Recent Wave Of University Hacks Underscores Continued Security Concerns

April 9, 2014

Universities a Rich Target for Hackers

SCHAUMBURG, Ill., April 9, 2014 /PRNewswire/ — In 2013, HALOCK Security Labs noted information security vulnerabilities at colleges and universities along with numerous challenges that plague these institutions across the United States. More breaches may come to light if higher education institutions do not rethink their security measures.

Just this year, hackers have been successful in gaining access to over 740,000 student and alumni personal information records, including social security numbers, combined. The breaches occurred at University of Maryland on February 19, 2014, Indiana University on February 26, 2014 and North Dakota University on March 6, 2014.

HALOCK Security Labs’ 2013 investigation found that 25% of 162 universities sampled were putting student and parent financial data at risk through the use of unsafe unencrypted email practices. This data included W-2′s and tax information transmitted to financial aid offices. Universities continue to be targeted by hackers because they maintain not only a wealth of student and parent financial data, but they are also centers for cutting edge research and intellectual property.

These recent breaches highlight the reason why universities need to take security seriously and extend their safeguards beyond unsecure email. While HALOCK’s investigation highlighted a certain type of security lapse, the recent breaches underscore that universities need to consider security comprehensively.

Why aren’t schools and universities taking the necessary steps to safeguard sensitive information? “Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody,” says Terry Kurzynski, Senior Partner at HALOCK.

Universities are overwhelmed by a number of issues:

    --  Typical university cultures promote open access to information: A core
        requirement for information security is the classification of
        information and systems. And because colleges and universities are
        quasi-public places, they must separate their public network zones from
        their sensitive network zones and ensure that each are secured according
        to their risk.
    --  Transient and inexperienced student workers: After colleges and
        universities have separated their sensitive systems from their public
        systems, they can assign student employees with jobs that manage the
        public systems, leaving sensitive information in the control of properly
        trained and vetted permanent employees.
    --  Limited security and compliance budgets: While colleges and universities
        have lower budgets than some organizations, no organization has enough
        budget to address all of their security needs. All organizations must
        prioritize their investments using the risk assessments that are
        required by law.
    --  Student hackers have ample time to target the university that is
        teaching them hacking skills: Especially for colleges and universities
        that provide information security courses, academic networks can become
        the "lab" for course homework ... in other words, when you teach
        information security, expect your students to hack your network for
        practice. Ensure that those who teach the courses collaborate with IT
        personnel to detect and prevent the activities that are being taught in
        the classroom.
    --  Information technology changes are often limited to seasonal university
        breaks: Major security patches, upgrades, and security tool
        implementations are often held off until inter-semester periods when the
        risk of unavailable systems is lower. But this also means that the
        security risk is at its highest when class is in session. Proper change
        management processes can reduce your availability risks while making
        timely security upgrades.
    --  Difficulty in educating the Board of Trustees or Regents on security
        risks: A well-constructed risk assessment will define risks, in part, by
        their impact to the mission of the institution. Impacts to students,
        faculty, research funding and the school's reputation and finances
        should all be considered as factors in risk assessments. A risk
        statement that reads, "A breach of PHI records from the research
        database, which foreseeably could happen over the next year, would
        result in major fines and would compromise our ability to get IRB
        approval for future research, as occurred at XYZ University Hospital
        last year," is far more compelling argument than, "Please can we buy the
        two-factor authentication appliance? It could prevent a breach!"

According to Kurzynski, “Universities need to get serious about securing their environment. They need to be sure that they are following security standards, as well as the laws and regulations that require the protection of personal information.” Some find this challenging especially when budgets are tight.

Universities that implement a risk management framework often find it easier to reach compliance. “Under this framework, organizations invest in security so that they manage the likelihood and impact of breaches,” says Kurzynski. “Securing information according to risk becomes much more manageable than might have previously been imagined.”

About HALOCK www.halock.com:

Founded in 1996, HALOCK Security Labs is a hybrid security services firm that strives to balance both business needs and information security requirements. HALOCK’s philosophy of “Purpose Driven Security” focuses on defining and implementing just the right amount of security; not too much, not too little. HALOCK’s services include: Security and Risk Management, Compliance Validation, Penetration Testing, Incident Response Readiness, Security Organization Development, and Malware Defense Strategy & Solutions.

Steve Lundin: BIGfrontier

312.391.8007 Email

Lauren Mieli: HALOCK Security Labs

847.221.0203 Email

Read more news from HALOCK.


Source: PR Newswire

comments powered by Disqus