BreachExchange mailing list archives

Colleges and universities are prime cyberattack targets: what’s behind the threat?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Nov 2015 18:01:54 -0700

http://www.lexology.com/library/detail.aspx?g=1d633f94-4293-42e9-bb42-98eb6ff50bc5

When it comes to cyberattack targets, many think of retailers and
associated credit card transactions or customer information, or perhaps
healthcare providers with their ever-increasing storage and transmission of
electronic information related to patients. But colleges and universities
are increasingly under siege from hackers. In fact, the education sector,
according to recent reports, comes in third place, right after the
healthcare and retail sectors, in the number of security breaches.

Recent statistics reveal that from 2006 through 2013, over 500 universities
reported a data breach (and many more attacks may have been unreported).
The trend continues in 2015, when hackers have already targeted large
universities in Pennsylvania, Virginia, and Connecticut. In the
Pennsylvania incident, over 18,000 students and faculty were affected. So
what is behind the targeting of educational institutions?

Many universities conduct sophisticated research, whether in engineering,
the sciences, or other disciplines. Schools can be a proving ground for new
or emerging technologies and innovation. These sophisticated research
programs often partner with U.S. government agencies or industry.
Accordingly, schools can serve as a beachhead for other nations and foreign
companies seeking to gain competitive advantages, whether economic,
political, technological, or military. By hacking into university
systems, not only can the attackers gain access to sensitive data held by
the schools, but those systems can also be used as a jumping point into
government computers or corporate networks.

According to an FBI white paper titled “Higher Education and National
Security,” the systems and open environment of U.S. college campuses may be
misused in order to:

- Steal technical information or products
- Bypass expensive research and development
- Recruit individuals for espionage
- Exploit the student visa program for improper purposes
- Conduct computer intrusions
- Collect sensitive research

The FBI’s white paper reports that attackers use various methodologies to
conduct computer intrusion, including sending phishing emails with malware
attached and exploiting social networking sites. Computer hackers,
including foreign governments, are capable of breaching firewalls and
exploiting vulnerabilities in software used by universities. According to
the FBI, U.S. universities receive large numbers of unsolicited requests
for information and millions of hits on their Web servers on a daily basis.

To combat these trends, colleges and universities should look to strengthen
the security of their networks and deploy sophisticated monitoring and
auditing tools. Schools should also be prepared to respond to the
inevitable data breach by identifying where sensitive information is
stored, prioritizing resources to protect that information, documenting an
incident response plan, and rehearsing response strategy and scenarios with
their incident response team.

And it is not just research or industrial secrets that are of concern. Once
attackers are inside the school’s network, they may be able to move freely
within it, accessing other systems that contain student, faculty, and staff
information such as Social Security numbers, credit card information, and
even academic records. Of course, access to this information can run afoul
of federal regulations, such as the Family Educational Rights and Privacy
Act (FERPA) as well as numerous state data breach notification laws.
Although schools may be difficult targets to defend due to the open nature
of campuses and less strict control over hardware and software that
students and faculty use, in the wake of a data breach regulators will
still look to see that schools had in place appropriate technological and
administrative safeguards to protect sensitive information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
