System Security and Countermeasures Taken by the IT Security Office
If your computer is infected with a virus or otherwise compromised, your network access may be restricted until you have fixed it.
With Cornell's relatively open network environment and the ever increasing hostility of the Internet, it is vital that computer systems used by students, staff and faculty -- be they laptops, desktops or servers -- are maintained as securely as possible. Whether you are taking care of your own system or charged with maintaining systems for others, you need to take active responsibility for system security. A vulnerable computer connected to the Internet will inevitably suffer an infection or intrusion.
Prevention: The IT Security Office (ITSO) has developed a set of guidelines for securing individual systems.
One point that deserves special emphasis is the necessity of keeping your anti-virus and operating system software up-to-date. In the past, due to the inconvenience, disruption or potential conflict with existing software, many people have been inclined to postpone or even forgo installing updates. This is no longer a viable practice. Once vulnerabilities are detected, exploits follow quickly.
This is particularly acute with Windows systems -- think of the large campus impact of Blaster and related viruses/worms in the summer of 2003, or the very widespread worm activity (Gaobot, Phatbot, Sasser) following the vulnerabilities Microsoft announced in April 2004.
Recovery: Once a system has been compromised -- whether the cause is a virus, a worm or another type of intrusion -- fixing it can be complex and time-consuming. These days recovery is rarely a matter of just running an automated recovery tool. Sometimes the only viable solution is to rebuild the system from scratch. And you may lose important work in the process.
Countermeasures: The ITSO will take countermeasures -- ranging from a warning, to limiting connectivity to campus networks, to restricting all network access -- when a vulnerable or compromised system may pose a threat to university operations, including the integrity of campus networks.
As a general practice, we will lift the containment once the owner or administrator says a system has been remediated. If, however, a system again displays behavior indicating a compromise, we will require specific information about the steps taken to clean the system and tests performed to validate its integrity before restoring full network access. In the future, we may introduce on-line mechanisms for examining a system to determine that it is clean and secure.
Response to widespread threats: In the event of a major outbreak, the ITSO may take broader action to prevent a problem from spreading and/or compromising operations. Such measures can include: blocking certain classes of e-mail attachments; limiting traffic -- either at the border or for specific environments (such as ResNet, RedRover or public ports) -- on certain ports or over certain protocols; or even, in extreme cases, disabling the network interface serving an entire subnet.
Related Policy Links:
- University Policy on Security of Information Technology Resources
- University Policy on Reporting Security Incidents
