If the Death Star’s plans could be stolen by a bunch of young rebels, what about the strategic data of your educational institution? Is it safe enough?
Schools and universities are highly connected environments: every day, hundreds or even thousands of students, academics and employees walk around using their laptops, tablets and smartphones, accessing institutional data every single minute.
Unfortunately, we can’t hire a group of the most ruthless bounty hunters in the galaxy, or an army of 10,000 stormtroopers, to secure our data and devices (although that would be beautiful).
Hacker attacks and data leaks are also exciting growth opportunities for the IT industry. We have the chance to build our own rebel alliance against external and internal threats. In fact, Gartner consultants, quoted by CNBC, recently stated that “the evolution of cloud and mobile technologies, as well as the emergence of the ‘Internet of Things,’ is elevating the importance of security and risk management as foundations. Smartphones present the biggest risk category going forward. They are particularly attractive to cybercriminals because of the sheer number of use and multiple vectors of attack, including malicious apps and web browsing.”
That’s why computer security has become a rallying cry for IT Jedi knights in schools and universities, and solutions such as mobile tracking software, device protection, geofencing, and laptop security, amongst others, have become essential tools to face and prevent cyber attacks, laptop theft, and data leaks.
(How to destroy a new Death Star is still under development. Too bad!)
But before implementing any security software on campus, IT teams in educational institutions need to first analyze and determine the main threats that their data and devices are exposed to.
The SANS Institute conducted a survey of the current computer security landscape in junior colleges, community colleges, and universities, gathering input from nearly 300 IT professionals. The results clearly show what the main threats are, and what assets educational institutions should protect.
IT Jedis are mostly concerned about the following issues:
- 70% of respondents were concerned about administrative systems that handle student and financial records.
- 64% of respondents were concerned about faculty/staff computers (both laptops and desktops).
This shows that current IT management is more concerned with internal issues and less worried about endpoints, which could be weak points that hackers target in order to deliver an attack. Because of this, IT professionals have underlined these main computer threats for educational institutions:
(When they talk about “things” they mean all equipment related to computers, such as printers, copiers, scanners, laboratory data acquisition devices, surveillance cameras, door access controllers, and vending machines.)
Of the 11 attack vectors listed in the SANS Institute survey, six are related to “the capability of the institution to patch its internal systems’ external-facing applications”:
- Exploits against internal database systems and servers
- Malware delivered to staff endpoints
- Exploits against websites or servers
- Exploits against other critical applications
- DNS server exploits
- Malware delivered to student endpoints
As a result, they assert that patching and vulnerability management are critical to protecting against these types of risks.
The other five vectors, not deemed critical by the survey respondents, “are initiated by the user and could be addressed with a security awareness program and policies for supporting, allowing or denying specific forms of student traffic.”
What IT Managers at educational institutes should try to avoid
Unfortunately, schools, colleges, and universities are very attractive targets for data hackers and device theft. Cyber attacks have been on the rise in higher education.
“Higher education is particularly vulnerable because—in contrast to hacking targets like banks—college and university computer networks have historically been as open and inviting as their campuses,” Fred Cate, Jedi Master Director of the Indiana University Center for Applied Cybersecurity Research told UniversityBusiness.com.
Sith hackers are also targeting educational institutions because they hold massive, valuable databases and studies from prominent officials such as board members, researchers, and academics, as well as key alumni information.
As academia has become the hub and repository of critical applied research in science, business, and technology, the threat to intellectual property is higher than an undergraduate student might think.
Remember that Facebook, perhaps one of the most widespread cloud-based applications, whose business value lies in sharing personal information, was spawned inside the walls of Harvard University. But in 2015 its campus suffered “a modest attack” affecting user credentials in eight of its schools, which caused only a “little surprise”.
The same happened at Rutgers University, which spent millions to strengthen its security in the wake of a series of denial of service (DoS) attacks against its networks and servers.
Last year, several other renowned universities in the United States were victims of hacker attacks. According to Educause, “Penn State University’s entire Engineering School had to be taken offline for an extensive investigation and clean-up of its network and systems. That incident was followed in August by similar news from the University of Virginia (UVA) of a targeted cyber attack against two officials whose work was connected with China.”
“The news about these incidents isn’t a surprise,” Educause says, “because schools across North America are under a relentless assault from malicious actors of all kinds, from script kiddies looking to grow their skills to large organized cyber criminal syndicates to nation-state entities. According to the New York Times, Penn State alone dealt with more than 20 million hostile attacks on an average day last year.”
What other issues for IT in educational institutions concern you? Do you see any other threats?