Colleges Face Greater Challenges in Stopping Data Breaches

Colleges and universities face greater challenges in stopping data breaches than other kinds of organizations and are on track to experience the same number of data breaches in 2010 as they did in 2009, according to a company that sells security applications for protecting databases. According to a report from Application Security's research arm, for the first seven months of this year 32 breaches have been reported, compared to a total of 57 in 2009. Three quarters of those breaches involve unauthorized access to databases maintained on institutional servers.

AppSec's Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) said the proliferation of data breaches in higher ed can be attributed to several factors.

Although campus databases face the same exploitation techniques as those at companies, such as SQL injections on public-facing Web sites and unencrypted data on lost laptops, there are several risks unique to higher ed:

  • IT staff is often recruited from the student body, resulting in less experience and higher turnover;
  • Students with limited training and supervision may have access to sensitive information;
  • Open student terminals and workstations may be placed on the same networks as sensitive databases;
  • A high turnover of students generates high turnover of accounts and credentials;
  • Different colleges within a university may have their own IT staff and policies, inhibiting central policy management enforcement; and
  • Budget constraints can lead to the use of unsupported and unprotected legacy systems.

Also, because of the number of students, staff, faculty, and parents involved in campus business, institutions maintain numerous databases with names, addresses, financial information, credit card numbers, Social Security numbers, and healthcare records.

On top of that, reported AppSec, students and faculty members "frequently log in and out of personal and public computers, accounts are left open, computers are left logged on, and data can be easily lost amid the day-to-day shuffle."

The most common methods of obtaining database administrator privileges, said AppSec, include:

  • Exploiting weak, blank, or default access controls;
  • Exploiting vulnerabilities in an application or operating system; and
  • Finding a valid login and password by brute force, guessing, stealing, or with the help of a Trojan.

The company cited a 2009 Ponemon Institute statistic that found that the typical breach costs an average of $204 per compromised record. This encompasses multiple expenses related to technical, legal, administrative, and customer support.

The report offered six best practices to help counteract data breaches:

  1. Conduct a database discovery to expose rogue databases that may exist on the network.
  2. Classify databases to identify those that maintain personal data.
  3. Do a database assessment to identify vulnerabilities, misconfigurations, and compliance.
  4. Prioritize remediation issues based on the level of threat.
  5. Begin the fixes.
  6. Continue monitoring the databases for gaps in protection.
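As an added illustration of step 2 (this code is not from the AppSec report), the sketch below samples each table of a database and flags columns whose names or values look like Social Security or credit card numbers. It uses an in-memory SQLite database as a stand-in for a campus system; the table names, column-name hints, and sample rows are constructed assumptions.

```python
import re
import sqlite3

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
# Assumed column-name hints for the data kinds the article lists.
NAME_HINTS = {"ssn": "ssn", "social": "ssn", "card": "card", "health": "health"}

def luhn_ok(digits):
    """Luhn checksum: rejects long digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value):
    """Label one cell as 'ssn', 'card' or None from its content alone."""
    text = str(value).strip()
    if SSN_RE.match(text):
        return "ssn"
    compact = re.sub(r"[ -]", "", text)
    return "card" if CARD_RE.match(compact) and luhn_ok(compact) else None

def classify_database(conn, sample_rows=50):
    """Return {table: {column: [labels]}} for columns that look like personal data."""
    findings = {}
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        rows = conn.execute(f'SELECT * FROM "{table}" LIMIT ?', (sample_rows,)).fetchall()
        for idx, col in enumerate(cols):
            labels = {lab for hint, lab in NAME_HINTS.items() if hint in col.lower()}
            labels |= {classify_value(row[idx]) for row in rows} - {None}
            if labels:
                findings.setdefault(table, {})[col] = sorted(labels)
    return findings

def build_sample():
    """Constructed sample: column names give no hint, so only values reveal the data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bursar (student TEXT, id_no TEXT, pay_ref TEXT);
        INSERT INTO bursar VALUES ('A. Student', '123-45-6789', '4111 1111 1111 1111');
        CREATE TABLE courses (code TEXT, seats INTEGER);
        INSERT INTO courses VALUES ('CS101', 1234567890123);
    """)
    return conn
```

Tables that come back with findings are the ones to assess and remediate first in steps 3 and 4; the 13-digit value in `courses` is not flagged because it fails the Luhn check.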

The report can be found here.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
