accounts compromised if you are using TFA dramatically goes down.”
Another intervention is that they replace malicious links in emails with legitimate links when they see one in an email. “People will be safe even if they should not have clicked on the link in the first place.
A log-ical benefit
Users log into computer systems all the time, but what most people do with logs is put them in a hard drive and never look at them again.
Rosenblatt believes however that logs are a treasure trove of information. When the logs are correlated, they paint an accurate picture of the user’s behavior. They say, for instance, where the user logged in, which door he swiped, how long they stayed, what the user did before and after. When somebody’s device or credentials are stolen, they can easily track them. They also give signs when somebody veers off a pattern and does something different, altogether.
It’s the essence of a system unique to Columbia called GULP – Grand Unified Logging Program. Because there is a single sign-on for everything, student behavior can easily be drawn from the information – and the anomalies therein.
“There is a lot of info in logs that people are missing, just because they don’t process them. Logs should be regarded as something that gives you information as opposed to something that you have to keep by way of compliance,” he says. He says this is good not only for universities like Columbia, but also for other types of organizations. “Why aren’t they doing this? It does not cost a lot to do.”
The good thing about universities is that they are big on sharing information on how they keep their environments secure.
“We get together on a regular basis and share what we are doing. If one university comes up with a really good idea, we are not afraid to share so that other can benefit as well.”
Rosenblatt also likes going around and speaking about behavior analytics as a powerful security tool. Indeed, while he has stayed in the same organization for the past 45 years, his career has been dynamic and proactive: a state of constant education – learning and sharing and learning some more.