What IT needs to know to stay one step ahead of cyber attacks and student data leaks.
[*Editor’s Note: This article originally appears in the Jan/Feb digital edition: http://ecampusnews.eschoolmedia.com/current-issue/]
Security of college students is a growing concern for the students themselves; for their parents, relatives and friends; and for colleges and universities. The security concerns are two fold, both for the physical security of the students themselves and for the security of the student data on university systems.
Both those seeking to cause physical harm and those seeking to attack data systems continue to advance their techniques, pushing college security experts to continue to evolve security strategies to stay ahead of the threats.
To better help institutions keep one step ahead, here are the top five campus IT security trends for 2015:
1. Monitoring of higher education social media
Today’s college students are engaged on Facebook, Twitter, Pinterest and other social media platforms for hours every day.
So are hackers looking to spoof a classmate, professor, university organization, popular off-campus gathering places or a variety of other entities. The idea is to lure the most people in as possible says Chris Cullison, chief technology officer for ZeroFOX, a Baltimore, Md.-based social risk management company.
“We monitor campus sites, and different university [social media] assets to make sure what’s out there is legit and not something nefarious,” Cullison says. “Social media doesn’t use email, so there are no direct virus scans and no immediate way to tell if [a person or entity] sending you something is legitimate or not.”
That verification is important, Cullison says, because one of the popular methods hackers use to spoof sites is to buy followers so that the site looks more legitimate than the legitimate one. As many as 5,000 followers can be purchased for as little as $10. The more followers on social media, the more likely the unknowing person will think a fake social media Facebook or other site or Twitter feed is legitimate.
(Next page: Evolving BYOD; layered security)
2. Evolving BYOD policies
As smart watches and other wearable technologies start making their entrance into the market in 2015, colleges and universities will need to review their bring your own device (BYOD) policies to ensure that they balance the need for security with the need for access, says Renee Patton, U.S. public sector director of education at Cisco, San Jose, Calif. “The policies define what access should be available. As more devices come on campus, you have to make sure those devices are trustworthy.”
Some devices, like wearable health monitoring devices, have no reason to access the college or university network, so shouldn’t have access to network resources, Patton adds. “Administrators have to understand the trends and transitions. They need to continue to adapt. They need to make sure that security software is installed on those devices and that is configured properly by enforcing limited access for unsecured devices.”
The device management will get only more complex in the future as the Internet of Things (IoT) evolves. Cisco estimates that the number of connected devices will mushroom from about 15 billion today to more than 50 billion by 2020. [Read: “How to prepare for everything.”]
Ron Woerner, director of cyber security studies at Bellevue (Neb.) University, adds limiting access to those resources necessary for faculty or students. A professor may need access to grades of the students in his class, but not to their grades in other classes. Similarly, a student may need access to his or her grades, but not the grades of classmates.
3. Increasingly layered security
Antivirus and antimalware protection are commonplace, but still offer only a base level of protection, security experts agree.
Network monitoring is increasingly important to catch threats that can slip past antivirus and antimalware programs.
Santa Clara (Calif.) University, for example, employs algorithms to analyze network traffic and to send alerts to security staff about suspicious activity, says Robert Henry, the university’s chief information security officer. Network traffic analysis helps identify spikes in network use and other activity outside of the norm.
The variety and number of attacks are increasing, says Neal Moss, system network analyst for BYU-Hawaii. Rather than random attacks, hackers are targeting specific parts, specific servers, etc. Higher education financial and human resources departments are top targets because of the depth of the personal information that they contain. So colleges and universities are using multiple firewalls in order to separate serves from one another and limiting the applications that users can access.
“They key for us is using zero trust,” Moss says. “We treat everyone as bad guys trying to get at my stuff. We only allow specific applications to communicate with users.” The applications automatically reject any modifications a user attempts to make.
Woerner also recommends enhanced penetration testing to examine if all physical and technology controls are in place and to ensure that commonly available information (i.e., university calendar) is separate from sensitive information (i.e., employee payroll).
(Next page: The cloud; physical security)
4. Protecting data in the cloud
“One of the big topics in higher education is the movement to cloud services [and] protecting information that we no longer have in our data center,” Henry says. The cloud-based information includes sensitive student information like grades, finances, class scheduling, history of credits, etc.
The first step in protecting this information, according to Henry, is selecting a cloud services provider that has strong security practices and a security staff large enough to respond quickly to any potential security threats.
Higher education administrators need to scrutinize cloud services contracts, not so much for the technology provided, but for language that clearly defines that the provider has the proper security certifications and follows specific security standards in operating cloud services.
5. Increased use of technology to augment physical security
College campuses have long used access cards for students to enter dormitories, certain buildings on campus and other areas with limited access. However, it’s not uncommon for an authorized person to “be polite,” holding the door open for the next person, who may or may not be authorized.
Also, an unauthorized person may rush in once the door is opened, so there’s never a chance for it to shut.
To help combat this problem, the University of San Francisco, and a number of other colleges and universities, is deploying combinations of cameras and facial recognition software to positively identify authorized students and other personnel.
Phillip Britt is an editorial freelancer with eCampus News.