Sometimes it seems like the security challenges facing American colleges and universities are never-ending.
Students and others share user information. Campus visitors pop USB sticks into networked machines. Hackers find their way into an internal network through carelessly discarded information from an open screen or from an infected workstation.
Here are six of the things that keep campus security people up at night, and big challenges that schools should address to make themselves more resistant to cyber threats.
Phishing and Social Engineering Attacks
One of the biggest challenges with university cybersecurity is the sheer amount of hacking that goes on in these environments. Schools have to deal with a unique mix of user levels, including students who are often young and relatively trusting and who are not employees of the organization, so they’re less controlled.
For example, research shows a full 90% of malware attacks originate through e-mail. Various types of spoofing and spear-phishing campaigns entice students and others to click on illegitimate links that can usher in a Trojan horse to do damage to a network system, or compromise the security of information. Many of these kinds of phishing are cost, high — which leads to an inundation of hacker activity that schools have to keep on top of, by somehow segmenting network systems, by shutting down compromised parts of the system, or by some other high-tech means.
With this in mind, better security often starts with identifying separate pools of users — for example, administrative staff versus faculty and students, and then customizing controls and access for each of these groups individually.
The IT Crunch: Limited Resources
The challenge of limited resources and funding for university cybersecurity generally speaks for itself. The above kinds of network monitoring and cybersecurity engineering have significant costs attached to them, and many universities simply find it difficult to allocate the manpower or the funding to address cybersecurity issues.
Regulatory Burdens and Secure Data Efforts
Another part of this challenging cybersecurity environment is that schools and universities have big compliance burdens under many different types of applicable regulation.
Some campus leaders tend to focus on items like NIST 800-171 and the use of controlled unclassified information, just because there is a deadline for this particular type of compliance right now. However, regulations like FERPA are also critical. Even HIPAA puts pressure on schools to tighten up cybersecurity, since as healthcare providers, schools may hold student health data. Third-party cloud providers often offer FedRAMP certification and other qualifications for cybersecurity on their side of the fence, but that doesn’t fully bring a university into compliance unless it can bring its own internal systems up to standards.
System Malware — Zero Day Vulnerabilities and More
Universities and colleges also have to anticipate situations where hackers may exploit existing system vulnerabilities. They have to look at continuing support for operating systems and other technologies.
There is a reasonable expectation that manufacturers will make adequate security available, but this doesn’t absolve the university of having to look for security loopholes and close them. This means evaluating architectures — for example, can hackers get host names, IP addresses and other information from devices like printers?
It also means using multi-factor authentication to control user activity. It means understanding how malware will enter a system, and anticipating attacks. The good news is that modern security tools go well beyond the perimeter of a network to seek out harmful activity. If they are set up right and controlled and observed well, they can dramatically decrease risk.
Protecting Personally Identifiable Information
At the heart of many of these cybersecurity efforts is the daunting struggle to protect all sorts of personally identifiable information, from simple student identifiers to financial data and medical data, from grades to Social Security numbers and items that identity thieves might use. The above-mentioned regulations are part of the drive to secure this type of data, along with more general standards and best practices for enterprise. Simply put, data breaches cost money, both in damage control, and in the reputation of the school itself.
In some ways, this ongoing data vigilance is hard for schools, because the academic world isn’t necessarily into strict control of information. But it’s also hard in a practical sense, because so many cybersecurity architectures just can’t handle modern challenges, like a WannaCry infiltration or other attacks that exploit common vulnerabilities. Many schools have up to a dozen or more security tools in place, but many of these tools don’t talk to each other or share data well, and so they become less effective as a comprehensive protective force.
There are some things that schools can do to protect PII. One technique is to limit end-user storage and access, for instance by restricting the ability of students to simply move floods of information to the cloud or navigate sensitive internal network areas freely.
Another strategy is to use internal monitoring tools to inspect network traffic for suspicious activity.
For example, peeking at the header and footer of data packets can show the origin of data transfers, unless there is spoofing or some sophisticated type of deception involved. Some schools will go further and fully decrypt data packets to see what’s inside them. However, this practice can involve getting into the philosophy of privacy, where schools are wary of digging into network traffic because they see their monitoring as too intrusive to students or other users. In addition, emerging European privacy standards may put some pressure on schools in the U.S. to limit decryption and observation activities.
End-User Awareness and Training
Another way for schools to increase safety is to conduct vibrant end-user awareness campaigns.
This starts with educating end-users on how malware gets into a system — asking them not to click on suspicious e-mails or use inbound links, but instead to always do online banking and perform other transactions through a secure website.
Schools can also educate on the kinds of data that are most likely the targets of hacking activity — research data, student grades, health information or other sensitive data sets that hackers really want to get their hands on.
On the other side of the equation, schools should also work on improving their internal security postures — figuring out how they will respond to attacks, and how they will preemptively safeguard systems against everything from phishing to ransomware.