Fight Back: How Colleges Can Avoid a Hacktivist Attack

Historically, colleges and universities have been open environments, focused on encouraging the flow of ideas and knowledge both inside and outside the classroom. That real-world campus culture has extended to the virtual world at many institutions, evident in IT’s architecting of extensive wired and wireless network infrastructures; in the deployment of collaboration, video conferencing and social networking technologies; and in a growing accommodation of the bring-your-own-device (BYOD) movement.

But supporting open access is only half the job for college IT leaders. Protecting an institution’s systems and networks also is a necessity — and today that means guarding against not only hackers motivated by financial gain but also hacktivists trying to make a social or political point.

In the past, hacktivists were more likely to target big corporations, but now it’s clear that no one is immune. Witness the Team GhostShell attack last fall that exposed some 120,000 records from dozens of higher ed institutions, with the aim of bringing attention to problems in today’s educational systems. Or consider the Anonymous hack of a Massachusetts Institute of Technology website earlier this year, done to eulogize Internet activist Aaron Swartz.

“We have such a large attack surface because we have to be more open than most corporations do,” says Jeffrey R. Howlett, chief information officer at Meredith College in Raleigh, N.C. Indeed, some schools may be even more open than their IT organizations realize — for example, when researchers or others affiliated with the institution stand up their own servers without going through the usual provisioning processes.

The good news is that the steps institutions are likely to be taking to fortify their networks and systems against hackers are the same steps that can help to keep hacktivists at bay.

When it comes to positioning to better fend off a hack, whatever form it takes, in-depth defense is one good place to start, says Dan Boyd, senior network architect at Berry College in Mount Berry, Ga. While he acknowledges there’s “no 100 percent sure way to defeat every threat,” putting in place multiple layers of security controls goes a long way toward helping. That way, there’s a better chance something that made it through one layer won’t get through another.

Security controls include — but also go beyond — pure technical solutions. For example, while Boyd’s team at Berry recently focused on making its Domain Name System (DNS) more robust to defend against website hijacks, another IT group at the college conducted staff training to reinforce good security practices.

“They don’t see initially the potential outcome of using ‘password’ for their password,” Boyd says. “They think no one would want their stuff. This way, we can keep reminding them that hackers don’t want their stuff — they just want a shoe in the door.”

Another layer of defense is the setup of the IT organization itself. For example, Boyd’s department handles both networking and servers. That way, there’s no confusion over disparate team responsibilities, so critical security issues aren’t accidentally overlooked.

But even the most well-organized IT department can’t protect against what is undetected. That’s why Jason Wood, senior security consultant at the independent consulting firm Secure Ideas, recommends frequently running inventory scans of the environment for systems that may have been installed without IT’s knowledge.

“A lot of organizations say, ‘We segmented our network, and we have firewalls and an intrusion detection system in place, so we are good to go,’” Wood says. “It’s not enough.” Being proactive by taking regular inventory scans of the network is an important way to uncover issues such as newly installed servers that might be vulnerable to a number of remote exploits, ensuring action can be taken to upgrade or configure them properly before something bad happens.

Reach Out to Stay Safe

For some institutions, it also makes sense to supplement in-house security activities with third-party help. At Meredith, which Howlett says is constantly under attack, one solution for guarding against hacktivists and hackers alike was contracting with a managed security services company to handle event-log management. The provider performs vulnerability scanning and 24/7 monitoring of the attack surface and alerts Meredith’s IT staff both to threats and to what must be tightened to stay out of hackers’ crosshairs.

“Outsourcing to a company that specializes in higher education, and that has the staff and the systems to monitor constant attacks, for me was a better option than hiring experts internally that worked a traditional shift,” Howlett says.

Concern over hacktivist attacks should reinforce an organization’s commitment to a strong IT security strategy as well as to precautions — indeed, those precautions may become even more critical if hacktivists decide to take on institutions in more malevolent ways.

“Overall, hacktivists seem less dangerous than attackers,” says Howlett, in that they haven’t been out to steal information for use in identity theft or other such schemes. “But you can’t fool yourself into thinking it always will be that way.”