North Dakota State University administrators confirmed last week that hackers never accessed the personal information of more than 200,000 students, faculty and staff housed on the server they successfully infiltrated.
This attack perfectly suits the modern hacker’s MO. They attack open systems wherever they can find them. Just like predators on the African plains, they ignore the strong and well-protected, instead going after the weak and the old. Once one system is compromised, hackers can use it to vector into others, as they did in the recent breach at Target.
Universities are frequently soft targets. They are inherently decentralized, complex and intentionally open. Their IT departments must balance security with a need for openness and academic freedom. Many public universities have also been facing significant budget constraints, which limits the technology and security investments they can make.
When hackers do target universities, financial motivations may not be the prime consideration. An information security officer at one of the universities Coalfire works with has been alarmed by the number of incidents originating from overseas. Since many faculty members work collaboratively as staff at classified research organizations, the general feeling is that the universities are being targeted as part of a broader attack on researchers working with national security secrets.
Of course, sometimes colleges are themselves the target, because they do possess a treasure trove of information assets. Beyond payment data and student records, schools manage a significant amount of other sensitive information, including employee records and patient health information.
For parents, one of the scariest aspects of the NDSU attack is that the compromised server included information from 1,300 applicants. High school seniors often apply to six or more schools, meaning their personal information is being stored at colleges they may not even visit, let alone attend.
University officials need to understand the scope of the risks they face. A well-tended firewall is no longer enough. Many recent breaches have been executed with sophisticated, zero-day malware exploits that were undetectable by antivirus solutions. If hackers beat one control, they need to be caught with the next – or the one after that.
This is also why the current debate over “smart” chip-and-pin credit cards doesn’t go far enough. This technology will help retail locations – which include on-campus sandwich shops or bookstores – significantly reduce fraud stemming from counterfeit plastic, but that’s really just one layer of protection covering one aspect of potential loss.
All good security programs are based on the principle of “defense in depth.” University security administrators need to improve their monitoring programs and do comprehensive risk assessments that give them an understanding of their information assets. The good news is that more universities now recognize the threat they’re facing and are devoting significant resources towards security, compliance and enforcement. The bad news is that the breaches keep happening and security is a constant process, not an end state.
Given the scale of recent breaches and the impact of the attacks on consumers and shareholders, it’s time for some fresh thinking and decisive executive action. Cyber-attacks are not simply a loss prevention problem – they are the single biggest consumer protection issue of our time.