May 02 2008

Networks Remain Security Hotspots

Computer attacks and thefts at colleges and universities are more targeted, but limited.

What makes a higher education IT environment inviting for learning and research also makes it a nightmare to secure. College and university computers and networks continue to be favorite targets for hackers and online attacks. The difficulties that afflict the segment, however, are usually far more intimate and limited than those experienced by corporations.

A new study shows higher education networks are still the darling of hackers and malicious attacks. An Internet security study by Symantec released in April reports that higher education facilities account for 24 percent of all data breaches worldwide. That figure is declining — down from 30 percent six months ago — but it still represents the highest percentage of any market segment, according to the study.

The perception among hackers is that higher education is a soft target, largely because of open standards and a lack of centralization in higher education environments, and because of the apparent inexperience and trusting nature of the thousands of young students who make up the majority of end users, says Cathy Hubbs, chief information security officer for American University in Washington, D.C.

This bull’s eye on their back puts higher education IT professionals on the offensive, forcing them to come up with innovative solutions to security problems while maintaining the aura of academic freedom that is essential to their institutions.

One step toward limiting exposure is to understand the subtleties involved in the breach of an institute’s computer or network facilities, say the experts. Careful analysis of university data-breach statistics shows these attacks to be more intimate and targeted than the simple credit card number or identity theft that plagues the consumer market. Despite their frequency, breaches at universities and colleges result in less than 1 percent of identities exposed, according to the Symantec study. That means most breaches result from small-scale equipment theft, rather than the headline-grabbing wholesale hacks into large commercial databases that contain tens of thousands of customer records, the study says.

According to Kevin Haley, director of Symantec’s security response team, the most common data breach in higher education occurs from the theft of a single computer or external storage device — typically a notebook belonging to a professor or graduate assistant. The data stolen is usually from a single class, containing the registration information of fewer than 50 students. Compared with the government, financial and retail sectors, in which the typical breach affects thousands or possibly millions of identities, the risk in higher education is relatively contained.

However, the attacks are more personal, argues Jack Suess, co-chair of the Intrusion Detection committee of EDUCAUSE, an organization of more than 2,200 colleges and universities in the United States dedicated to the intelligent use of IT in higher education. “The identities that are exposed aren’t customers. They are colleagues, roommates and co-workers. There is a much tighter bond here and much more at risk,” he says.

Suess agrees that higher education environments are more distributed and open, making them more difficult to secure than a government agency or corporate entity, where a standard security strategy can be enforced from the top down. Data in colleges and universities tend to be decentralized among several departments and made available to many people. At the same time, security needs, policies and budgets vary widely among departments, providing little uniformity or even a consistent framework within which to implement a coordinated security strategy.

The best way to prevent identities from being exposed, according to Suess, is to consolidate that information in highly secure, highly available servers where it can be stored under the watchful eye of the IT staff, rather than scattered and vulnerable on the edge of the network. Suess, who is also chief information officer and vice president of IT at the University of Maryland, Baltimore County, deploys a powerful auditing solution that actively seeks and identifies vulnerable information across campus.

Once he knows the vulnerable information is out there, Suess can then contact the owner of the data and determine how to protect it. If the data cannot be migrated to a central server, the IT staff can deploy encryption solutions and make sure the workstation or portable device is regularly updated with the latest security patches and McAfee antivirus software.

American University has a similar philosophy, deploying a network-controlled security strategy that centralizes intrusion detection through Cisco firewall and Network Admission Control (NAC) solutions. Hubbs also relies on TippingPoint intrusion protection software and Symantec’s antivirus security suite.

While Hubbs would love to deploy a reliable endpoint security agent on all clients on the network, she realizes that the academic community will always be reluctant because of privacy concerns. The ideal solution — consolidating data on servers and giving end users access through thin clients and blade PCs — would be a costly rip-and-replace strategy.

So, in an effort to better secure data regardless of where it resides, Hubbs combines the university’s network-controlled security strategy with user awareness, making sure that students and faculty can identify e-mail phishing and risky Web sites and downloads before they unknowingly infect their computers. She also works closely with the university’s leadership to ensure that data-breach risk assessment is a priority and that she has the administrative support and budget necessary to combat the threats.

Both Suess and Hubbs credit EDUCAUSE with providing a set of best practices for the higher education community when it comes to securing their school’s most critical data. An online forum connects them with thousands of other higher education IT professionals who can share experiences and recommend products and strategies. They also participate in the REN-ISAC program, an Indiana University/EDUCAUSE project that relies on the higher education community to identify and analyze threat information and disseminate it to members for early warning and response.