BreachExchange mailing list archives

University Breaches: A Continuing Trend


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Mar 2014 18:44:36 -0600

http://www.databreachtoday.com/university-breaches-continuing-trend-a-6660

One month after the University of Maryland reported a breach that affected
288,000 students, faculty and staff, the institution has suffered a second
cyber-intrusion.

The intrusions are the latest in a long string of cybersecurity incidents
at U.S. colleges and universities.

For example, in April 2013, hackers unlawfully accessed an online database
containing student admissions records for Kirkwood Community College in
Cedar Rapids, Iowa, affecting a reported 125,000 personal records.

In February, Indiana University reported that information on approximately
146,000 students and recent graduates was compromised after the data was
accessed by three automated computer data mining applications (see Indiana
University Reports Breach).

And the University of California San Francisco has reported three breaches
tied to computer thefts in the last six months.

Ellen Giblin, privacy attorney at Ashcroft Law Firm, equates universities
and colleges to "little cities" that contain vast amounts of financial,
healthcare, academic and personal information.

"They are, in fact, easy targets because data security has not had a
champion in the past," she says. "Currently that is changing; privacy
officers are being hired that understand the workings of the academy."

The Latest Incident

On March 15, the University of Maryland learned of unauthorized access to
its network, and, within 36 hours, worked with the FBI, U.S. Secret Service
and the university police department to mitigate the intrusion.

In a letter sent to university officials, Ann Wylie, university interim
vice president and CIO, says the FBI confirmed that the latest intrusion
did not result in a public release of any information, except for personal
data about one senior official. The breach appears to be unrelated to the
Feb. 18 incident, Wylie says.

As a precautionary measure, the university moved a number of its websites
offline. "These sites are in the process of being transferred to a
different Web hosting environment to provide additional levels of
security," Wylie says. "This strategy was already in place prior to the
intrusion."

The Feb. 18 breach involved a "sophisticated computer security" attack that
affected a database containing records for individuals who had been issued
a university ID at the College Park and Shady Grove campuses since 1998,
according to a Feb. 19 letter from Wallace Loh, the university's president
(see Univ. of Maryland Reports Major Breach).

Information exposed in the Feb. 18 incident included names, Social Security
numbers, dates of birth and university identification numbers. No
financial, academic, health or contact information was compromised, the
president's letter said.

As a result of the incidents, Loh established a task force on cybersecurity
that will:

- Evaluate cybersecurity consulting firms to assist the university in
strengthening its intrusion prevention systems and to conduct penetration
testing;
- Identify sensitive information in university databases to determine
whether it is needed and how to better isolate it;
- Examine cybersecurity policies, procedures and best practices to
establish an appropriate balance between centralized security and broad
access on university networks.

The university did not immediately respond to a request for additional
information.

Breaches in Academia

Academic institutions' security strategies vary widely in their level of
maturity, says Alan Brill, senior managing director at the security
advisory firm Kroll Solutions. "The levels of security we see vary from
very strong ... to institutions where security was much weaker," he says.
"Like any other organization, they can be vulnerable to a range of issues.
Do they adequately divide their networks? Are the devices in the network
properly hardened?"

Securing a university's systems and processes is complex, Brill says. "It
requires the institution's management to show a commitment to achieving and
maintaining a commercially reasonable level of protection," he says.

Another issue is the number of incidents occurring at colleges and
universities that go unreported. "The real question is how many breaches
have never even been noticed by the school," Brill says. "In a corporate
setting, this is not infrequent. Would you expect a different result in the
higher education sector?"

Colleges and universities are prime examples for why perimeter security is
ineffective, says privacy and security attorney Ronald Raether of Faruki
Ireland and Cox PLL. "First, colleges and universities are transient by
design," he says. "User credentialing and having good user authentication
systems are even less effective than in other verticals.

"Think of all the things we shared in college and the decisions we made in
terms of trust. Now think about sharing passwords, changing passwords,
clicking on links from unknown senders."

Information security and privacy specialist Rebecca Herold says academic
institutions offer a treasure trove of information of interest to
cybercriminals. "Data is like gold to cybercrooks," she says. "Universities
are like Fort Knox to them."

Areas for Improvement

Colleges and universities, like other organizations, need to adopt a
defense-in-depth approach, Raether stresses. That includes data
segregation, better network architecture, and more rigorous hardening and
patching of systems.

Brill says fixing the problem needs to start with senior executives.
"[They] need to make it clear that information security is important to the
institution," he says. "It's not just an IT problem, but it affects
everyone in the university community."

Top executives need to determine whether the institution has the necessary
tools to detect breaches, as well as the resources to respond, Brill adds.

Having a breach response plan is critical, he points out. "We recently
completed a table top exercise for a university," he says. "In a half-day
session, we were able to simulate a couple of scenarios and see how the
plan worked. Until you do something like this, you can't really know how
effective your response is going to be."

Herold, who's been an adjunct professor at Norwich University in Vermont
since 2005, says that the funding to support an effective information
security program is often lacking at academic institutions. "If the schools
would pump even a fraction of the money necessary into funding information
security and privacy programs that they typically do into the major sports
programs and the associated coaches' salaries, that would make a
significant improvement," she says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus
on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
