Security | Feature
Top IT Security Worries
It's a dangerous world out there, with IT shops hard pressed to protect their institutions and users. CT looks at the 4 biggest security worries--and how IT can fight back.
Over several months last summer, hackers cracked the Northwest Florida State College network and stole the personal information of more than 300,000 people affiliated with the school, including their names, addresses, birth dates, social security numbers, and bank account numbers. Armed with this information, the hackers took out loans, extracted money from direct deposit accounts, and applied for credit cards. In May, the University of Nebraska was luckier: It learned its network had been breached within hours of an attack and quickly shut it down. The school warned affected users to monitor their accounts, but there is no evidence that any information was transferred.
These are not isolated events. In 2012, 61 educational institutions reported data breaches, involving more than 2 million records, according to the nonprofit Identity Theft Resource Center. Talk to enough university IT professionals and you'll hear one resounding message about security: The battle never ends. Schools are in a constant arms race to stay ahead of hackers who have become increasingly sophisticated in their efforts to breach the battlements of university networks, where vast amounts of personal and financial data are stored.
The challenge facing schools is to find ways to foil these attacks without resorting to the kind of total lockdown that makes it impossible for universities to conduct research, innovate, and collaborate freely. As Jesse Davis, director of research and development at Progress DataDirect, points out, the original internet protocols were meant to share information, not restrict it. With only limited resources to keep their systems and their constituents safe, IT administrators are battling on four major fronts: phishing, BYOD, data management, and privacy in the cloud.
Northeastern Illinois University has been battling targeted phishing attacks for years. Hackers get into the system by tricking users into providing their account information and passwords. Once inside, they create online forms or send e-mails that appear to come from the school--even from the IT department--featuring details such as the school's logo and links to the help desk.
"Most of the time they were just sending out spam," explains CIO Kim Tracy. "But in the last year they became more hostile, using those accounts for identity-theft activities."
While spam at first seems more of an irritant than a threat, Tracy's department spent 40 to 50 hours every month trying to mitigate the effects--effects that can be costly. Because spam e-mail appeared to be coming from NEIU, for example, major providers such as Yahoo and Comcast repeatedly blacklisted the school.
In a bid to fight back, NEIU launched a two-pronged response. It initiated an ongoing effort to educate its network users not to share their account credentials, and it implemented Symantec Email Security.cloud, a cloud-based e-mail filtering system that protects against spam and viruses.
The effect has been like turning off a faucet, says Tracy. Now NEIU has just an occasional drip, with a plumber at the ready. Because Symantec's business is to secure thousands of organizations through its cloud offering, it has the tools to categorize and head off phishing attacks. Plus, Symantec is able to quickly identify and shut down compromised accounts. And if spam does get sent out, it looks as if it's coming from Symantec, not NEIU.
"We don't get blacklisted anymore, because Symantec has trusted relationships with all these ISPs," says Tracy. Another benefit of filtering messages in the cloud? It frees up bandwidth on the network.
Looking ahead, Tracy is contemplating moving the school's whole e-mail system to Gmail or Microsoft Windows Live. "I'd like to just outsource the whole problem," he notes. "Let those companies handle it. They can do a much better job at e-mail than we can."
Preying on user trust is one way to get into a school's system. But sophisticated hackers are happy to take advantage of network vulnerabilities caused by the enormous influx of BYOD devices on campus, all tapping into a school's network. Peter Trimarchi, technical director at New York Law School, has a list of the biggest BYOD culprits: laptops that haven't run software updates or carry stale antivirus and spyware protection; external devices such as USB thumb drives or hard drives; and cell phones that are "rooted"--a process of exploiting a security weakness to get around a device's carrier and manufacturer-imposed limitations in order to run specialized apps or gain privileges not available to regular phone users. Throw in non-managed devices such as PlayStation, Xbox, or Wii consoles, and schools face a hot mess of access control and network security.
"BYOD brings a huge challenge," notes Trimarchi. "Phones can be hacked, stolen, left behind, easily viewed by passersby, or shared at home with family and friends."
Like most schools, New York Law attacks the problem on several fronts. Trimarchi's department trains users on security protocol, initiates periodic user password changes, and runs ForeScout CounterACT for network-access control. CounterACT allows the school to unify user or system authentication, check for vulnerabilities, prevent host intrusion, and enforce antivirus and network protocols. With CounterACT, "we got visibility into the network that we didn't have before," explains Trimarchi. "Now we know if machines have a secure connector installed along with updated antivirus and current Windows patches; if not, we automatically block their network access."
3) Data Management
While it's easy to focus on the devices that students and faculty bring to campus, it's vital that schools recognize that their own systems can be a weak link, too. "A poorly patched router or an access via the internet that did not have proper update and security tools is like leaving your front door wide open and posting a big neon sign saying, 'Please rob me,'" says Paul Christman, vice president of public sector sales at Dell.
For Christman, the problem isn't just keeping ne'er-do-wells outside the perimeter, but establishing the right protections inside a college's system. "One of the hardest tasks schools face is identifying and classifying the risk associated with data itself, and then assessing how they should protect it," he says.
In higher education, where research is collaborative, the problem is made trickier because of the need to provide access to users from other institutions. One solution is to assign roles or create classes of users. That way, for example, sensitive health and academic data is restricted only to those employees who are supposed to see it. And students staffing IT help desks aren't given the keys to the kingdom in the form of inappropriately high security access.
Dell designs systems to allow for this kind of privileged account management. "There's a workflow up front that's customizable," Christman explains. "This might say, for example, that five designated people must authorize a user to have access. And access can be granted in a way that keeps the system admin from ever seeing the password. Users are granted the access that a particular task entails, for a particular amount of time, or to a particular set of systems."
By adopting this approach, the castle wall isn't the only protection for an institution's data. If a hacker gets past the perimeter, he can't go wild on the inside.
Encryption serves the same purpose. Encrypted data is gobbledygook to anyone who steals it, yet user habits around encryption are woefully lax. DataDirect, a driver company that's been connecting applications to databases since the '80s, regularly tries to get the encryption message out to software architects.
"We find that people forget to encrypt, or they realize the need for encryption only after they've reached the end of a project, instead of from the beginning," says Davis. The key, he adds, is to understand that there's no safe time to keep data unencrypted: Data in motion needs to be encrypted as well as data that's stored.
"People can hack info out of your RAM when your machine is running, so that's information you need to encrypt all the time," he explains. "When you use our database drivers and send us your logins, you need to encrypt them before you even send them to us. Then, as the data goes through the drivers, use SSL (secure sockets layer) and the encryption supplied by the back-end database. All that information is flowing through our product and we encrypt it as soon as you log in and we encrypt the data in motion. That way, someone sniffing packets gets only nonsense."
The ability to encrypt data is already built into most software that's implemented on campus. It's just a matter of enabling it.
4) Privacy in the Cloud
Moving to a cloud-based e-mail system is an attractive option for those who, like Tracy, are looking to get out of the e-mail business. Not only do cloud-based e-mail services cut down on spam and bandwidth issues, but they are generally cheap or free to universities. Nevertheless, cloud-based e-mail can cause legal headaches, particularly with respect to the Health Insurance Portability and Accountability Act (HIPAA).
For schools such as Thomas Jefferson University (PA), an academic medical center, protecting patient information is paramount. "You have to know how the data is stored and where it's stored," notes Doug Herrick, TJU's chief information officer. "You have to be able to audit and to have accountability for it."
E-mail, which is used to communicate with and about patients--as well as to send patient files--falls under these restrictions. "When you outsource something to a cloud--and you don't really know where it is or how it's being managed--you need formal service-level agreements and contractual agreements, and accountability," says Herrick.
Herrick found the assurance he needed with Microsoft Office 365. The software suite includes a Business Associates Agreement (BAA), a HIPAA-compliant contract that covers an entity that "creates, receives, maintains, or transmits protected health information on behalf of another business associate." When TJU was unable to get a BAA from Gmail, its existing student e-mail provider, it transitioned both faculty and staff to Office 365 in late 2011.
While the BAA was a vital component of TJU's embrace of Office 365, other privacy features appealed, too. "We track the chain of custody of data so that customers know it's not tampered with," explains Cameron Evans, chief technology officer for Microsoft Education. "And we don't commingle data with Bing or with other schools. Those things never meet."
Microsoft also addresses one other issue that keeps CIOs up at night: where the school's data is stored. The company assures customers that their data will be stored in the country of origin, removing any risk that it will be subject to another country's data laws.
Audits Help Uncover Security Risks
To save money and improve security, schools are recognizing the benefits of auditing tools. One of these, Tools4ever's User Management Resource Administrator (UMRA), enables administrators to quickly identify user accounts that should no longer be active or have incorrect permissions.
It's a common problem in higher education. Because schools have such huge numbers of students coming and going, their networks can become clogged with users who no longer belong. "Students graduate, they drop out, or they were added as prospective students but went somewhere else," explains Dean Wiech, managing director of Tools4ever. "Years go by, and you end up with 30, 40, 50,000 records in your network, but maybe only have 5,000 active students."
That's a potentially huge number of people with no business accessing a school's network, yet who still have access privileges. Run daily, UMRA checks the current database of enrolled students against the school's network, and determines which students are still enrolled and what major they're pursuing. Those who don't belong on the network are kicked off.
For those who do belong, the tool checks that the access rights and group memberships are set appropriately for their majors, and makes any needed updates. This helps avoid situations where students who switch majors retain access to the systems and coursework from their previous major.
Running these kinds of scans can save schools money, sometimes in unforeseen ways. First, purging the system of thousands of unenrolled students frees a lot of hardware resources. Second, if a department knows a student is no longer enrolled or has switched majors, it might affect how many software licenses it buys.