In fact, it’s important that institutions not be lulled into thinking this was an isolated attack simply because Penn State is the only school to have announced a breach. For obvious reasons, schools want to protect their brands. A lot of the work at research universities involves private-public partnerships that could be damaged by perceptions that a school does a poor job of protecting IP. In the case of Penn State, some of the stolen data included personally identifiable information (PII), so the school’s hand was forced: The law requires it to notify anyone whose information has been compromised.
If PII is not involved, however, schools can keep mum. “If it were intellectual property or if it were unrelated to information such as a social security number or a credit card number, then schools wouldn’t necessarily have to tell the press that a compromise occurred,” explained Westin.
Another reason for universities to keep silent about an attack sounds more Le Carré than College Park: It allows schools and authorities to monitor the attackers without alerting them that the jig is up. “That’s definitely a possibility,” said Westin, who noted that Penn State waited six months to go public for that very reason. “If you’re able to cordon off parts of the network or ensure that your data isn’t completely compromised, you can have that intrusive function as a honey pot, and you can learn more about some of the tools and techniques that the hackers are utilizing.”
Vulnerable to attack
Before a university can take action, though, it has to know that a breach has occurred in the first place. Unfortunately, many schools are unprepared to stop an intrusion—or detect it after it has occurred—making higher education an inviting target.
“Financial services companies and banks allocate a lot of resources to private security, but higher education doesn’t necessarily have those resources available to them,” said Westin, who fears that some of the Chinese attacks on higher education have not yet been detected by the FBI. “Universities don’t have the ability to pay the higher salaries for experienced security folks. In general, I don’t think their IT programs are quite as sophisticated.”
The culture of higher education also makes it difficult for IT to impose the kind of security discipline that is often required in the corporate world. “First of all, a lot of universities don’t think they are targeted,” said Westin. “And it can be really difficult telling professors what to do—there’s sort of a do-it-yourself security mentality that can actually put your network at a bit more risk.”
While the attack on the College of Engineering was undeniably sophisticated, higher education’s reputation for lax security attracts wannabe hackers, too. “For a lot of espionage groups, higher education is usually their training grounds, where they may work with some of their younger or more junior hackers,” said Westin. “Higher education networks are usually a lot easier to penetrate, and there’s less likely to be blow-back if a school is somehow able to reveal an IP address.”
Improving network security
The good news is that a first-rate cyber-security program on campus doesn’t have to cost a fortune. “A little bit of effort can make you a lot more secure,” said Westin, who believes that spending on security measures follows the law of diminishing returns. “There comes a certain point where throwing money at the problem is only going to make you incrementally more secure.”
The most important step is to put the right security policies in place and follow them. For many schools—particularly smaller institutions—outsourcing certain services can also improve their security posture. “If schools outsource websites and other services like that, a third party will manage security for them, handling patching of the web server and so on,” explained Westin.
Westin also encourages schools to review the security frameworks available from organizations such as the Center for Internet Security and the National Institute of Standards and Technology. “That’s a really good place for IT organizations to start,” he added. “They offer an executive brief that covers some of the top things they should focus on in a security program.”
And, given the prevalence of research partnerships between universities and corporations today, any security review must encompass the entire “attack surface,” in the parlance of cybersecurity. “It’s really important to look at the third-party venues and partnerships—how networks are connected and who might have information on the network,” said Westin. “There is a huge risk, not just for the university but also for those companies doing business with it.”
Ultimately, though, Westin believes higher education needs to learn how to communicate better about the joint threats universities now face. As a model, he points to FS-ISAC, an information-sharing group developed by the financial services sector to disseminate information about global security threats.
“Universities could actually exchange information about attacks they are seeing on their networks,” he said about the possibility of a similar higher education group. “They may find some common tools or IPs are being used in an attack that indicate it’s part of a larger campaign—that can help the FBI and law enforcement. It’s something they could even get their students involved with.”
Andrew Barbour is a contributing editor with eCampus News.