Tracy Schroeder, the University of San Francisco’s vice president of IT, says many hack attempts are inside jobs by students.

Can You Hack It?

With colleges ever more vulnerable to attack, it's important to take steps to prevent breaches and deal with the aftermath if they succeed.
{mosloadposition mostpop}

As much as we hate to admit it, higher education institutions are far from immune to hackers and other security breaches. Data shows that sensitive personal records are highly vulnerable to attack on higher institutions’ networks — just as they are in other business sectors.

There have been 148 cases of publicly disclosed data breaches at colleges and universities since 2005, out of 634 overall incidents in all sectors, according to Privacy Rights Clearinghouse — a nonprofit organization that strives to raise consumers’ awareness of how technology affects personal privacy. Whether they know the numbers or not, higher ed information technology personnel know all too well the unique challenges they face in securing data.

“We’re always trying to balance access and security,” says Lori Temple, vice provost for information technology at the University of Nevada at Las Vegas. “But our people change so often at the university level that it presents a unique challenge. At a corporation, they hire employees and then they occasionally leave, but our students come and go and are guaranteed to change every four years. As a transient group, they need access to a lot of resources, so you have to make systems that aren’t hard for them to get into.”

UNLV kept one would-be hacker out in early 2005, when a security check on network activity discovered a hacker trying to download university data, according to a report in the Las Vegas Review-Journal. Though Temple said she couldn’t discuss the case’s details because of ongoing legal action, she added, “I can tell you it opened our eyes to how easily this can happen.”

Tracy Schroeder, University of San Francisco’s vice president for IT, concurs, claiming no university avoids hacking attempts. Her school deals with “thousands” of attempts every day — some from the paying customers. “Our most significant hacking attempt is from the inside from ambitious students who want to test the university,” she says. “Our successful monitoring is through administrators who watch certain behaviors and have been able to identify anonymous activity on campus. You can find individuals without too much problem, and we’ve been able to take some action based on that. We have never had confidential data compromised or needed to prosecute a student for hacking.”

Chris Christiansen, an IDC security analyst, says the worst-case scenarios of breaches can be harsh. “It’s every ugly scenario from university machines hosting industrial espionage, gross theft of copyrighted material, bot networks attacking other network user machines to even illegal fraudulent auction schemes,” he says.

Where’s the Harm?

If there’s a silver lining, it’s that security incidents at higher ed institutions are rarely the worst-case type. Christiansen says most student hacking is harmless, and he estimates criminal hacking makes up 1 to 2 percent of the higher ed hacking.

Philip Howard, an assistant professor in the communication department at the University of Washington, agrees that student hacking is often not as damaging as hacking in other sectors. Howard and University of Washington doctoral candidate Kris Erickson wrote a report analyzing publicly disclosed data security breaches over a span of more than a quarter of a century. Their report, “News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Digital Records, 1980–2006,” says that although higher ed institutions made up a high percentage of hacking incidents, fewer records were breached, compared with breaches at corporations.

“I think it means hackers are targeting universities and colleges almost for practice, because they’re not getting large volumes of records,” Howard says. “People with criminal intent go to commercial firms.”

Still, having to disclose breaches leaves educational institutions with egg on their faces. And the more cases of hacking, the more chance that somebody will hack with criminal intent. Having all those hackers practice on their networks is only one major hurdle campus security officers face in staying secure. Another hurdle at many institutions is that their networks aren’t centralized.

“It’s quite challenging for the computing and communications office at a university to keep all department and all wings of the university on the same security standards,” Howard says.

There are many ways higher ed institutions can stay vigilant against attack. Temple says you should be prepared for attacks before they ever start. “You need to have a set of policies and checklists in place,” she says. “Ask, ‘Who will audit what to make sure you will follow it?’ The ideal is to have staff that can pretend to be hackers and can ‘beta up’ the systems and run programs to see how good they are. Another important question is, ‘do you have resources for these policies so you can have administrators even to do a checklist?’ You give hacking the best attention you can give it and concentrate on the most vulnerable systems. Work your way out to the heart of the data.”

But Temple warns that you also have to prioritize, because not all data can be easily found that’s been breached. “Any place where you have social security numbers, those have to be focused on, along with university grant data,” she says. “Financial data is open for a lot of universities, so at least you don’t have to worry as much about that.”

By the Book

Schroeder prepares by going with the age-old model of keeping it simple. “We outline our plan in our information security policy, and the keys there are having the right people involved — a single coordinator in IT for breaches and having that person coordinate all of the logistics,” she says. “But you need to be aware of when it’s time to also bring in local authorities and student affairs for judicial matters. Bottom line, the person who coordinates the incidence response needs to be well connected with different areas of the university that are involved, so when a breach happens they know who needs to be informed.”

Temple believes another way to avoid hacking is to mirror what the university is there for: education. “We’re informing people about servers and vulnerability. We’re also moving servers from their own care to IT because we have safer data centers,” she says. “We have a campaign we put together called ‘think before you click’ — it educates students about avoiding attachments you don’t know or answering an e-mail you’re unsure of.”

Schroeder also leans heavily on system-level trainers. “They check their logs for any unusual activity — we have some scripts that run on particular systems to alert if there is a service outage and we are looking at third-party services for application performance monitoring,” she says. “Monitoring services can tell you not just that you have a problem but also help you diagnose what the problem is. Intrusion detection or prevention is another piece, and that is challenging. We have intrusion prevention for our enterprise information systems, but it doesn’t cover the entire network and is currently only in detection mode.”

Offensive Posture

It’s always good to be prepared, but sometimes every preemptive measure in the world can’t stop the successful hack. Temple believes you need a few teams to succeed in responding should this dark day come.

“Have one team working on the hack itself, and capture data on the hacks to get forensics data to report it,” she says. “Another team needs to be ready to deal with whatever those findings are for disclosure. Will you need to let folks know and do you have policies in case? Also, what is state law and will you report because of ethics of the university? You need to also have Web pages ready for those whose data has been compromised to go get information they need for fraud alert.”

Universities also have to figure out with the help of law enforcement agencies if the hack is the work of international cybercrime or more mature networks of people making their living from compromising systems. “You can tell the difference by tracing back the Internet routing, and often it will take you back to the particular country,” says Schroeder. “Once traced, you can notify the ISP [Internet service provider], and they may take action in accordance of their policies. But we’ve never pursued it beyond that.”

NAC Can Help Avoid Attack

A strict network access control (NAC) policy can help avoid education institution hacking incidents, according to IDC security analyst Chris Christiansen. NAC is especially important on campus because IT doesn’t have as much control over devices accessing the network as corporations have.

“The university IT department doesn’t own or control the student laptops,” Christiansen says. “They don’t own the choice of operating system or application, even the behavior of the student. We’ve seen a lot of schools with policies, ranging from very strict to lenient. The best policy is that students must load a client supplied by the university that contains antivirus and personal firewalls that can also contain a way for the university to check whether the student’s machine and online behavior is compliant with the university’s proper use and policies. By checking whether machines are transmitting Trojans or malicious code, it’s a huge benefit.”

Christiansen says a strong NAC policy prevents noncompliant computers from accessing the network or, at the least, will grant only limited access. “For the stricter colleges, when a student is caught moving clients or caught violating policies, it’s usually ‘three strikes and you’re out,’ ” he says. “The first strike is a warning, and with the second strike your privileges are cut off. The third strike is most access privileges are gone, and the student may be barred from college and university networks. Colleges are also starting to have mechanisms to avoid spoofing addresses or other credentials, but that hasn’t been implemented a great deal.”

Christensen says lax NAC policies can bring a university to its knees.

“The more liberal universities tend to have networks becoming almost unusable,” he says. “I visited a large state university, and they had WiFi throughout campus — every student had their machine infected or was having severe problems with people using their accounts without their permission. You could even see which students were on machines.”

School Daze

Hackers cause a higher percentage of data breaches at collegiate institutions than in the private sector, public sector (including the military) and medical community, according to an analysis by Beth Rosenberg posted on the Privacy Rights Clearinghouse Web site, at www.privacyrights.org/ar/databreaches2006-analysis.htm.

In 2006, 52 percent of the breaches at higher education institutions were caused by hackers, compared with 15 percent in the private sector, 13 percent in the public sector and 3 percent in the medical community.

On the plus side, insider malfeasance caused only 2 percent of high ed breaches — lower than in any other sector. And the 20 percent of higher ed breaches caused by notebook theft is half the percentage of the breaches caused by stolen notebooks in the private and medical sectors.

Don’t Phone It In

You have to keep an eye on more than computers where security is concerned. You also have to keep an eye on phones, according to Mark Collier, CTO and vice president of engineering at SecureLogix.

“If I detected a problem coming from a specific phone or specific switchboard, I would shut it off and focus on network access control,” Collier says. “If you saw someone tried to get a PC to mimic a phone, you could detect that, or if you saw a flood of packets, then you could quarantine that user. There are also some countermeasures you can employ in network switches, like rate limiting if you see large packets.”

A private branch exchange (PBX) that connects an institution’s phone system to outside phone networks also connects to computers and data networks, as well as voice networks.

“You have to worry most about someone grabbing a tool off of the Internet and doing denial of service attacks against you, so intrusion detection can help with that,” Collier says. “A typical PBX supporting a large campus may have 50 different computers and 50 IP addresses, so a lot of hosts are potential targets. There are all sorts of tools to download that will run flood-based attacks or exploit a known vulnerability in service.”

Aug 20 2007

Sponsors