Oct 04 2016

People-Focused Information Security Controls Are Important First Step

Cybersecurity in higher education starts with students, faculty, and staff.

Faculty, staff and students hold the keys to an institution’s information security program in their hands. The actions taken by trusted individuals can quickly undermine even the strongest security controls. Unfortunately, the people-focused elements of information security are often the most overlooked.

EDUCAUSE recently reported that, although hacking and malware accounted for 36 percent of breaches in higher education, 30 percent resulted from unintended disclosures of information and 17 percent from the loss or theft of a portable computing device. Combined, these areas account for 83 percent of all higher education breaches, and all can be prevented or mitigated through people-focused controls.

Security Through Better Password Requirements

One of the most common ways that intruders gain access to sensitive information is by compromising a legitimate user’s account. Phishing attacks, network eavesdropping, watering hole attacks and other threats present opportunities for attackers to steal passwords and other authentication credentials from unsuspecting users. Attackers may then use those credentials to gain privileged access to enterprise systems without the knowledge of the legitimate user.

Many institutions depend on passwords as an important component of their authentication infrastructure. As long as they are kept secret, passwords provide a convenient, effective way to control access to systems. Organizations relying on passwords should implement effective password management practices that include the use of strong, complex passwords and periodic password rotation. For example, an organization might require that users’ passwords are at least eight characters long and contain a mix of uppercase and lowercase letters, digits and symbols. Furthermore, users should be required to change passwords periodically, such as once every 90 days. Password complexity requirements reduce the likelihood of a successful password guessing attack, while rotation requirements limit the length of time that a successful attacker will retain system access.

In addition to user-focused password requirements, organizations must also implement back-end systems that store passwords securely. Passwords should never be stored in unencrypted form and should be placed only in tightly secured files accessible to as small a population as possible.

Developing More Secure Authentication Systems

Although passwords form the foundation of many authentication systems, they have an inherent flaw: As a piece of information, they may be stolen in a manner that is undetectable. Organizations seeking to provide added security for their systems should turn to multifactor authentication systems that combine multiple authentication approaches, such as a password with a smart card. Even if an attacker is able to steal the information required to pass a knowledge-based check, it is unlikely that he or she would also be able to gain physical access to the user’s smart card. Similarly, if an attacker steals a user’s smart card, he or she would also have to trick the user into revealing the account password to gain system access.

Finally, organizations must carefully manage the accounts in their authentication systems. This is a traditional problem area for colleges and universities because of the sometimes transient relationships that faculty and students have with institutions and the many “temporary affiliate” relationships that may last for years. Higher education IT staff should work closely with human resources and registrar teams to ensure that accounts assigned to terminated employees, nonenrolled students, inactive vendors and other third parties are promptly removed when no longer needed. Identity and access management professionals should routinely conduct audits to ensure this process functions properly.
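One way to run the account audit described above, as an added example that is not part of the original article: it reconciles directory accounts against the HR roster, registrar enrollment and affiliate sponsorship records, and lists orphaned accounts with those still in use first. The field names, roster layout, account names and dates are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data. Field names and roster layout are assumptions.
ACCOUNTS = [
    {"user": "asmith",  "kind": "employee",  "last_login": date(2016, 9, 30)},
    {"user": "jdoe",    "kind": "employee",  "last_login": date(2016, 9, 28)},
    {"user": "bnguyen", "kind": "student",   "last_login": date(2016, 10, 1)},
    {"user": "mlopez",  "kind": "student",   "last_login": date(2015, 12, 14)},
    {"user": "v-acme",  "kind": "affiliate", "last_login": date(2016, 8, 2)},
    {"user": "v-lab7",  "kind": "affiliate", "last_login": date(2016, 9, 20)},
]
HR_ACTIVE = {"asmith"}                      # jdoe was terminated
ENROLLED = {"bnguyen"}                      # mlopez is no longer enrolled
SPONSORED = {"v-acme": date(2017, 6, 30),   # affiliate -> sponsorship end date
             "v-lab7": date(2014, 6, 30)}   # expired, account never removed

def audit_accounts(accounts, hr_active, enrolled, sponsored, today, recent_days=30):
    """Return (user, reason, recently_used) for accounts lacking an active record."""
    findings = []
    for acct in accounts:
        user, kind = acct["user"], acct["kind"]
        if kind == "employee":
            reason = None if user in hr_active else "not in HR active roster"
        elif kind == "student":
            reason = None if user in enrolled else "not currently enrolled"
        elif kind == "affiliate":
            end = sponsored.get(user)
            if end is None:
                reason = "affiliate has no sponsor record"
            elif end < today:
                reason = f"sponsorship expired {end.isoformat()}"
            else:
                reason = None
        else:
            reason = f"unknown account type {kind!r}"
        if reason:
            recent = (today - acct["last_login"]).days <= recent_days
            findings.append((user, reason, recent))
    # Orphaned accounts that are still being used sort first for review.
    return sorted(findings, key=lambda f: (not f[2], f[0]))

if __name__ == "__main__":
    for user, reason, recent in audit_accounts(
            ACCOUNTS, HR_ACTIVE, ENROLLED, SPONSORED, today=date(2016, 10, 4)):
        print(f"{user:8} {reason:32} {'STILL IN USE' if recent else 'dormant'}")
```

An orphaned account with a recent login deserves the fastest follow-up, since it means credentials for a departed person or expired affiliate are still being exercised.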

Learn more about cybersecurity in higher education by downloading the white paper, "Threat Detection: Keep Campuses Safe."
