Cyberattacks: Special risks for U.S. higher-ed institutions
chief operating officer, Enzoic
In early April 2019, Georgia Tech announced that it was the target of a cyberattack that infiltrated its databases and stole personal information of up to 1.3 million current and former students, employees, and applicants. Although the details of this attack are still developing, the announcement comes on the heels of charges filed in 2018 for a massive hacking scheme perpetrated against 144 U.S. colleges and universities by a ring of Iranian hackers over a five-year period.
Higher education institutions in the US and abroad are increasingly becoming the target of cyberattacks. As high-profile attacks continue to make headlines, higher education IT departments must prioritize their budgets and personnel deployment to maintain effective security measures and heighten incident response. Understanding the special risks that face higher education is critical.
Student data = valuable data
Higher education institutions are significant targets because of the massive volume of data they maintain, especially student records. Reliance on digitized student records has given cybercriminals multiple avenues to access student information. The risk to individual students is high: a breached student record delivers a comprehensive view of a student's life, including personal demographic data, academic records, financial information, and in some cases even confidential medical data. Compounding these risks is the fact that student records are retained for years after the student graduates or leaves the institution. Further, students themselves can be a source of potential data breaches. They may not be as familiar with cybersecurity hygiene principles, and they may use old and outdated software and share login credentials with friends and other students.
Constituent data also at risk
- Employee data. Most universities hire a wide range of employees, from traditional full-time and part-time employees to term-to-term employment arrangements for student employees and adjunct faculty members. Each of these statuses requires some form of access to institutional IT systems. The sheer variety and variability of employment statuses can create issues for IT departments that are charged with tracking and maintaining appropriate access for all employees, as well as conducting cybersecurity awareness and training programs to prevent cyberattacks.
- Affiliate data. Colleges and universities also keep sensitive data about applicants, parents, alumni, and donors.
- Research data. Sensitive data relating to government and corporate grants are most often housed in the departments that receive those grants or even on the devices of individual professors and graduate students who play key research roles. Institutions with large research programs tend to maintain proprietary information and data from external sources as well, including private companies and government entities.
A plethora of personal devices
IT system users, especially students, are often unaware that they are risking their school's data security when downloading sensitive data to personal devices that are typically less protected than institution-owned computer systems. In addition, students may bring a number of devices to campus with the intent of connecting to the school's network, including cell phones, tablets, gaming systems, and personal computers. Once connected to the school's network, each of these devices poses additional vulnerabilities to the institution's systems, and many authentication solutions can only run on certain devices or on devices that have certain technologies (like biometrics). Even if an institution has robust security measures in place, the number of access points introduced by individual devices may unintentionally expose sensitive data.
To accommodate student, employee, and research needs, most higher education institutions maintain relatively open, accessible networks and systems. This presents a conundrum for many schools: how to balance security needs while facilitating academic activities. Most universities have tried to strike this balance by creating decentralized data storage and housing sensitive data in many different locations, including departments, colleges, and central administration. A decentralized structure also means that different stakeholders are responsible for maintaining security measures. Unlike corporate environments, most higher education institutions do not have a large IT budget and may lack an IT structure that can mandate implementation of new safeguards.
How credential screening can help
Credential and password screening is a critical part of a higher education institution’s security portfolio. Ongoing monitoring of passwords is also critical. Using the right credential or password screening process helps institutions strike the precarious balance of maintaining secure systems while preserving access to IT systems for academic pursuits. Currently, numerous higher education institutions use credential screening to:
- Comply with the new NIST 800-63 rules for password-based authentication.
- Seamlessly screen passwords, or full username and password pairs, to identify compromised credentials at the point of user login, password reset, or account creation. Continuously monitor passwords to detect whether they are subsequently exposed.
- Encourage users to select better passwords when they reset their password.
- Alert users to their exposed credentials with immediate notice.
- Provide a definitive risk result: entered credentials are either compromised or not.
- Support a flexible, site-defined response when compromised credentials are detected.
- End or reduce system-wide periodic forced password resets, which have been found to be less secure, are annoying to end users, and drive up IT help desk costs.
- Align policies with Active Directory so employee passwords are compared directly against cracking dictionaries, exposed passwords, and commonly used passwords.
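The following Python is an added illustration of the screening workflow the list above describes; it is not Enzoic's product code and is not part of the original article. It shows a password check at account creation or reset that applies NIST 800-63B style rules (minimum length, no username in the password, rejection of commonly used and breached passwords), uses a k-anonymity "range" lookup so that only a short hash prefix is ever sent to the breach-data service, and then re-screens stored accounts when a new dump of exposed passwords is published (the "continuous monitoring" step). The breach corpus, the common-password list, the account names and their passwords are all constructed sample data, the range service is simulated by a local function, and the PBKDF2 iteration count is kept low so the demonstration runs quickly.

```python
import hashlib
import secrets

# ---- Constructed sample data (stand-ins for a real breach corpus) ----
def _sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form used by k-anonymity range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Hashes of passwords "seen in public credential dumps" (constructed for this example).
BREACHED_SHA1 = {_sha1_hex(p) for p in ["password", "Password1", "qwerty123", "letmein"]}

# Commonly used passwords that a NIST 800-63B blocklist would reject outright (constructed).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome"}

PBKDF2_ITERATIONS = 10_000  # kept low for the demo; production uses far more


def range_lookup(prefix: str) -> set:
    """Simulated k-anonymity range query: the client sends only the first five hex
    characters of the SHA-1 hash, the service returns every stored suffix that shares
    that prefix. Neither the password nor its full hash leaves the client."""
    assert len(prefix) == 5
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """True if the password's hash appears in the breach corpus."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def screen_password(password: str, username: str = "") -> tuple:
    """Screen a proposed password at creation or reset time.
    Returns (accepted, reason), a definitive result the caller can act on."""
    if len(password) < 8:
        return False, "too short"
    if username and username.lower() in password.lower():
        return False, "contains username"
    if password.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    if is_compromised(password):
        return False, "found in breach data"
    return True, "ok"


# ---- Stored credentials and continuous re-screening ----
def make_verifier(password: str) -> tuple:
    """Salted PBKDF2 verifier as an account store would keep it (never the plaintext)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verifier_matches(verifier: tuple, candidate: str) -> bool:
    salt, digest = verifier
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return secrets.compare_digest(probe, digest)


def rescreen_accounts(accounts: dict, new_breached_plaintexts: list) -> list:
    """Continuous monitoring: when a new dump of exposed plaintext passwords arrives,
    test each account's stored verifier against the new plaintexts and return the
    usernames whose password is now known to be exposed, so they can be notified
    and required to reset, without forcing a campus-wide reset."""
    exposed = []
    for user, verifier in accounts.items():
        if any(verifier_matches(verifier, c) for c in new_breached_plaintexts):
            exposed.append(user)
    return exposed


if __name__ == "__main__":
    for pw, user in [("short", ""), ("Password1", ""), ("jdoe-Spring-2019", "jdoe"),
                     ("Correct-Horse-Battery-Staple-2019", "")]:
        print(pw, "->", screen_password(pw, user))
    # Constructed accounts; a later "dump" exposes bob's password but not alice's.
    accounts = {"alice": make_verifier("Tr0ub4dor&3-lab"), "bob": make_verifier("GoYellowJackets!")}
    print("exposed after new dump:", rescreen_accounts(accounts, ["GoYellowJackets!", "hunter2"]))
```

The point-of-entry check and the re-screening step are deliberately separate: the first runs once per login, reset, or account creation and returns a binary result, while the second runs whenever new breach data is ingested and only touches the accounts that match, which is what lets an institution retire blanket periodic resets.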
“Our education sector customers typically seek to improve their password policies and ensure compliance with the current NIST 800-63B authentication guidelines. Enzoic’s approach makes it easy to check when passwords are being created but also continuously monitor. This is desirable because it allows educational sector customers to reduce or eliminate periodic password resets, a helpdesk burden and frustration for students, faculty and staff.” – Josh Horwitz, COO, Enzoic.