Brian Dean, 4/16/2014

Data Breaches Continued Unabated in 2013 and into 2014
In the US and worldwide, colleges and universities continue to be attacked by hackers and to lose data by unscrupulous employees, as evidenced by 725 US breaches exposing over 14.5 million records over the past 8 years. This stat is all too real for students at the University of Maryland, when 287,580 records including name, SSN, and date of birth were reported stolen on February 18, 2014. In the first of many press releases, the University of Maryland President, Wallace Loh said, “We are not alone. In the past couple of years, some 20 large universities across the country have also reported major data breaches.” Loh went on to say, “The University thwarts thousands of potential cyber-attacks daily.” Why are institutions of higher education being targeted, why 1000 of attempts each day, is there evidence to support the risk is increasing, and what can security professionals do to better insulate themselves and avoid being the next college or university to craft such a press release?

Despite universities’ continued commitment to securing sensitive information, they struggle with budget constraints, disparate university technologies typical of college environments (e.g., College of Arts and Sciences managed separately from College of Business), and IT staffs comprised of a few fulltime IT resources and a handful of often full-time students, part-time IT staff. But why attack higher education’s thousands of sensitive data records, when bigger targets like big box stores offer millions of records, which can be far more lucrative? The short answer: hackers typically seek weak targets. Large department stores often have more sophisticated security programs and staff dedicated to monitoring. Therefore higher education is typically a softer target, albeit with a potential smaller payload.

Monetizing Stolen Data
But are colleges and universities really softer targets? It’s been our experience, working with small colleges, mid-sized universities, and some of the largest universities in the US, that they often are unable to keep pace with well-funded business IT Security. For example, colleges comprising a major university each have different budget and therefore upgrade cycles. So the college of Arts and Sciences may be running older operating systems and security software than the College of Education. The often understaffed IT team is tasked with managing multiple environments—an IT team typically comprised of a few IT staff, plus a rotation of students just learning security, between their class loads.

Statically, threats are increasing, as evidence by the increase in reported breaches. Not surprising, those nefarious individuals stealing the data have figured out how to monetize stolen data within a few days. In other words, stealing data is lucrative. Credit Card data stolen from Target in November was already being posted for sale on the black market within days!

If lucrative exploits can be executed fairly anonymously, it is low risk and high reward. Until that equation can be altered, expect breaches to continue. Businesses seeking to protect data must be painfully aware that even the most well-funded, diligent information security experts cannot stop a persistent attack. Given enough time, they will eventually exploit a vulnerability or entice credentialed employees to grant inappropriate access (e.g., phishing attack). So the goal should not be a bullet proof security program, but instead a risk based program sufficient to dissuade would be attackers and entice them to seek an easier target. This is accomplished by executing a thorough risk assessment, prioritizing your security resources, implementing effective controls, testing those controls, and constantly training your team. Breaches will continue, including higher education. Our goal as security professionals should be sufficient layered security that would be fraudsters seek an easier target.

Data Breach Stats’ Source:

Brian Dean, CIPP/US, is currently the privacy officer and manager of the Audit and Compliance Team at SecureState, which provides management consulting information security services for companies internationally. Dean is PCI-SSC as a Qualified Security Assessor, PCIP-certified, CISA certified, and previously certified by the Project Management Institute as a Project Manager Professional (PMP).