Colleges and universities experienced something of a wakeup call in 2010, when hackers breached an Ohio State University system containing the social security numbers, dates of birth and physical addresses of 760,000 people. Though it was unlikely that data was released, the investigation and remediation effort was massive and incredibly costly, including offering 12 months of free credit-monitoring for each affected person. The problem continues—a similar attack occurred at Michigan State University this fall.
Higher education institutions may not be the first to come to mind when you think of potential targets for hackers. Yet, a UK study found that 87% of universities have been the victim of at least one cyberattack, and other research has shown that many institutions face thousands of hacking attempts per day.
Colleges and universities often have more to lose and greater vulnerabilities than they realize. For instance, in addition to personal data, universities may have high-value research information, and unlike pharmaceutical or defense industry companies that can maintain a tight grip on their network, the educational environment necessitates a fairly open policy for a large number of people.
As a result, there is no single solution that can provide absolute protection for colleges and universities. Instead, a “defense-in-depth” strategy is required: layering multiple, often overlapping, solutions to provide the strongest possible defense.
In addition to the usual profit-driven cyberattacks, colleges and universities face another threat: students hacking servers to change grades. For example, in March 2013, two students from Ohio’s Miami University hacked into the school systems and changed the grades of more than 50 students. Though less costly than a massive breach of personal information, this type of attack represents a real threat to the core of any university: its academic integrity.
An example of layered security
One step to block such attacks is network segmentation: placing the systems hosting sensitive data on protected networks with firewalls to block unwanted activity. However, in today’s highly connected environment, a complete quarantine is essentially impossible. Another layer that can be helpful is a data loss prevention (DLP) system, which monitors files and applications, and blocks transmission of any data matching a certain pattern or keyword (for example, anything that looks like a social security number).
There are known weaknesses to DLP systems, so it’s wise to use them in conjunction with a data classification framework and systems that can monitor activity. Data classification is putting all data into categories such as “unclassified,” “official,” “restricted,” or “confidential.” More sensitive categories can have more severe network restrictions. Of course, classification frameworks have their weaknesses too, but using all these systems together is an example of a robust layered defense.
Perhaps the most important layer, however, is often overlooked: the human element. Whether it’s tricking someone into giving up their password or leaving a virus-infected USB drive lying around hoping someone will plug it into the right machine, most hacks involve an element of deception. The person who unwittingly enables a hack doesn’t necessarily have to be someone who handles confidential data—there are examples, for instance, of students hacking professor’s computers to obtain test data and cheat. The best defense is preparation. Regularly reviewing cybersecurity best practices with all staff members is essential, and some schools wisely include cybersecurity training as part of student orientation as well.
Sometimes, merely thwarting an attack isn’t enough. Most campuses have some sort of open-access computer lab, and it’s no secret that these sites can be used for illegal activity, which can create a liability for the institution. Solutions for detecting such activity are well-known, but detection can take weeks. Systems are often then erased and returned to normal, potentially eliminating forensic evidence of the crime that prosecutors might need. A digital forensics platform can recover the data from erased hard-drives and provide a crucial aid to investigators.
Students expect full access to the internet from their personal computers, and there’s a scholarly argument to be made for allowing access on a college campus to even the darkest corners of the internet. However, this access doesn’t need to be afforded to everyone in every place.
Residence halls—where usage is somewhat less public—may have a more open policy than machines in computer labs, where a web proxy (essentially, a computer between the student and the web) can block use of questionable sites such as gambling sites, or forums where illegal drugs are bought and sold. Additionally, most modern firewalls come with built-in content filtering. While similar, these solutions have subtle differences, and using them together increases their effectiveness.
Man the watchtower
Just as human error is the greatest enabler of cyberattacks, human eyes are the best defense. Many larger universities have a security operations center (SOC) that is staffed around the clock and armed with sophisticated software to alert university staff if something is unusual. For smaller institutions, who likely will find it impractical to build their own SOCs, there are several independent SOC providers. Monitoring your cybersecurity is one of the final layers in a sound defense-in-depth strategy for the modern college or university.
Matt Kozloski is vice president of professional services at Kelser Corporation, a technology consulting firm based in East Hartford, CT.