Nowhere in the United States is the ground more fertile for security breaches than at colleges and universities. The confluence of enormous stores of identity data, atmospheres of freedom of information, and ready-made teams of socially motivated hackers chosen from the best and brightest makes this claim close to a certainty.
A study by TeamShatter, Application Security’s research arm, saw 14 reported higher-education breaches in the first quarter of 2011, covering 81,835 records. The largest to date: University of South Carolina, which may have exposed 31,000 records because of a computer security problem hitting eight university systems that maintain data on faculty, staff, retirees and students.
Even with the forces of the storm working against a college or university, survival (avoiding a breach) is possible. Education institutions should consider options for defending themselves against these security breaches.
Stores of Identities
As far as higher education is concerned, the question is not "What information do they have in their databases?" but rather, "What information do they not have?" One doesn’t just sign up for college with a name and address; there is data about scholarship information, class placement, ethnic and religious backgrounds, medical conditions, placement tests, parent info—the list may seem endless. Financial aid requests require in-depth information gathering of the most intimate financial and personal information regarding a student’s family.
It gets better, or worse. The collection of student identities from years back will have transformed itself into a collection of business professional identities, because most students will have made their way to the business world.
A higher-education student database is an identity thief’s dream come true. Here are some steps that a higher-education institution can take to avoid an IT security breach:
•Purge. Even if basic medical data (e.g., childhood diseases and immunizations) were needed at some point, they may not be needed once a student has graduated. Build IT systems so that certain data are purged automatically after reaching a certain age. If it is automatic, unneeded data won’t lie around waiting to be stolen.
•Encryption. Database encryption is fast, easy and inexpensive. An encrypted database, even if stolen, cannot be used maliciously. Institutions should encrypt anything that is remotely private. And, make sure encryption practices are solid—use the latest algorithms and safe storage of encryption keys.
•Backup. The primary problem that surrounds the security of higher-education data and information is the depth and breadth of access. Often the huge databases of student, faculty, alumni and student parent information are managed by older IT systems that were developed before cyber-security became vital. Education institutions often will grant access to these fragile systems to users who, from a security standpoint, have no business having access—perhaps because the surrounding culture supports this mode of operation.
Therefore, institutions should make sure they are periodically backing up their databases in case a breach occurs and the information is maliciously altered or destroyed. Database backups always should be saved to an offsite location in an encrypted format (this can be done easily and is free with most commercial backup software).
•Limit access. The primary target of cyber crime is the access of information—financial (credit cards, bank account), identity (social security numbers, names, addresses) and government and commercial (product information, plans, strategies). The primary goal of security protection is to prevent unauthorized access.
Special care needs to be taken with regard to who has access to this information. User access to any information system should be only to the level of the user’s need. A clerical person at a university bookstore should be able to look up a class assignment of a student, but has no need to see the student’s social security number. IT systems need to be engineered to support multi-leve
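The "Purge" and "Limit access" steps above can be sketched together as follows. This is an added example, not code from the article; the table layout, role names, retention period and sample records are all constructed assumptions.

```python
import sqlite3
from datetime import date, timedelta

# Constructed policy: columns each role may read. Unknown roles are denied.
ROLE_COLUMNS = {
    "bookstore_clerk": ("name", "class_assignment"),
    "registrar": ("name", "class_assignment", "ssn", "graduated_on"),
    "health_center": ("name", "immunizations"),
}
RETENTION_DAYS = 365  # assumed: keep medical data one year past graduation


def make_db():
    """Build an in-memory table holding constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT,"
                 " class_assignment TEXT, ssn TEXT, immunizations TEXT,"
                 " graduated_on TEXT)")
    conn.executemany("INSERT INTO students VALUES (?,?,?,?,?,?)", [
        (1, "A. Alum", None, "000-00-0001", "MMR;Tdap", "2005-05-20"),
        (2, "B. Current", "CHEM-101", "000-00-0002", "MMR", None),
    ])
    return conn


def purge_stale_medical(conn, today):
    """Null out medical data for students who graduated before the cutoff."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    cur = conn.execute(
        "UPDATE students SET immunizations = NULL "
        "WHERE graduated_on IS NOT NULL AND graduated_on < ? "
        "AND immunizations IS NOT NULL", (cutoff,))
    conn.commit()
    return cur.rowcount  # number of records purged on this run


def lookup(conn, role, student_id):
    """Return only the columns the role is entitled to see."""
    columns = ROLE_COLUMNS.get(role)
    if columns is None:
        raise PermissionError(f"role {role!r} has no access")
    # Column names come from the fixed policy above, never from user input.
    row = conn.execute(
        f"SELECT {', '.join(columns)} FROM students WHERE id = ?",
        (student_id,)).fetchone()
    return dict(row) if row else None
```

Run the purge from a scheduled job so it happens without anyone having to remember it. The bookstore clerk's lookup never selects the SSN column, so a compromised clerk account cannot return it.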
Educate Staff and Students
In a recent poll on the social-engineer.org website, 86 percent agreed that social engineering is the worst threat to security today. This just states the obvious fact that an understanding of social engineering is extremely valuable to anyone with access to computer systems and that it makes sense to educate college and university workers about the mechanism and hazards of social engineering.
Regardless of the security problems that face education institutions, their security focus should be no less than that of corporate America. The three security fronts that need to be addressed include internal information systems, limited access to identity data and awareness of social engineering attacks. Given the enormous profit that can be derived from cyber crime and the well-established organizations at the root of cyber attacks (e.g., organized crime and sophisticated hacker groups), limiting security risk wherever possible should be high on the agenda of every college and university.
Although nowhere near as insecure as even a few years ago, education institutions still need to update and fortify their information systems to prevent access by professional hackers, hacking students and script kiddies. Inexpensive and easy preventions should be put in place—system updates and patches should be done as soon as available. All sensitive data should be encrypted, server rooms should be physically secured, and robust password rules should be put in place.
Colleges and universities are at the center of the perfect security storm. They contain billions of dollars of identity information (if used or sold on the cyber black market), encourage cultures of information freedom and compete for the opportunity to enroll students who may turn out to be some of the best hackers in the nation. They also may have underfunded IT departments with employees who may be part of the hacker community or who are easily fooled into giving up computer system information.
The ramifications of a successful data breach are far wider than just bad press. The costs of leaking data are large, often including payment for subsequent personal-security monitoring and the need for expensive, immediate-reaction security teams to determine and remediate security issues.
However difficult it might be, institutions of higher learning need to think like businesses; they need to consider the enormous financial and reputation risks that would result from a data breach. Unlike many businesses, where hackers just have not gotten around to testing security safeguards, colleges and universities are under constant attack, from within as well as externally.