Tech training for inmates a risky undertaking
IT managers at Two Rivers Correctional Institution here last month celebrated their first anniversary of running one of the most technologically advanced medium-security prisons in the country. But giving prisoners access to PCs to conduct legal research and learn computing skills -- even on nonnetworked machines -- makes modern prisons a constant proving ground for IT security systems.
The adversarial relationship these facilities have with prisoners as IT users requires them to implement rigorous security policies and technologies, said Lloyd Thorpe, regional manager for the information systems and services division at the Oregon Department of Corrections (DOC).
"Here, you know that a lot of your users have nothing better to do than spend their days dreaming of ways to get you," he said.
For example, inmates in one of Two Rivers' 14 housing units figured out how to broadcast messages to their cohorts in other units. They discovered a flaw in the law library application they had access to via thin-client terminals that let them broadcast messages to other terminals via IP addresses. According to Thorpe, the prisoners immediately embarked on illegal activities related to gangs and contraband.
The episode came to a quick halt because correctional officers inside the housing units had been trained to recognize how the application should look and feel, even though they don't use it. When one of them noticed the broadcast text, he notified Thorpe's staff, who fixed the application.
"IT security is not just about technology. It's mostly about training people and keeping their sense of security heightened," Thorpe said.
Steve Morrison, education director at the National Corrections Law Enforcement Training Center in Moundsville, W.Va., agreed. "You can't depend on technology to cover your butt," he said.
However, Morrison said, there are some specific design steps IT managers in security-sensitive areas can follow, especially when it comes to a network cable plant, which should always be wall-mounted in metal conduits so it can't be tampered with.
Peripherals and applications need to be carefully guarded as well, said Peg Ritchie-Matsumoto, who spent the past five years as chief technology officer at the Ohio Department of Rehabilitation and Correction. She is now deputy director at the Border Research and Technology Center in San Diego, a research firm that targets corrections technology staff located on the Mexican and Canadian borders.
Ritchie-Matsumoto pointed to instances where prisoners were caught creating false release papers with software such as CorelDraw. "Inmates will manipulate technology for their own purposes," she warned.
Perhaps the most important security measure prisons can take with their wards is to let them access only stand-alone machines, Ritchie-Matsumoto said. And if the machines are on a network -- like Two Rivers' shared-access network to its law library -- keep it isolated, she added.
"Anything that touches an offender doesn't touch our network," said Clint Branum, manager of the IS unit at the Oregon DOC. The prisoners' LAN is isolated; in fact, it's a Token Ring network, while the staff's network is Ethernet-based.
But giving prisoners access to computers is a necessity, said Glenn Riley, assistant director at the Oregon DOC, where inmates are trained in areas such as computer-aided design and manufacturing, computer repair and HTML. But they never get access to the Internet.
"We're trying to prepare folks for the outside world," Riley said. "It makes no sense not to expose them to computers, because they're an important part of the real world."
Prison IT managers are always evaluating technologies to secure their IT systems, said Branum.
Two Rivers uses biometric palm readers, smart cards and other security apparatus. At a cost of less than $70 per biometric device, it's foolish not to use them everywhere possible, Morrison said.
But no matter how much IT security a prison installs, inmates will explore it and manipulate what they can.
"Remember 'Spy vs. Spy' in Mad Magazine?" asked John Taylor, a technical support analyst at the Two Rivers facility. "That's what it's like to work here sometimes. They constantly probe; we always defend."
» posted by ITworld staff
Computerworld







