NACUBO

My NacuboWhy Join: Benefits of Membership

E-mail:   Password:   

 Remember Me? | Forgot password? | Need an online account?

Business Officer Magazine
Loading

Bar the Data Door

A cyberattack holds serious threats for campus operations. Minimize the damage by understanding the risks of a data breach, mobilizing quickly, and protecting information.

By Sandra R. Sabo

In 2015, the University of Maryland, College Park, routinely blocked about 500,000 cyberattacks per day at the border of its network. Now, less than 18 months later, the institution typically fends off nearly 11 million attacks daily. "That's a 2,000 percent increase in the volume of attacks we're dealing with," notes Eric Denna, vice president and chief information officer at the University of Maryland. "And those attackers only have to be right once to get in—we have to be right every single time to keep them out."

Ever-persistent cyberattackers look for any network vulnerability to exploit, as the University of Maryland experienced in 2014. That's when a security breach resulted in the theft of birthdatesand Social Security numbers for more than 300,000 current and former students (see sidebar, "Responding to a Breach"). But it's not just the potential theft of personal data related to students, parents, faculty, and employees that keeps CIOs on edge. Cybersecurity breaches can also tap into confidential institutional information, such as proprietary processes or scientific discoveries, and have the potential to significantly affect operations. Colleges and universities, for instance, routinely amass financial and business data subject to being stolen or manipulated for harm. Many maintain medical records containing confidential information that could be released publicly or used to perpetrate fraud. And at institutions where faculty members conduct research, a database breach could mean the loss of intellectual property that might have been converted into future patents or profits.

Institutions that don't sufficiently protect data as required by numerous and broad laws could be subject to fines.

In addition to the legal and operational costs associated with recovering from a security breach, such an event might have regulatory repercussions, points out Mark Dobrow. "Higher education institutions must juggle a wide variety of data, held in different forms, stored on widely divergent platforms, and in areas where different laws apply," observes Dobrow, vice president and consultant for Segal Select Insurance Services Inc., Chicago. Institutions that don't sufficiently protect data as required by numerous and broad laws—including HIPAA, FERPA, data breach notification laws at the state and federal levels, and the Fair and Accurate Credit Transactions Act—could be subject to fines.

Even if their data are not breached, institutions must deal with the annoyance and frustration campus stakeholders feel when IT operations are interrupted. Within the past two years, for example, Rutgers—The State University of New Jersey experienced several distributed denials of service (DDoS) attacks, in which someone intentionally overwhelms the commodity services that connect the university to the Internet.

"One such incident was fairly traumatic because the external Internet service was down for almost a week during the school year," says Michele Norin, senior vice president and chief information officer at Rutgers. Subsequent DDoS attacks affected the network for hours rather than days and are now rebuffed in a fraction of the time. Still, the perpetrator, who has never been apprehended, made a point of bragging on social media how adept he or she was at bringing down the university's network.

From Dobrow's perspective, a loss of reputation may be the biggest hit an institution takes when a cybersecurity incident occurs. A major breach, theft, or disruption naturally raises "How could this happen?" questions about operational effectiveness and oversight. "Suddenly, you may have all these alumni donors who are now nervous about their information not being protected," Dobrow says. "That could lead to a reduced number of applicants, a backlash from students and faculty, and a diminishing of the institution's overall brand."  

An Attractive Target

Most data breach surveys identify retail and banking as the top two sectors targeted for cyberattacks, notes Dobrow—probably because they hold many credit card numbers. The health-care industry, with its valuable medical records, typically ranks as the third most common target. Next comes higher education, which maintains a veritable treasure trove of information about students, parents, faculty, staff, alumni, donors, and patients—credit card numbers, health data, financial records, and the like—often dating back decades. 

Resources Worth Reviewing

Commonly known as REN-ISAC, the Research and Education Networking Information Sharing and Analysis Center (ren-isac.net) is a consortium of higher education institutions that identifies and shares information about potential vulnerabilities. Although membership is required to access most materials, REN-ISAC issues some public alerts and advisories, particularly those related to popular phishing schemes.

Through its Higher Education Information Security Council (HEISC), EDUCAUSE sponsors a cybersecurity initiative aimed at helping institutions improve their information security practices. On the organization's website (www.educause.edu), you can find links to a free tool for assessing your institution's information security program as well as the free Information Security Guide, which includes resources such as detailed checklists and a breach notification toolkit. HEISC also offers 12 months of ready-to-use communications for promoting data privacy and cybersecurity awareness on college campuses.

"Higher education has become a tempting target for cybercriminals, not only because of all the sensitive information we handle but also because of our culture of trust and openness," says Stephen Landry, chief information officer at Seton Hall University in South Orange, N.J. "Our students and faculty want to conveniently connect to our networks, our library databases, our student information system, and our computing facilities using one set of credentials and their own devices—and they want to do it from anywhere in the world."

Maintaining that wide-open culture, while protecting the valuable data being accessed, makes information security particularly challenging in higher education. So does the industry's penchant for decentralization. The schools, departments, offices, and functions scattered across a campus multiply the number of places for people to store, access, and control data. Legacy or shadow IT systems further complicate the situation, as they often have not been updated to address today's security threats. The more places and people involved in accessing or using institutional data, the greater the risk that one could provide an opening for a cybercriminal—no matter how unwittingly. 

"People are quite careless at times with their devices, not keeping them current with security patches or using the latest versions of operating systems," says Denna. He likens a cybersecurity breach to a public health crisis: Once one person becomes infected, a disease can rapidly and exponentially spread. As Denna explains, "All an institution needs is one professor to come back from another country with a bug on his laptop, and the infection spreads through the entire network—and it can be very hard to detect."

Just one unsuspecting professor, clicking on one bad link, could grant a hacker admittance behind the institution's perimeter firewall and possibly provide unauthorized access to a host of employment, financial, medical, and personal records. In fact, the behavior of humans—whether faculty, staff, or students—is exactly what cyberattackers prey upon, and institutions often struggle to influence. "Hackers aren't targeting our systems so much as targeting our people—because people are the weak link in IT security," observes Landry.

Growing Sophistication

"We often think of a hacker as a disheveled young male living in a basement all by himself. But in some countries, hacking is a 9-to-5 job. It's a business," Landry continues, adding that stolen credit card numbers might each sell for $1, while medical records might fetch $10 apiece. "These cybercriminals are very patient, spending months or even years in our networks doing analysis and research. And they're organized, with teams set up to break in, infiltrate the data, and then sell the data on the black market."

Like other colleges and universities, Seton Hall has restructured its once-flat network to be highly segmented, with multiple zones and firewalls protecting its core administrative systems. Undeterred by the more-restricted access, cyberattackers have upped the ante; in the last several years they have taken increasingly sophisticated approaches to obtaining passwords or account log-in credentials from campus users.

Based on research conducted by EDUCAUSE, the biggest IT concern identified by the higher education community is phishing—sending fake e-mails to elicit personal information from recipients. Unlike in the past, however, those e-mails are not clumsily written form letters full of grammatical errors. Instead, they are almost perfect "spoofs" of legitimate and personalized communications, complete with institutional logos and signatures. Some cyberattackers even take the time to craft specialized messages aimed at particular users—communication otherwise known as spear-phishing.

Norin explains, "If you look carefully at the details, the message might be coming from a different address than expected. But when people are rushing or only glance at the e-mail, there is the opportunity for someone to maneuver them into giving up their credentials." 

"Institutions are also seeing threats of extortion and ransomware—that someone will restrict access to your own resources unless some type of ransom is paid," adds Joanna Grama, director of cybersecurity and IT governance risk and compliance programs for EDUCAUSE. A cyberattacker, for example, might infiltrate and encrypt an institution's data, essentially holding the data hostage until the institution pays to obtain the decryption key. In that way, observes Landry, a Social Security number potentially worth $1 on the black market might bring in $10, if sold back to the institution from which it was stolen.

On the Defense

A risk assessment typically looks at the institution's entire system—not just hardware and software but also how people interact with systems.

As Eric Denna looks at the higher education landscape, he sees only two types of CIOs: those who have been hacked and those who will be. "Much of what contributes to the risk profile of universities is just sheer ignorance of what the risks really are," he believes. "The hope is that we can mitigate the biggest risks and minimize the impact of a hack."

Here are some strategies for accomplishing both of those goals:

Continually assess risks. "If you don't make a deliberate effort to understand the risks, both technical and human, and put strategy and strong governance around the process, then you're just asking for trouble," observes Denna. Because IT represents an evolving landscape, the University of Maryland conducts annual assessments of its IT risks, he adds, noting, "Every year we find something more we need to do."

Conducted by an independent third party, a risk assessment typically looks at the institution's entire system—not just hardware and software but also how people interact with systems. The assessment involves testing the effectiveness of the controls in place and making recommendations, which may include having a designated privacy officer, purchasing cyberliability insurance, or conducting more network penetration testing.

"We went through a thorough risk and security assessment within the past year and now have a road map to hardening and maturing our security management practices," says Sharon Pitt, associate vice president and chief information officer at Binghamton University in New York, as well as co-chair of EDUCAUSE's Higher Education Information Security Council. "Our consultant also helped us have a campus conversation about information security being a shared responsibility. Every individual and department, not just the IT organization, needs to be engaged in making sure we have a better security environment."

Review your incident response plan. Based on the type of threat, the plan should spell out who must be contacted (internally and externally), what needs to happen when, and how the response and recovery processes unfold. The steps required will depend upon laws that vary from one jurisdiction to the next. Some states, for example, require notification of all parties affected by a data breach, whereas others may have minimum thresholds before disclosure is required.

"In a breach, you are under fire—you typically have a very short time to respond and do the right thing. Without a detailed and updated IRP that includes access to pre-arranged vendors—such as legal, forensic, and public relations experts—administrators often find that they will be tripping all over themselves," cautions Mark Dobrow. "Plus, an improper breach response is often an open invitation for a liability suit from the affected individuals or parties."

Strengthen internal practices. As its first defense against cyberattacks, Seton Hall focuses on keeping its systems patched and anti-virus software up-to-date. One university policy requires the installation of an effective and updated anti-virus program on any device brought onto campus, while another mandates multifactor authentication for the institution's most sensitive systems. To verify their identity, users with access to the sensitive information must install a special app on their cellphone or respond to a text message sent by the system. Stephen Landry explains, "That way, if someone in finance or the registrar's office falls victim to a phishing attack and gives away university credentials, the bad actor still won't be able to get into our systems because he doesn't have the correct cellphone number."

One activity on Pitt's to-do list is designing tabletop exercises related to potential security breaches, which would give Binghamton's IT staff the opportunity to craft a response plan while not experiencing an actual attack. Similarly, Rutgers recently initiated internal conversations about handling ransomware. "We are wondering how we might best recover our own data without having to pay a ransom," says Michele Norin. "We're also thinking about how to create more manageable footprints within our environment, so we can more readily and intentionally protect critical information in a core area."

Awareness as a Deterrent

Trained staff can be an important front-line defense against cyberattacks and information breaches. Binghamton University, Binghamton, N.Y., takes a low-key, but effective, approach to raising awareness, offering security tips on posters and social media sites and celebrating National Cybersecurity Awareness Month each October.

Conduct awareness training. When EDUCAUSE recently surveyed members of its Higher Education Information Security Council, respondents identified end-user awareness and training as a critical need in the IT area. "Students really need training on information security tasks that will also work for them in real life, such as knowing how to make strong passwords and restrict access to personal information," says Joanna Grama. "Staff and faculty need that same information, plus training on how to comply with university policies related to the use of IT resources."

Seton Hall, for example, requires all employees to take an online course on information security awareness every two years. Incoming freshmen must also complete the one-hour course that covers topics such as how to spot and report phishing attempts and what information should not be shared with others. "Last summer, to reinforce the messages, we started sending test phishes to our campus community. If the recipient clicks the link or opens the document, he or she is invited to another training opportunity," Landry explains.

Rutgers has not yet launched any phishing expeditions itself, although the idea is under consideration. The university has, however, convened a task force to raise campus awareness of phishing. "We brought in our marketing people who, along with our IT folks, are crafting motivational yet catchy and informative messages that will convey do's and don'ts about phishing," says Norin. Rutgers plans to distribute its messages through e-mails, face-to-face forums, print publications, and log-in screens.

Binghamton takes a similar low-key approach to raising awareness, offering information security tips on posters and social media sites and celebrating National Cybersecurity Awareness Month every October. Last fall an IT staff member ventured onto campus with a large supply of fish-shaped candy and crackers in hand—treats for any students who took the time to chat about how best to protect their personal information as well as the institution's. 

Beef up the budget. Data gathered by EDUCAUSE show spending on information security and IT staffing has remained relatively flat for the past three years. Grama reports, "About 2 percent of total institutional IT spending is spent on information security, and there's only about one central IT security staff person per 10,000 students, faculty, and staff at any institution." In addition, EDUCAUSE's research shows a short supply of candidates for information security management positions—and they are commanding higher salaries. Investing in personnel, technological tools, and more secure practices can be a tough sell on today's budget-conscious campuses. On the other hand, says Grama, "The risk is that you do the job poorly if you don't have enough resources—and doing it poorly could lead to adverse results."

For Landry, making information security a top priority at Seton Hall meant reallocating responsibilities when IT positions opened up. Five years ago, the university did not have any employees devoted full time to information security. Now, without changing its level of staffing, Seton Hall has two to three people working on information security at any given time. Both Rutgers and the University of Maryland have seen an infusion of budget dollars in the information security area, for incident mitigation and strengthening their programs going forward.

Share concerns as well as strategies. Higher education's open culture, which helps make it attractive to hackers, can also be a boon to stopping those hackers in their tracks. Joining a formal consortium of institutions or participating in informal groups enables CIOs, CFOs, and other senior leaders to share information about common phishing attempts, potential vulnerabilities that might be exploited, and best practices to implement. Such candor might prevent a malicious attempt at one college or university from being repeated at another.

Lastly, advises Joanna Grama, never let a cybersecurity breach go to waste. "Whether it's your own information security event or someone else's," she says, "capitalize on that moment to understand why the problem happened—and help your institution figure out how not to let it happen again."

SANDRA R. SABO, Mendota Heights, Minn., covers higher education business issues for Business Officer.

^ Top

Responding to a Breach

The University of Maryland made headlines in February 2014, when hackers accessed the personal information of more than 300,000 students and alumni. We went public the day after the breach was discovered, explaining that the hackers gained entry into our network by taking advantage of a vulnerability in a platform used to develop Web-based applications. Then, patiently and methodically, the hackers had searched the network, eventually finding an obscure database that people on campus had all but forgotten about.

In response to the breach, we launched a four-pronged strategy:

1. We identified every point in the network where sensitive or regulated data reside. That effort included deploying a tool called Identity Finder—a piece of software that crawls through data looking for a specific pattern of information, such as a birthdate or credit card number. More than a few surprises popped up. For example, we found e-mail attachments of spreadsheets containing Social Security numbers, which the university had once used as student ID numbers. Although the spreadsheets had long been deleted from e-mail files and folders, they were still cached in the e-mail system.

2. We developed policies regarding the storage of student information. We isolated that information within the university's data center, where we can provide more protection.

3. After isolating that top-priority data, we encrypted it.

4. We established monitoring so that we can see, in real time, which IP address is accessing what piece of data within our network. Unfortunately, there are still times when people manage to obtain someone else's credentials. We don't specifically look at content but rather at patterns, keeping detailed logs to help with any forensics work, if we determine a particular IP address belongs to a bad guy.

On occasion, we use consultants to test the ability to penetrate our system from the outside. The security team is always aware of these attempts and monitors the activity. Another step we've taken recently is to form "red" and "hunter" teams, using students who are studying cybersecurity for their academic program. The red team actively looks for vulnerabilities within our network, while the hunter team tries to find and determine the activity of the red team.

The biggest repercussion from the data breach was the reputational hit we took. Understandably, many people were very upset about what happened. For those whose personal information was compromised, we paid for credit monitoring service for three years. Since the 2014 breach, we have hired more IT staff; including student employees, the staff has just about tripled in size. We are now on par with other universities of our size and complexity.

ERIC DENNA is vice president and chief information officer at the University of Maryland, College Park.

^ Top