Universities are a rich target for hackers

In 2013, HALOCK Security Labs noted information security vulnerabilities at colleges and universities along with numerous challenges that plague these institutions across the United States.

Just this year, hackers have been successful in gaining access to over 740,000 student and alumni personal information records, including social security numbers, combined. The breaches occurred at University of Maryland on February 19, 2014, Indiana University on February 26, 2014 and North Dakota University on March 6, 2014.

Investigation found that 25% of 162 universities sampled were putting student and parent financial data at risk through the use of unsafe unencrypted email practices. This data included W-2’s and tax information transmitted to financial aid offices.

Universities continue to be targeted by hackers because they maintain not only a wealth of student and parent financial data, but they are also centers for cutting edge research and intellectual property.

These recent breaches highlight the reason why universities need to take security seriously and extend their safeguards beyond unsecure email. While HALOCK’s investigation highlighted a certain type of security lapse, the recent breaches underscore that universities need to consider security comprehensively.

Universities are overwhelmed by a number of issues:

Typical university cultures promote open access to information: A core requirement for information security is the classification of information and systems. And because colleges and universities are quasi-public places, they must separate their public network zones from their sensitive network zones and ensure that each are secured according to their risk.

Transient and inexperienced student workers: After colleges and universities have separated their sensitive systems from their public systems, they can assign student employees with jobs that manage the public systems, leaving sensitive information in the control of properly trained and vetted permanent employees.

Limited security and compliance budgets: While colleges and universities have lower budgets than some organizations, no organization has enough budget to address all of their security needs. All organizations must prioritize their investments using the risk assessments that are required by law.

Student hackers have ample time to target the university that is teaching them hacking skills: Especially for colleges and universities that provide information security courses, academic networks can become the “lab” for course homework -¦ in other words, when you teach information security, expect your students to hack your network for practice. Ensure that those who teach the courses collaborate with IT personnel to detect and prevent the activities that are being taught in the classroom.

Information technology changes are often limited to seasonal university breaks: Major security patches, upgrades, and security tool implementations are often held off until inter-semester periods when the risk of unavailable systems is lower. But this also means that the security risk is at its highest when class is in session. Proper change management processes can reduce your availability risks while making timely security upgrades.

Difficulty in educating the Board of Trustees or Regents on security risks: A well-constructed risk assessment will define risks, in part, by their impact to the mission of the institution. Impacts to students, faculty, research funding and the school’s reputation and finances should all be considered as factors in risk assessments. A risk statement that reads, “A breach of PHI records from the research database, which foreseeably could happen over the next year, would result in major fines and would compromise our ability to get IRB approval for future research, as occurred at XYZ University Hospital last year,” is far more compelling argument than, “Please can we buy the two-factor authentication appliance? It could prevent a breach!”


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss