Risks Higher Education Institutions Face
Student Internet use is nothing short of the Wild West. Malicious software (malware), phishing, infrastructure attacks, social network targeting, and peer-to-peer (P2P) information leakage are not potential threats; they’re actual, daily issues. And here’s the scary part: when a student’s computer on a college network is compromised, it’s not just the student who pays the price—legally, so does the institution.
Most universities’ financial, administrative, research, and clinical systems are accessible through a campus network. Similarly, medical records, student records, many employment-related records, library use records, attorney-client communications, and certain research and other intellectual property-related records are housed on campus servers. As such, they are vulnerable to security breaches that may compromise confidential information and expose the university to losses and other risks. These security risks have impacted over 200 colleges and universities to date, institutions that have lost control of more than 22 million files of detailed data and information that include social security numbers, and other personal, medical, financial, professional, and extremely sensitive research project information.
The dangers for a university or college network can lurk everywhere from e-mail to the Internet infrastructure itself. In this column, we will discuss those risks, including:
1. How the Internet’s infrastructure poses a security risk for college networks
2. Why a university’s partners could be putting the institution at risk of a security breach
3. The unique ways students, professors and administrators use the Internet that jeopardize college networks
4. The potential costs of security breaches
5. Specific information technology (IT) security regulations that directly impact institutions in higher education
6. How institutions can comply with regulations and keep their networks safe
Infrastructure Attacks
It may sound like a bad plot from some thriller, but the idea that cybercriminals have used the Internet’s infrastructure itself to re-route all Internet requests within a university’s network is actually very real. With thousands or tens of thousands of students—and frequently thousands of employees—as part of just one university network, this redirection can easily rank among the costliest of security breaches both intellectually and monetarily. And the two main channels that criminals use to attack an institution are the domain name system (DNS) and border gateway protocol (BGP).
Both were created during a much simpler and more trusting period in computing. Flash-forward to the present, when cyber fraud, attacks and crime are all on the rise, and this trust has eroded considerably. In fact, a January 2010 report prepared by the Center for Strategic and International Studies (CSIS), "In the Crossfire – Critical Infrastructure in the Age of Cyber-War," polled 600 IT and security professionals across seven industry sectors in 14 countries. The report found that the cost of downtime incurred from a network infrastructure attack on just one organization is more than $6 million a day.
As the core routing system for the Internet, BGP defines the most efficient route for Internet data to be transmitted around the world, deciding which “links” carry Internet data. Think of it as the Internet’s navigation system, providing turn-by-turn directions for all Internet connections. Unfortunately, BGP lacks systematic controls to limit what a host can advertise via that protocol, meaning there is little or no verification that an advertising host is actually the proper one for a given IP address range. So a rogue host can easily claim to be the legitimate route to IP address ranges belonging to any university.
By hijacking BGP route announcements, attackers can drive unsuspecting surfers and/or students, faculty and staff attempting to access the university’s network to malicious sites. They can also intercept e-mail, financial transactions, and other highly sensitive data and personal information as they are transferred to the university or a key partner. The financial and security implications associated with such acts can be tremendous.
In a recent high-profile BGP incident, every organization’s vulnerability was demonstrated when a Chinese state-controlled telecommunications company, perhaps inadvertently, positioned itself to intercept 15 percent of the world’s Internet traffic routes. In that case, China Telecom advertised erroneous BGP routes that funneled traffic for websites, e-mail and other transactions of the U.S. Senate, Department of Defense, NASA and Department of Commerce through Chinese networks before this traffic reached its intended destination.
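The column states that BGP has little or no verification that an advertising host is the proper one for an IP address range. The defensive answer is to keep a record of which autonomous system is authorized to originate each of the institution’s prefixes and to compare every announcement a route monitor sees against that record. The following is an added example written for this column, not code from the article or from any routing vendor; it models the authorization record on an RPKI route origin authorization (prefix, maximum length, origin ASN). All prefixes are documentation ranges and all ASNs are from the reserved documentation block, so the feed is constructed, not captured. It goes slightly beyond the text by also flagging the "more-specific" case, where an attacker announces a longer prefix than the holder ever uses and wins on longest-match even though the origin looks right.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RouteAuthorization:
    """Who may originate a prefix, modelled on an RPKI ROA (assumed format)."""
    prefix: ipaddress.IPv4Network
    max_length: int          # longest prefix length the holder is allowed to announce
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """One BGP announcement as a monitor would record it: the prefix and AS path."""
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]  # rightmost ASN is the claimed origin


def validate_origin(ann: Announcement,
                    authorizations: Iterable[RouteAuthorization]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    An announcement is valid only if some authorization covers the prefix,
    names the same origin ASN, and permits a prefix this long. Any covering
    authorization that fails those tests makes the announcement invalid;
    a prefix nobody has registered is reported as not-found so it can be
    triaged rather than silently accepted.
    """
    origin = ann.as_path[-1]
    covering = [a for a in authorizations if ann.prefix.subnet_of(a.prefix)]
    if not covering:
        return "not-found"
    for auth in covering:
        if auth.origin_asn == origin and ann.prefix.prefixlen <= auth.max_length:
            return "valid"
    return "invalid"


def review_feed(announcements: Iterable[Announcement],
                authorizations: Iterable[RouteAuthorization]) -> List[Tuple[str, int, str]]:
    """Classify every announcement: (prefix, origin ASN, status)."""
    auths = list(authorizations)
    return [(str(a.prefix), a.as_path[-1], validate_origin(a, auths)) for a in announcements]


def hijack_alerts(announcements, authorizations):
    """Only the announcements a defender should page on."""
    return [r for r in review_feed(announcements, authorizations) if r[2] == "invalid"]


# Constructed authorization records for a hypothetical university (AS64496).
AUTHORIZATIONS = [
    RouteAuthorization(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    RouteAuthorization(ipaddress.ip_network("198.51.100.0/24"), 25, 64496),
]

# Constructed monitor feed: documentation prefixes and ASNs only.
FEED = [
    Announcement(ipaddress.ip_network("192.0.2.0/24"), (64500, 64496)),     # legitimate origin
    Announcement(ipaddress.ip_network("192.0.2.0/25"), (64500, 64496)),     # longer than max_length
    Announcement(ipaddress.ip_network("192.0.2.0/24"), (64500, 64511)),     # wrong origin ASN
    Announcement(ipaddress.ip_network("198.51.100.0/25"), (64500, 64496)),  # /25 explicitly allowed
    Announcement(ipaddress.ip_network("203.0.113.0/24"), (64500, 64511)),   # no record at all
]

if __name__ == "__main__":
    for prefix, origin, status in review_feed(FEED, AUTHORIZATIONS):
        print(f"{prefix:<18} origin AS{origin}  {status}")
```

In production the authorization table would come from the institution’s own address registrations (or the RPKI repository) and the feed from a looking-glass or route-collector service; the comparison logic stays the same. Note that `not-found` is deliberately not treated as valid: an unregistered prefix is exactly the gap a rogue announcement exploits.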
Over the past few years, many high-profile companies like CheckFree, Comcast, Baidu, Twitter, and even the international oversight body for domain names itself, ICANN, have become victims of domain name hijacking. When this occurs, cyber criminals redirect a domain to a fraudulent Internet host. By hijacking a university’s domains or DNS, hackers can gain access to everything shared with that university: vital research data, Social Security numbers, passwords, e-mails and instant messages, proprietary documents and more. If they intercept access credentials, then all of the data stored by the university is available for exfiltration.
In the CheckFree hijacking, for instance, hackers redirected traffic to a web address that installed malware during the electronic bill pay process, putting the company’s 24 million customers at serious risk. The hackers could have used their malware not just to access CheckFree users’ vital data, but also to swindle information from hundreds of transaction partners. By exploiting connections through all infrastructure levels of an extended enterprise, cyber criminals continually gain access to the core transactions that facilitate business and information exchange.
The Extended Enterprise
Internet security risks for higher education don’t just hide behind ivy-covered firewalls. Today, a university’s connections span the globe—from financial institutions where tuition is paid or deposited, to benefits providers, e-mail services and so on. Should those extended enterprise partners’ Internet presence fall into the wrong hands, a university’s security could quickly be at risk as well.
For example, in 2010, ChronoPay, a prominent online payment processor in Russia and Europe, suffered a core domain name hijacking and complete DNS re-configuration at the hands of criminals. For several hours, visitors to chronopay.com were unknowingly viewing a phishing site that mimicked the legitimate site at the exact same Internet location (URL). This attack caused a total disruption of ChronoPay’s entire business for several hours, and resulted in the compromise of at least 800 credit card numbers.
However, the actual damage caused by the attack may be far greater; not only were visitors to the main consumer site compromised, but merchants who used the API (application programming interface) or merchant login platforms were also exposed to traffic diversion and theft. Merchants who logged into their back office accounts during the hijacking to access or edit accounts containing sensitive customer information—including bank and credit card numbers—did so without knowing they were exposing their own critical business information.
Every college and university faces a similar threat. For instance, let’s say the institution processes payments, runs payroll, deposits tuition, etc. through a large bank. If this bank were to be hijacked, the university’s “customers”—students, professors, administrators, etc.—could quickly have personal information compromised even though the university was not the target of the attack. In addition to the obvious security and monetary implications of such an attack, various compliance issues could be at play too. More on that in a moment.
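Both the domain hijacking cases above and the extended-enterprise scenario come down to the same observable: the delegation (NS records) or the address records of a domain the institution depends on change without an approved change behind them. The following is an added example written for this column, not code from the article or from any DNS vendor; it compares a baseline inventory of the university’s own zone and one partner zone against a fresh set of observations and grades the drift. The zone names, nameservers and addresses are constructed placeholders (documentation ranges throughout); a real deployment would populate the baseline from change control and gather the observed records with a resolver library, which this offline example replaces with an inline dictionary.

```python
import ipaddress
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, zone or record name, detail)

# Constructed baseline for a hypothetical university zone and a hypothetical
# payment partner. In practice this comes from the institution's DNS change
# records and is refreshed after every approved change.
BASELINE = {
    "example.edu.": {
        "ns": {"ns1.example.edu.", "ns2.example.edu."},
        "a": {"www.example.edu.": {"192.0.2.10"}, "sso.example.edu.": {"192.0.2.20"}},
        "allowed": [ipaddress.ip_network("192.0.2.0/24")],   # address space the campus controls
    },
    "payments-partner.example.": {
        "ns": {"ns1.payments-partner.example.", "ns2.payments-partner.example."},
        "a": {"api.payments-partner.example.": {"198.51.100.5"}},
        "allowed": [ipaddress.ip_network("198.51.100.0/24")],
    },
}


def check_zone(zone: str, observed: Dict, baseline: Dict) -> List[Finding]:
    """Grade the drift between one zone's baseline and what was just observed."""
    findings: List[Finding] = []
    expected = baseline[zone]

    # Delegation drift is the signature of a registrar-level hijack: the
    # whole zone is now answered by servers nobody on campus approved.
    added = observed["ns"] - expected["ns"]
    removed = expected["ns"] - observed["ns"]
    if added or removed:
        findings.append(("critical", zone,
                         f"delegation changed: added {sorted(added)}, removed {sorted(removed)}"))

    # Record drift: a change inside the institution's own ranges is probably an
    # unlogged maintenance change; a change to an outside address is the
    # traffic-diversion pattern described in the ChronoPay and CheckFree cases.
    for name, addrs in expected["a"].items():
        seen = observed["a"].get(name, set())
        if not seen:
            findings.append(("high", name, "record missing"))
            continue
        for addr in seen - addrs:
            inside = any(ipaddress.ip_address(addr) in net for net in expected["allowed"])
            if inside:
                findings.append(("medium", name, f"record changed to {addr} inside approved ranges"))
            else:
                findings.append(("critical", name, f"record points off-net to {addr}"))
    return findings


def check_all(observations: Dict[str, Dict], baseline: Dict = BASELINE) -> List[Finding]:
    """Run every zone in the baseline; a zone with no observation is itself a finding."""
    findings: List[Finding] = []
    for zone in baseline:
        if zone not in observations:
            findings.append(("high", zone, "no observation for zone"))
            continue
        findings.extend(check_zone(zone, observations[zone], baseline))
    return findings


# Constructed observation: the campus zone has one in-range address change,
# while the partner zone shows a swapped nameserver and an off-net API address.
OBSERVED = {
    "example.edu.": {
        "ns": {"ns1.example.edu.", "ns2.example.edu."},
        "a": {"www.example.edu.": {"192.0.2.10"}, "sso.example.edu.": {"192.0.2.21"}},
    },
    "payments-partner.example.": {
        "ns": {"ns1.payments-partner.example.", "ns.unrecognized.example."},
        "a": {"api.payments-partner.example.": {"203.0.113.77"}},
    },
}

if __name__ == "__main__":
    for severity, subject, detail in check_all(OBSERVED):
        print(f"[{severity}] {subject} {detail}")
```

The severity split matters operationally: a medium finding goes to the DNS administrators to confirm an unrecorded change, while a critical finding on a partner zone is the cue to suspend automated transactions with that partner until the delegation is confirmed, which is the mitigation the ChronoPay merchants never had a chance to apply.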
Students and Faculty as Targets
Both students and faculty in higher education demonstrate behaviors and face job or class requirements that tend to put them at higher risk.
Malware Means Money
Statistically speaking, college students and faculty tend to spend significantly more time on the web than average, making them prime targets for malware exploits. What happens if one of these individuals visits a site that’s loaded with malicious software, malware that could take over a student’s or even an administrator’s computer?
That’s apparently what happened in 2010 to the controller’s computer at the University of Virginia. According to reports, thieves stole a million dollars from the University of Virginia after compromising the computer belonging to the university's controller. A virus intercepted online banking credentials for the university's accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China.
Luckily, that’s all that happened. While it may sound ridiculous to say that about a million-dollar loss, what if the malicious software then went just one step further and started sending out a targeted spear-phishing attack loaded with malicious software from the compromised computer? The malware could readily mine the compromised computer’s contacts and so on. In a worst-case scenario, this could put much of a university network at risk.
Social Media Security Risks
College students are known to be among the most avid users of social networking sites. And by its nature, social networking frequently leads to the sharing of personal information. Phishers have recognized this and attempt to exploit these factors, making for an alarming risk when students surf Facebook or Twitter.
Phishers are looking to these sites to collect credentials such as names and password information from university students. The cyber criminals then use this data to create botnets used to facilitate malicious activity including spamming or denial of service (DoS) attacks. Although social networking and phishing use the sites differently, both depend on large groups of individuals who are typically willing to share personal information and trust online links—a.k.a. college students at social networking sites. Research data shows a steady climb in phishers utilizing social networking sites to lure in their victims.
P2P Dangers in Higher Ed
One critical security threat that is often unique to university and college networks is related to the use of P2P software. File sharing and P2P software were designed to facilitate exchange of music, movies, videos, and other files over the Internet, and are clearly a big hit with student populations. But malicious software like viruses, worms and trojans are regularly distributed using these same P2P applications. Some recent viruses that have targeted P2P networks as a primary means of transmission include Swen, Fizzer, Lirva, and Mydoom.
Some of the P2P programs themselves also contain "spyware." This allows the author of the program, and other network users, to see what the user is doing, where they’re going on the Internet, and even to use that computer's resources without their knowledge. Malicious individuals also target these P2P networks, routinely issuing searches to gain access to customer credit cards, Social Security numbers, medical and financial details, network login passwords and more.
While it’s a student’s computer that is targeted by or infected with a malicious P2P program, that computer is usually connected to a university network, as well as to many other students at the same college who are on the same P2P network. This makes education networks a breeding ground for malware infections.
The dangers of P2P security breaches are well known to the U.S. federal government. In fact, the Department of Education’s Higher Education Opportunity Act (HEOA) contains provisions for the regulation of P2P applications that require universities to develop and implement “written plans to effectively combat the unauthorized distribution of copyrighted material by users of the institution’s network without unduly interfering with the educational and research use of the network.”
Data Breach Costs for Higher Education
The impacts of data breaches on college networks are undeniable. Having students’ Social Security numbers stolen or proprietary research fall into the wrong hands is damaging enough for the individual. But the likely cost of a major security breach extends much further. For an institution, it means a public relations nightmare, real financial losses, far-reaching legal issues and regulatory non-compliance penalties. To add insult to injury, such a breach usually means a loss of confidence and trust in the institution, both internally and externally.
If processes aren’t in place to stop—or at the very least limit—an IT security breach, the monetary losses could accumulate quickly. In December 2010, The Ohio State University (OSU) notified thousands of students and faculty members that their personal information was compromised by hackers who broke into a campus server. Names, Social Security numbers, dates of birth and addresses were all at risk. Despite the university’s claims that there was no evidence the data was actually stolen, the breach was still estimated to cost the university $4 million in expenses related to investigative consulting, breach notification and credit card security. This does not include any regulatory action that may have resulted.
But the $4 million price tag in the OSU breach is likely just the tip of the iceberg. The 2010 Ponemon Institute “U.S. Cost of a Data Breach” report found that the average data breach cost companies $214 per compromised record and averaged $7.2 million per data breach event. These figures were derived from organizations that included educational institutions, and could surely apply to most universities given their large user base and vast amount of regulation. Furthermore, the report found that it wasn’t just lost laptops or stolen flash drives that resulted in data breaches. Ponemon found that malicious attacks were the root cause of nearly a third (31 percent) of the data breaches studied.
And both of these examples don’t even take into account the cost of stolen intellectual property like the many years of research that nets universities billions of dollars in grants. For example, in 2009 hackers broke into the electronic files of one of the world's foremost climate research centers, the Climatic Research Unit of the University of East Anglia in Britain. They posted an array of e-mails in which prominent scientists engaged in a blunt discussion of global warming research and disparaged climate-change skeptics. The hackers used this information to make the claim that global warming is a hoax. Not only was the release of these e-mails damaging to the research unit, but it also could cost the university huge sums of money in lost grants since the research is no longer proprietary.
Higher Ed Faces a Regulatory Alphabet Soup
The Federal Trade Commission (FTC) regulations, Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transactions Act (FACTA), Health Insurance Portability and Accountability Act (HIPAA) and other national, state and local data loss laws and regulations place stiff penalties on colleges should they not protect private data on their network.
One such example is the FTC Red Flag Rules, which are intended to reduce the risk of identity theft. They implement an amendment to the Fair Credit Reporting Act (FCRA) that requires "creditors" or "financial institutions" that provide "covered accounts" to confirm the identity of their customers. Since universities and colleges generally extend various forms of credit, such as payment plans for tuition, the Red Flag Rules apply. Any student account that features multiple payments under the umbrella of one purpose—such as tuition or room and board—is considered a "covered account" by the FTC's definition, making it subject to the Red Flag Rules.
A red flag for a college or university would be any of the following: an identification document that appears forged or altered, an identification where the information listed differs from what was provided on the financial aid or admission application, an application that appears to have been altered or a situation in which a person applying for credit refuses to (or purposefully does not) provide identifying documents. The regulations require colleges and universities with "covered accounts" to devise a set of guidelines to deal with and prevent situations that are red flags.
Under the Red Flag Rules, the FTC may impose civil penalties (up to $2,500 per violation) for knowing violations of the rule that constitute a pattern or practice. If the FTC finds violations of the rule to be unfair and deceptive, the FTC may also use its authority to issue cease and desist orders and other enforcement actions. Although there is no private right of action for noncompliance with the Red Flag Rule under the FCRA, victims of identity theft may be able to bring claims under other theories of liability such as private torts.
The Red Flag instance is just one example of how non-compliance could mean trouble for higher education institutions.
Safety Lies in Monitoring and Mitigation
Unfortunately, simple anti-virus software isn’t going to do it in this age of cyber security threats. Each organization that is storing any type of sensitive information/data is required by law to have a technology-based deterrent in place, a diligent monitoring and review method, and a process to mitigate the breach. For a college and student’s safety, along with compliance with potentially damaging regulations, higher education institutions must implement a comprehensive approach that combines detection, diagnosis and mitigation of cyber security threats.
Long gone are the days where a “boxed” solution is going to protect a university from the cyber bad guys. What IS needed is a 24/7/365 service that is always on the prowl for any sort of cyber threat that targets a university’s infrastructure and vast network of partners. Say goodbye to security software and say hello to a university’s due diligence Internet compliance officer. It’s what’s needed to navigate the 21st century’s college cyber security tightrope.