By DONOVAN HARRELL
The Computer & Information Technology Committee meeting on March 19 revealed that there are potential security vulnerabilities in Pitt systems still running Windows 7, which Microsoft stopped supporting in mid-January.
This was especially alarming for Chief Information Officer Mark Henderson since this means Microsoft will no longer send updates to block potential hackers or viruses. It’s been known for over a year that these security vulnerabilities would exist when Microsoft announced they would no longer patch these systems, he said.
“My concern as the CIO for the University is what kind of risk is the rest of the University put in for those who didn't for over a year, mitigate this or at least work with the security group to look at other options for mitigation?” Henderson said.
The last thing Pitt needs are security issues as it shifts to online learning due to the coronavirus pandemic, he said.
CHIEF SECURITY OFFICER TO RETIRE
On Thursday, Chief Information Officer Mark Henderson has announced that Joel Garmon, the University’s chief information security officer, will retire this July. Since joining Pitt Information Technology in 2017, Garmon has been instrumental in spearheading University-wide cybersecurity threat prevention and compliance with security and privacy regulations related to computers and networks. This includes security of faculty, staff, and student information and Pitt’s extensive research.
Prior to joining the University of Pittsburgh, he was director of information security for Wake Forest University and the chief information security officer for Wake Forest Baptist Medical Center.
Pitt IT plans to conduct a nationwide search to quickly filling this position.
“We need to have as few vulnerabilities in our environment,” Henderson said. “We now are calling on our faculty, we're calling our staff, we're calling on our students to work remotely. And so for that to happen, all of our IT infrastructure has to be hitting on all cylinders. And so the last thing that we need would be to have some of our doors open for bad guys to do mischief in the midst of all of that.”
Joel Garmon, Pitt's chief information security officer, said Pitt IT has worked to take 300 outdated devices offline over the past two weeks and that most Pitt IT-managed servers are on track to be updated by the April 1 deadline.
However, as of March 18, 262 devices across the University are still running Windows 7 and 98 are using Windows Server 2008, which also will stop being supported. April 1 is the deadline before those devices are shut off from the Pitt network.
The Pitt IT team also doesn’t have a full picture of the number of desktops the team doesn't manage that are still using Windows 7, Garmon said, but most departments are “really getting on top of it.”
The IT team has coordinated with department IT staff to get these vulnerabilities repaired, decommissioned or to file an exception, Garmon said.
Most of these exceptions, Garmon said, are for devices that run lab equipment including microscopes and X-rays and other machines that cannot handle an upgrade to Windows 10.
Garmon said firewalls have been put up around these devices and their network capabilities are limited to mitigate the vulnerabilities.
While Windows 7 needs to be updated to Windows 10 or an operating system that Microsoft is still patching, those still using Windows Server 2008 can pay extra for patches or put it into Azure, which Microsoft will support for a fee.
Upgrades don’t need to be made in person since they can be pushed across the University’s network, Garmon said.
“Servers that are Internet accessible and are going to have Windows 2008 on them are going to be very concerning to us because I mean the bad guys are going to be out there looking for ‘em,” Garmon said.
Donovan Harrell is a writer for the University Times. Reach him at email@example.com or 412-383-9905.
Have a story idea or news to share? Share it with the University Times.