Information Security Officer Krizi Trivisani could be any self-assured graduate student at George Washington University in the US. Sashaying through the hallways dressed in a white jumper, short striped skirt and funky glasses, she heads toward her modest cubicle in the subbasement of the Academic Center singing "hello" to almost everyone she sees. She isn't your typical security officer, and she knows it. "I remember sitting on one roundtable [of security experts] last year, and if you looked around the table you'd see man in suit, man in suit, man in suit — who's that chick at the end?" says the 32-year-old Trivisani. "Which one of these doesn't belong?"
The fact that she is making herself belong says much about her talents. At two reporting levels below the CIO, in a job grade that doesn't require a college degree (she has a certification for the information systems security professional, or CISSP, but has not finished college), Trivisani has none of the built-in authority of an administrator or executive, and none of the bullying power of an ex-cop. But she has something else that may turn out to be more important: She can connect with people. When she talks about security, people listen — and even understand.
That's a good thing, because a lot more is at stake than a dormitory mini-fridge chilling a few illegal Coronas. Based in Washington, DC, The George Washington University (GW) is on the front lines of the hacker battle.
"You have a fast pipe and no money to secure it," is how SANS Director of Training Stephen Northcutt sums up the famed insecurity of university computer systems. Higher education is known for having large, fast, heterogeneous, open systems whose transient users enjoy privacy protection that most corporate users only dream of. That makes them popular targets for vandals and hackers who want to launch denial-of-service attacks, store illegal files — or worse. Last spring, the Secret Service began investigating who had installed keystroke capturing software at university computer labs in at least four states — "spyware" that would allow crooks to grab personal information from any student who typed it in. Meanwhile, Purdue University, one of the nation's foremost information security training labs, was looking into whether hackers had stolen the names, addresses and Social Security numbers of 145,000 students. All this led some experts to fear that the next wave of computer crime would involve poorly secured university computers used to launch attacks on the U.S. government or the nation's critical infrastructure.
To prevent just that, Trivisani is fighting an exponentially growing number of security violations on campus. And she's betting that in the battle against online villains, awareness and education are her best — and only — weapons.
A New Kind of Fire Drill
Information security scaled its way into the nation's ivory towers in the spring of 2000, when eBay, Yahoo and other websites were brought down by a high-profile string of distributed denial-of-service (DDOS) attacks. Before, a security breach at a university usually meant that someone had pulled the fire alarm at a residence hall at 2 am. The DDOS attacks — in which hackers often hijacked university systems to overload an e-tailer's Web servers with so many bogus requests that they couldn't respond to real ones — brought to light the vulnerability of the nation's universities.
Around that time, GW CIO David G Swartz had been advocating the creation of an information security officer role, a position he had decided should be part of IT because the audit and compliance offices would provide needed checks and balances. The timing was a coincidence, but a fortunate one. "We've always leveraged the crisis," he says.
Trivisani's fascination with security traces back to a day in the early 1990s when, as a supervisor for a branch of Nation's Bank in Maryland, she recognised a woman at the drive-through who had been forging checks. Trivisani called the cops and stalled for time, telling the woman that she had to go get a roll of quarters. The police arrived and arrested the woman, but the sad tale only then began to really unfold. The woman had left her infant at a crack house as collateral for drugs. The police worked with the woman's husband, who had reported the infant missing, to get her back before raiding the house for drugs. "There are so many other people affected by security issues," she says.
After that, Trivisani got more involved with fraud prevention and information security and eventually took a security job with the IT services company EDS. Then, in May 2000, she became information security officer for GW, reporting to CTO Guy Jones, who oversees a decentralised infrastructure that includes 13,000 Ethernet data connections that hook up all kinds of student and faculty computers, 12,000 telephone connections and 30,000 e-mail accounts, and Internet connections as fast as 155Mbps, with talk of pipes that carry 1GBps. And all of this has to be secured, while giving users as much privacy and academic freedom as possible.
Trivisani started a security awareness campaign almost immediately. Now, departments are beginning to ask her for help improving their security, and her group is further boosted by the fact that it's been a year and a half since the university has had a security-related network outage. But there's still a long way to go in convincing everyone — from tenured professors to incoming freshmen to network administrators — to care about security.
If an alcoholic's first step is admitting that he has a problem, the security officer's first step is finding out how big the problem is, and Trivisani started by counting and categorising the security violations plaguing the university. Then "we block 'em, we stop 'em, we work the cases," says Trivisani, a 5-foot-8-inch extrovert with long blond hair and a distinctly casual demeanour.
Many of the violations are reported to email@example.com, a standard handle that many organisations use for security information. Others come from phone calls and system logs. All are recorded in the eight pages of metrics and graphs that Trivisani and her staff produce each month. Except in cases of severe infection, the numbers don't include viruses and worms, which Trivisani estimates are carried in (and filtered out of) 1 per cent of e-mails.
In 2001, the first year that numbers were available, the university logged 46,378 security violations. Two-thirds of those violations were minor, including port scans, blocked attempts to exploit specific vulnerabilities and suspicious activity that may be only a user error. Quite a few others were complaints about spam, a particular irritant for Trivisani, who tries to block as much spam as possible and forwards e-mails about illegal activity to the authorities. ("Spam legislation, please Lord, we need spam legislation!" she likes to exclaim, gazing up toward the acoustic ceiling panels.) Only 21 of the violations were severe hack attempts, all of which were boxes compromised by external sources and used to attack other areas. The CIO and CTO don't want to know about most of the violations, but Trivisani gets them involved with the serious ones, although she refused to give details for publication.
For 2002, Trivisani expects the number of violations to double to about 100,000 — as long as there's not another worm on the scale of Code Red, in which case that number could triple. "It's been a little while — and that is not a challenge to hackers! When it gets too quiet and nothing has come out in a while, we get nervous. You're just waiting for the other shoe to drop," she says.
Dramatic as they are, the numbers make her CIO happy in that peculiar way of those who love metrics. "Now that Krizi is on board, we have some data," says Swartz, who is heartened to find out that GW's numbers roughly mirror national estimates. "The increasing number of violations is happening nationally," he says. "I think we're far ahead of other universities. Now how do you measure that? You measure that because [at other universities] there's truly a lack of awareness of what's happening. Can you break it into the subcategories that we can? [Trivisani's] got a good handle on it, not just violations but by category."
Their Best Weapon
Of course it's not enough just to know about security violations. Trivisani and her team have to do something about them. And that's where things get sticky, because the crime-and-punishment routine doesn't tend to be popular. "We took it for granted that people wouldn't like us," says Senior IS Engineer Truyen Pham during lunch with Trivisani, CTO Jones and a half-dozen IT staffers who volunteered (or were volunteered) for security detail after Trivisani became security officer.
If the stereotypical security luncheon is filled with pale but tough-mannered men, this one looks more like a Unitarian church group, with various ages and colors. Pham worked as a doctor in Vietnam, arrived in the United States with no money and worked his way up at the university. Last spring, he won GW's prestigious Presidential Award, in part for his work setting up GW's infrastructure network, building a service for off-campus users to access GW's computer resources and installing virus filtering on the e-mail servers. During dessert, he dumps a spoonful of cappuccino onto his ice cream, then squeezes a lemon garnish over the concoction. He gives a sly grin and says that the job takes creativity. If someone's computer is attacked, don't blame her, he says; help her. Someone else can worry about who's at fault.
"It's not our job to come in and punish people," Trivisani explains. "We're here to protect." She passes on details about serious security violations to the appropriate group — usually the university police department and sometimes student services — and doesn't want to know what steps are taken from there.
Overall, she's trying to protect her users with a burgeoning education and awareness program — the "human firewall" concept advocated by a council with that name, of which she is a member. The idea behind Trivisani's philosophy and that of the Human Firewall Council is that users, not technology, are the best line of defense in information security.
That's why, on a muggy summer morning, you're just as likely to find Trivisani at technology orientation for new students as you are to find her poring over policy or budget issues. At one session in late June, a couple dozen students and their parents showed up at 10 a.m. to an air-conditioned auditorium in the student union. The only questions were from parents trying to figure out what kind of computer to buy for their children, but Trivisani was unperturbed as she waited around afterward in case anyone had questions, using the time to encourage university staff members who had addressed the group. She wants to make herself accessible. "We've put a lot of processes in place to protect folks, but letting them know that we're out here is very important," Trivisani says. She also organises educational sessions for the university groups she works with, including the university police department, student services, the legal department and network administrators from across the university.
Along the way, GW is working toward Level 3, the level recommended for universities in the security assessment framework specified by the National Institute of Standards and Technology. "We're not at that best practices level," Swartz says. "We aspire to be there. At some point you go too far, and there's a negative reaction. They're all tenured out there." For instance, when the university started mandating password changes, "you would have thought you'd killed their dog given the way they reacted," he says. "It was something we needed to do, and we did it, despite the political reaction to it. The second time there was less reaction. And it gets easier each time."
Not a Superpower
As people-focused as Trivisani is, her casual style makes it difficult to imagine her doing something like addressing the board of regents about increasing the security budget. And while she spends a lot of time educating users about, say, logging off e-mail when they leave the computer lab, she says most of the real security problems are caused by people outside the university. Maybe she's playing to her strengths by focusing on student and staff education, an area where her age and accessibility work to her advantage. Or maybe GW is illustrating just how far the CSO role has to go before the officer quits worrying about fire drills and takes on a truly strategic position.
Trivisani insists that she has all the authority she needs. "We've been building really good relationships with all the departments," she says. "If a CSO walks onto campus and basically says, 'I am God, everybody bow down and do what I want you to,' it's not going to work."
The question is, once Trivisani finishes her degree — she's working on a combined bachelor's of business administration and master's in information systems from GW — will the university grow the job with her, or will she be tempted back into a more lucrative and powerful job in financial services?
"In financial services, information security has all the authority it needs. If it needs something, it's done," she says, a nod to the fact that sometimes the good people of GW just don't get it. "In a university, we're about balancing security with freedom and openness and sharing ideas. I like that. I've never wanted information security to be Big Brother."