Reports of university data breaches are becoming almost commonplace. Last month the University of Maryland reported its system had been hacked for the second time in four weeks.
Indiana University’s server was breached in February, potentially exposing personal information of 146,000 students and recent graduates.
And earlier this month a systems breach at North Dakota State University compromised the personal information of more than 200,000 students, faculty and staff – but the hackers never took any of it. These attacks are likely just the beginning.
Universities are easy targets because of their open structure and long information retention periods.
For modern hackers, breaching a school’s data system is relatively easy. Today’s hackers are tightly run criminal organizations operating in countries that are hostile or indifferent to U.S. interests.
While 100,000 or 200,000 identities from a university’s data center would be a nice haul, that’s a pawn shop smash-and-grab job compared to the 100 million people affected by the attack on Target stores.
The true motive in hacks like those targeting UMD, IU and NDSU may lie in potential inroads to other information pipelines.
Cybercrime is not new, but the sophistication and intensity of these attacks are increasing at an alarming rate. The FBI recently issued a confidential three-page report that predicted continued growth in malware attacks even as the scope, scale and reach of recent data breaches remain unknown.
Hackers attack open systems wherever they can find them. Just like predators on the African plains, they ignore the strong and well-protected, instead going after the weak and the old. Once one system is compromised, hackers can use it to vector into others.
That’s how criminals infiltrated Target’s systems, by cracking a small HVAC subcontractor and pipelining in from there. Universities are often soft targets.
They are inherently decentralized, complex and intentionally open.
Their IT departments must balance security with a need for openness and academic freedom. Many public universities have also been facing significant budget constraints, which limits the technology and security investments they can make. And universities tend to keep information for a long time. The University of Maryland’s first breach affected people tied to the university as long ago as 1998.
When hackers do target universities, they can find a treasure trove of information assets. Beyond payment data and student records, schools manage a significant amount of other sensitive information, including employee records, patient health information, scientific research data, and even information from classified government programs. Some of this information can be far more valuable than just credit card numbers.
In fact, financial motivations may not be the prime consideration for all – or even most – attacks.
An information security officer at one of the universities my company works with has been alarmed by the number of incidents originating from overseas. Since many faculty members work collaboratively as staff at classified research organizations, the general feeling is that the universities are being targeted as part of a broader attack regarding researchers working with national security secrets.
For parents, one of the scariest aspects of the NDSU attack is that the compromised server included information from 1,300 applicants. High school seniors often apply to six or more schools, meaning their personal information is being stored at colleges they may not even visit, let alone attend.
University officials need to understand the scope of the risks they face. A well-tended firewall is no longer enough. Many recent breaches have been executed with sophisticated, zero-day malware exploits that were undetectable by antivirus solutions. If hackers beat one control, we need to catch them with the next – or the one after that.
This is also why the current debate over “smart” chip-and-pin credit cards doesn’t go far enough. This technology will help retail locations – which include on-campus sandwich shops or bookstores – significantly reduce fraud stemming from counterfeit plastic, but that’s really just one layer of protection covering one aspect of potential loss.
All good security programs are based on the principle of “defense in depth.” For example, when we leave our homes for vacation, we stop the mail, turn on some lights, lock the doors and ask neighbors to check on things while we’re gone.
We might also use a home security or video monitoring system for extra protection. The same principle applies to colleges that are serious about protecting student, faculty and staff information.
University security administrators need to improve their monitoring programs and do comprehensive risk assessments that give them an understanding of their information assets. The good news is that more universities now recognize the threat they’re facing and are devoting significant resources towards security, compliance and enforcement. The bad news is that the breaches keep happening and security is a constant process, not an end state.
Given the scale of recent breaches and the impact of the attacks on consumers and shareholders, it’s time for some fresh thinking and decisive executive action.
Cyber-attacks are not simply a loss prevention problem – they are the single biggest consumer protection issue of our time.
Rick Dakin is CEO and co-founder of Coalfire, an IT governance, risk and compliance firm.