How higher education deals with security threats

A culture of openness, two-factor authentication and incident response plans are some ways universities are dealing with security threats.

Parents have plenty of things to worry about when they send their kids off to college: money, physical safety, their happiness, empty-nest syndrome, their future. Do they now have to worry about identity theft and data security, too?

In a word, yes. Colleges and universities have been the target of phishing scams for years. And while they continue to get better at dealing with information security threats, the ways our institutions of higher learning defend themselves against cybercriminals are as myriad as the forms of cyberattacks they face.

As with most hackers, the motivation of these social engineering scammers has ranged from financial gain to accessing secure data and research information. Analyzing the tactics, techniques and procedures (TTPs) of cybercriminals will help institutions understand who is targeting them, what the criminals want, and the methods they will likely use to gain unauthorized access.

But understanding the tactics and techniques of hackers doesn't always mean that their procedures can be detected. The higher education phishing scam of 2014 demonstrated the savvy methods behind some of these breaches.

The perpetrators had created sophisticated replicas of the university logos and used a range of salary-specific messages in the subject lines, which led to many employees believing that the messages were from a trusted source.

Hundreds of employees at academic institutions across the country had unwittingly invited criminals into their networks. Believing that their employers were requesting their banking information, they shared private data that allowed the criminals to access their bank accounts and steal their paychecks.

Many institutions were able to thwart what could have been a greater disaster because of the shared security information they received. "Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) is a commonly relied-upon source of information for the higher ed sector," says Steve Nyman, CISO at Dartmouth College.

According to the EDUCAUSE Center for Analysis and Research (ECAR), which provides research and analysis about information technology in higher ed for IT professionals and higher ed leaders, the willingness of colleges and universities to share security and breach information helps to reduce the number of stolen records.

Culture of openness can be costly

"Many speculate that higher education's culture of openness and transparency encourages breach reporting by institutions, even when such reporting is not legally necessary. This culture does not exist in other industry sectors, where breach reporting could damage an organization's ability to be competitive in that industry," notes a 2014 ECAR report "Just in Time Research: Data Breaches in Higher Education."

"As an industry, education has some of the lowest counts of records exposed per breach incident -- the number of reported breaches in the education industry does not mean more records containing personally identifiable information are being compromised," the ECAR report states.

This culture of openness is encouraged by the Higher Education Information Security Council (HEISC), a group established in 2000 to support communication and coordination for higher education. It is a volunteer organization: "HEISC accomplishes this work through volunteer groups supported by professional EDUCAUSE staff, as well as collaborations with other organizations that address information security and privacy in higher education," according to its charter.

Learning to share

Conferences are another way that colleges and universities work to share knowledge and best practices with each other. Dartmouth College and many other institutions sponsor one each year, bringing in speakers on a variety of security topics to help foster the kinds of relationships institutions need to defend against threats.

Engaging in these professional conversations about infrastructure and methods of authentication helps higher ed CIOs and CISOs determine the best practices for their institutions. One ongoing conversation around authentication continues to shape the direction that universities are taking with user login credentials.

Dartmouth College has been using both knowledge-based authentication (KBA) and two-factor authentication (2FA) for quite some time, but only a small subset of the total campus uses 2FA. "KBA is less intrusive on individuals, and it's appropriate to secure most information," Nyman says.

For access to more confidential information, though, users must use two-factor authentication. "We are building our infrastructure so that we can deploy two-factor more broadly if we feel we need to," says Nyman.

Colleges and universities "share threats about phishing, what the messages will look like, or where a lot of threats are coming from," said Quinn Shamblin, CISO at Boston University, when he presented at the CIO Summit Boston hosted by CDM Media in early June.

Informing cohorts about potential risks doesn't require revealing every detail of a breach.

"While the number of records stolen or specific information about sensitive issues or anything that might have litigation implications is not shared," Shamblin said, higher education security administrators will report such incident data as an increase in the volume of attacks emanating from a specific region.

Exchanging information allows these institutions to develop better security incident management response plans as they have a heightened knowledge of TTPs. As Shamblin pointed out, "the BU response triage includes analysis of incoming information that will direct responses."

Incident response plans are crucial for any organization because as soon as a breach happens, people want answers. Institutions need to know who contacts whom, when and how, because in the aftermath of any breach, the reputation of an organization is at stake.

"Higher ed is a more open environment, willing to share indicators of attacks with colleagues," Shamblin said. "But the effects are just as closely held by higher ed as any other organization." As much as there's a logistical response to a breach, there's also an emotional response from stakeholders.

Knowing how to address those emotional responses can help security administrators leverage support for security, and Boston University realized in the aftermath of its breach that the community was ready to get better at security.

Shamblin instituted two-factor authentication for faculty and staff at Boston University, but he offered this advice: "Research solutions that you know you need. CISOs need to be aware of their own institutions' weaknesses. If you can get the money for resources before something happens, do."

Stories by Kacy Zurkus