The recent Georgia Tech breach where 1.3 million students, student applicants, and current and former faculty and staff may have been compromised is believed to be one of the biggest higher-ed data breaches suffered by a university in the U.S.
The vulnerability found in Georgia Tech’s web application speaks to the risks of higher-ed data breaches, risks that academic institutions and businesses face daily. Unsecured web applications provide easy access for hackers to gain entry into any business to conduct a variety of crimes.
The three-month exposure window gave the intruder ample time to access critical details to leverage and sell on the Dark Web. This is a warning sign that nobody is impermeable and a sobering reminder to proactively strengthen application security.
Application downtime can cost tens of thousands of dollars. For this reason, the academic sector must carefully plan their patching practices around established maintenance windows. But as we saw with the recent zero-day vulnerability in Oracle’s WebLogic servers, attackers don’t take a vacation. As a matter of fact, automation is making attacks – especially against web applications – omnipresent.
With this constant barrage from the bad guys, the academic sector is caught between securing critical applications and minimizing the risk to business operations. How can security professionals in the academic arena minimize the window of exposure, but still outrun the incoming threats of higher-ed data breaches?
1. Containing the Breach: Patch Quickly. Once a vulnerability is announced, it is a race to patch – or face the risk of being attacked. Keeping up with the volume of patches is next to impossible, but patching high-risk vulnerabilities is necessary to secure mission-critical applications. Things get more complicated in academic institutions, where applications can often go unpatched for so long that applying a security patch could compromise app functionality and potentially cause major business disruption. Of course, there are alternatives like Runtime Application Self-Protection (RASP) and NG-WAF (Next Generation Web Application Firewalls) that offer the binary equivalent of vendor patches without the potential risk.
2. Tracking Inventory: Academic institutions need to understand what applications they own and their dependencies, as well as the related supply chains of those applications. Wipro, one of the largest third-party service providers, saw a significant breach in April 2019 that compromised client systems. On the heels of that news, Synopsys released its Open Source Security and Risk report showing that 96 percent of codebases have open source software and 60 percent of that code has a known vulnerability. Unfortunately, we can no longer assume safety from external resources.
3. Don’t Ignore Legacy Applications: Seeing as data is like gold to cybercrooks, academic institutions offer a treasure trove of information for cybercriminals. Legacy applications are often the most valuable assets at academic institutions, and while they may have much stronger perimeter security than other applications, this doesn’t make them impenetrable. As a matter of fact, perimeter security can often come with a pretty high price with regard to false positives. For that reason, these measures can go ignored or have alerts disabled altogether. A warning is only as good as the preparation and reaction taken once notification is received.
4. Establish a Cybersecurity Response Team: Universities should incorporate a security breach response team that anticipates potential crisis scenarios and establishes internal protocols for handling them. When a breach occurs, the response team should convene without delay. The tenets of any breach are to be proactive, be transparent, and be accountable.
5. Communicate: GA Tech has a very strong identity in the cybersecurity space. The university boasts alums like Chris Klaus, founder of Internet Security Systems, one of the first unicorn exits in Atlanta, selling for $1.3B to IBM in 2006. Because of this, the university was likely fearing the worst. However, Tech’s swift action and immediate notification have largely made this breach a non-event. Tech went on to offer identity monitoring to all 1.3M people affected by the incident.
One footnote worth mentioning here: According to Georgia Tech, the intrusion was detected by developers who noticed an issue with performance. While it’s great to see that developers are becoming more active voices in security, it does seem startling that such an elite college wouldn’t have more security in place.
The academic arena is an industry hampered by monolithic applications which have fueled their businesses for decades. Given the monetary gain to attackers, academic institutions will most certainly continue to remain one of the most targeted by hackers. Like Fortune 500 companies, universities need to adopt a defense-in-depth approach by making it clear that cybersecurity is important to the institution.
Further, cybersecurity is not just an IT problem; it affects everyone in the university community. The Georgia Tech breach underscores how the academic sector needs to focus on updating its cybersecurity strategies and adopting security solutions to combat cybercriminals.