University Breaches: A Continuing Trend
Second Univ. of Maryland Incident Highlights Security Issues
One month after the University of Maryland reported a breach that affected 288,000 students, faculty and staff, the institution has suffered a second cyber-intrusion.
The intrusions are the latest in a long string of cybersecurity incidents at U.S. colleges and universities.
For example, in April 2013, hackers unlawfully accessed an online database containing student admissions records for Kirkwood Community College in Cedar Rapids, Iowa, affecting a reported 125,000 personal records.
In February, Indiana University reported that information on approximately 146,000 students and recent graduates was compromised after the data was accessed by three automated computer data mining applications (see Indiana University Reports Breach).
And the University of California San Francisco has reported three breaches tied to computer thefts in the last six months.
Ellen Giblin, privacy attorney at Ashcroft Law Firm, equates universities and colleges to "little cities" that contain vast amounts of financial, healthcare, academic and personal information.
"They are, in fact, easy targets because data security has not had a champion in the past," she says. "Currently that is changing; privacy officers are being hired that understand the workings of the academy."
The Latest Incident
On March 15, the University of Maryland learned of unauthorized access to its network, and, within 36 hours, worked with the FBI, U.S. Secret Service and the university police department to mitigate the intrusion.
In a letter sent to university officials, Ann Wylie, university interim vice president and CIO, says the FBI confirmed that the latest intrusion did not result in a public release of any information, except for personal data about one senior official. The breach appears to be unrelated to the Feb. 18 incident, Wylie says.
As a precautionary measure, the university moved a number of its websites offline. "These sites are in the process of being transferred to a different Web hosting environment to provide additional levels of security," Wylie says. "This strategy was already in place prior to the intrusion."
The Feb. 18 breach involved a "sophisticated computer security" attack that affected a database containing records for individuals who had been issued a university ID at the College Park and Shady Grove campuses since 1998, according to a Feb. 19 letter from Wallace Loh, the university's president (see Univ. of Maryland Reports Major Breach).
Information exposed in the Feb. 18 incident included names, Social Security numbers, dates of birth and university identification numbers. No financial, academic, health or contact information was compromised, the president's letter said.
As a result of the incidents, Loh established a taskforce on cybersecurity that will:
- Evaluate cybersecurity consulting firms to assist the university in strengthening its intrusion prevention systems and conducting penetration testing;
- Identify sensitive information in university databases to determine whether it is needed and how to better isolate it;
- Examine cybersecurity policies, procedures and best practices to establish an appropriate balance between centralized security and broad access on university networks.
The university did not immediately respond to a request for additional information.
Breaches in Academia
Academic institutions' security strategies vary widely in their level of maturity, says Alan Brill, senior managing director at the security advisory firm Kroll Solutions. "The levels of security we see vary from very strong ... to institutions where security was much weaker," he says. "Like any other organization, they can be vulnerable to a range of issues. Do they adequately divide their networks? Are the devices in the network properly hardened?"
Securing a university's systems and processes is complex, Brill says. "It requires the institution's management to show a commitment to achieving and maintaining a commercially reasonable level of protection," he says.
Another issue is the number of incidents occurring at colleges and universities that go unreported. "The real question is how many breaches have never even been noticed by the school," Brill says. "In a corporate setting, this is not infrequent. Would you expect a different result in the higher education sector?"
Colleges and universities are prime examples of why perimeter security is ineffective, says privacy and security attorney Ronald Raether of Faruki Ireland and Cox PLL. "First, colleges and universities are transient by design," he says. "User credentialing and having good user authentication systems are even less effective than in other verticals.
"Think of all the things we shared in college and the decisions we made in terms of trust. Now think about sharing passwords, changing passwords, clicking on links from unknown senders."
Information security and privacy specialist Rebecca Herold says academic institutions offer a treasure trove of information of interest to cybercriminals. "Data is like gold to cybercrooks," she says. "Universities are like Fort Knox to them."
Areas for Improvement
Colleges and universities, like other organizations, need to adopt a defense-in-depth approach, Raether stresses. That includes data segregation, improving network architecture, and increasing the hardening and patching of systems.
Brill says fixing the problem needs to start with senior executives. "[They] need to make it clear that information security is important to the institution," he says. "It's not just an IT problem, but it affects everyone in the university community."
Top executives need to determine whether the institution has the necessary tools to detect breaches, as well as the resources to respond, Brill adds.
Having a breach response plan is critical, he points out. "We recently completed a table top exercise for a university," he says. "In a half-day session, we were able to simulate a couple of scenarios and see how the plan worked. Until you do something like this, you can't really know how effective your response is going to be."
Herold, who's been an adjunct professor at Norwich University in Vermont since 2005, says that the funding to support an effective information security program is often lacking at academic institutions. "If the schools would pump even a fraction of the money necessary into funding information security and privacy programs that they typically do into the major sports programs and the associated coaches' salaries, that would make a significant improvement," she says.