Open to Attack?
An emphasis on the open sharing of ideas makes higher ed more vulnerable to network attacks than corporations. How can schools mitigate the risks while still preserving their academic freedom?
- By Sue Marquette Poremba
- 05/02/12
Who hasn't received mail from a company notifying them that their personal information may have been compromised? No organization--not Amazon, not the CIA--is immune to cyberattacks, and higher education is no exception. In 2011, 48 institutions reported data breaches, according to TeamShatter, the research arm of Application Security.
Indeed, colleges and universities may be even more susceptible to security breaches than their corporate brethren, and the security threats they face are likely to get worse. With the proliferation of mobile devices, the number of attacks is expected to soar in 2012 and beyond.
"Attacks have changed," says Paul Judge, chief research officer and VP at Barracuda Networks, a security firm that works with both schools and businesses. "We are no longer a society where only high-value companies are targeted. Now, any type of organization is prone to attack, including universities. We need to change the mindset within colleges, and we need to take the same approach to protect students. Schools should want to step up their efforts to control their networks."
Higher education institutions are vulnerable for a variety of reasons. For starters, campuses provide hackers with access to high-speed networks and lots of computers, making them an attractive target.
Second, colleges and universities are perceived--correctly, in most cases--to be easier prey than corporations, because they tend to have a very different mindset when it comes to protecting data. It's not that they don't care about security; instead, the level of risk tolerance is higher on college campuses than it is among corporations, for one simple reason: Freedom of ideas and information is central to the mission of higher education.
Perils of Freedom
"In higher education, you have this environment of free sharing of ideas and information," says Alex Jalso, director of the Office of Information Security at West Virginia University. "You have to have a balance between free-flowing information and securing the information that's considered sensitive from a legal point of view. In a business environment, on the other hand, you are working to increase shareholder value, so you always make sure your operations are as efficient and secure as possible."
It's a point echoed by Dan Han, information security officer with Virginia Commonwealth University. "Should higher ed have the same level of security as big business or government agencies?" asks Han. "Probably not. That's not to say that higher ed shouldn't focus on information security, because at universities--especially large research universities--there is a lot of sensitive and proprietary information, as well as personal information of faculty and students. But my take is that the risk posture and the risk tolerance between education and corporations need to be different."
Judge says that another key difference lies in who controls the equipment. Businesses usually own the devices and resources attached to the network, allowing them to dictate what software can be installed and what websites accessed. "Campus IT departments have less control than a corporate IT department," notes Judge. "In corporate IT, you can take a more stringent approach. You don't have that same kind of control in education. And there has to be open access to the internet for the students."
To allow for an open environment in academia, campus IT departments often operate security at minimal levels. According to Judge, there is less use of firewalls, antivirus protection, and web filtering at universities than in business. "A conservative approach is needed to avoid any appearance of censorship," he explains. "But that makes it difficult to control the balance between security and freedom of access."
Judge is quick to point out that there is no perfect security solution. It all depends on which side institutions decide to err: having looser security and not catching everything, or having tight security where they can end up with a lot of false positives. "Corporate environments will err on the side of safety and security, and they don't care if they are blocking the newsletter from your favorite shopping site or preventing you from getting your sports updates," Judge says. "University environments tend to err on the side of an open environment."
The third factor making schools susceptible to attack is the students themselves, who come to campus with brand-new laptops, smartphones, and tablets. "For many students, college is the first time they've owned their own computer," says Judge. "Students don't always do smart things. They don't keep up with the software updates on their computers. They leave the computer turned on and logged into the network all day while they are at class."
Such inattention gives hackers easy access to computers that haven't been upgraded to close vulnerabilities. Once they control the student computers, the hackers use these machines to hack into the university network, which is the really valuable target.
So is higher education doomed to suffer a barrage of damaging hacking attacks that its corporate brethren can fend off? Not necessarily. It's important to remember that many of the university departments that deal with sensitive information--payroll, personnel records, and financial details, for example--play no role in the debate about academic freedom and discourse. As a result, they can--and should--benefit from many of the same security measures employed by corporations.
It's not even a choice, really. Colleges and universities have to comply with federal and state laws governing data privacy. "Following the Family Education Rights and Privacy Act (FERPA) is our primary concern," says Jalso. Because WVU houses a medical school, Health Insurance Portability and Accountability Act (HIPAA) regulations must also be followed, while financial transactions are subject to banking regulations.
Strength in Silos
The best approach to campus security, in Judge's opinion, is to develop separate approaches for each unique segment that needs to be protected. Institute more control on the business side of the university, for example, by employing a security strategy similar to that of a corporation. At the same time, provide a more open approach to security for students and faculty. "After all, the student network is already different from the faculty network, which is different from the business networks," notes Judge, who concedes that his proposed approach would also increase staff workload and maintenance costs.
It's a strategy that applies equally to certain research areas. "Research-based information also needs to be secured so intellectual data isn't lost or at risk," says Jalso. "What you're doing, really, is putting security into two different operations."
The threat to research institutions should not be taken lightly. A 2011 report to Congress, titled "Foreign Spies Stealing US Economic Secrets in Cyberspace," noted that universities have been among the targets of Chinese cyberattacks aimed at stealing research.
"The internal operational side of the university has some of the biggest risks of any organization in the world, even more so when you break it down into the research areas," says Judge. "Consider engineering schools, where many departments are doing research for the government or biomedical technology. These environments have the same concerns as federal agencies."
"The need for security is the same, but you have to go about it in a different way when you focus on a college environment," counters Darren Shimkus, senior vice president of marketing with Credant Technologies, which specializes in data protection. To make his point, Shimkus compares a privately owned biotech company involved in sensitive research with a university whose faculty are doing similar research. In the private biotech firm, he says, security measures will come from the top and be strictly controlled. In universities, researchers have more latitude to do their research without strict security controls.
The reason for the differences in approach? In universities, there is often no unified voice at the top that dictates policy. "Universities are generally decentralized when it comes to management," says VCU's Han. "A lot of the IT departments on campus are also decentralized." His office, for example, acts more as a consultant to the other departments across campus.
Matrix, Not a Silo
In Han's opinion, the best way to provide a more secure environment in higher education is to eliminate the disconnect between campus departments and security staff. "There are certain functions that can be centralized," he says. As an example, he cites server use, noting that if data are stored on central servers, as opposed to department servers, security measures could be made much tighter.
Unlike Judge, who advocates separate security solutions for different areas of an institution, Han thinks that a one-size-fits-all approach can bring schools closer to a corporate-style security solution. "Administration controls should be applicable to all," he says. In his view, a matrix can be designed that will provide institutional control from a single office, but with controls that can be tweaked to fit the needs of individual departments. After all, a faculty member who must comply with HIPAA regulations will have different security needs than a freshman.
Even if the business component of any institution can be walled off, administrators are still left with the far more unpredictable world of students. Judge believes schools have a responsibility to keep these young adults safe online, ensuring that they don't fall prey to financial fraud or have their personal information breached.
For his part, Jalso says higher education has to do a better job of educating students--and faculty--about information security. "I discovered that if we can demonstrate the impact of a vulnerability to a class or to the operation, the better the understanding for the need to adopt security practices," he says. "Some folks don't believe that universities can be targets of an attack."
Few administrators are willing to bet their network on educational measures alone, however. At WVU, Jalso and his colleagues use IBM's Rational AppScan tool as a quality-assurance tool to ensure that any app going into production across the enterprise won't put the university into a liability situation. The university also uses the tool for triage when an application has been compromised. Students are encouraged to run AppScan during a regular maintenance cycle.
"We're trying to make security a part of all operations and to approach it proactively, rather than reactively," says Jalso. "When it is approached proactively, you have some control over an event. When you react to an incident, the event controls you."
Some colleges are taking an even more hands-on approach to students and network security. Fitchburg State University (MA), for example, has developed a security policy that institutes tight control over student devices. Before they connect to the university network, all students are required to register their devices using an Ethernet media access controller, so the security department can monitor them.
On average, Fitchburg State has 10,000 devices a day attached to its network. About 2,000 are actively controlled by the security department (i.e., office computers). The other 8,000 are laptops and other devices brought to campus by students or adjunct faculty. "All of the devices that use our system are accounted for," says Tony Chila, the school's network manager.
And the university is aggressive in monitoring that all these devices meet security protocols. "We have no idea what students are going to bring to our campus, so we scan their systems," says Rodney Gaudet, network security administrator. "We make sure all the upgrades are up to date. We make sure they have an antivirus system on their computers. We make sure their systems aren't infected, and we block peer-to-peer access." Any faculty bringing their own devices for use on the network must also follow this procedure.
The reason for the tight security on these devices is simple. "Security breaches are big news," says Chila. "We want to make sure the students and the network are protected."
Calculating the Cost of Attack
As in the corporate world, the likelihood of a hacking attack against a college or university is generally proportional to its prominence. High-visibility targets, such as Fortune 500 companies and universities in major athletics conferences, are attractive targets. In January, for example, Arizona State University reported a breach of 300,000 records, according to TeamShatter, the research arm of Application Security. And, in 2011, Yale University (CT) was the victim of an attack in which 43,000 records were compromised.
But smaller schools shouldn't feel lulled into a fall sense of security. Hackers may see such schools as more vulnerable; in some instances, too, an attack may be carried out by a disgruntled student or employee. Already in 2012, the City College of San Francisco (CA) the University of North Carolina at Charlotte, and Central Connecticut State University have reported breaches.
Whether a school is large or small, cleaning up after a breach is a very expensive proposition. Deciding what level of security to impose on sensitive campus information boils down to cost analysis. "It all comes down to whether or not you can afford the risk of something happening," says Patrick Vandenberg, program director with IBM Security.
In March 2011, the Ponemon Institute released a study, "US Cost of a Data Breach," that estimates universities spend about $112 per record to mitigate the damage caused by a breach. If accurate, the cost of cleanup for Virginia Commonwealth University, which reported a breach of 176,467 records on Nov. 11, could reach nearly $20 million.
While there was a dramatic drop in the number of records affected in 2011 compared with the previous year, don't expect this trend to continue. The rapid growth in the use of mobile devices is opening up a whole new path of attack for hackers.
"In 2012 we have already seen some sizable breaches reported," says Alex Rothacker, director of security research at TeamShatter. "While exact data on the number of records compromised is not official, we estimate that this year's total has already exceeded that of 2011."
|