Application Security // Database Security
11/15/2013
08:00 AM
Paige Francis
Paige Francis
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Higher Ed Must Lock Down Data Security

Higher education rivals only the healthcare industry in housing personally identifiable data. Consider these tactics for smart planning.

Current trends show that higher education is a prime target for a data security attack. Why? Because education is all about data -- student, financial aid, administrative, syllabi, curriculum, assessment, grades, and much, much more. Higher ed rivals only the healthcare industry in housing personally identifiable data.

Combine massive amounts of data with disruptive technologies like cloud computing, MOOCs, streaming video, flipped classrooms ... all are innovative, but all are resource hogs that transmit large amounts of university data across its network.

Throw in the recent reports showing students now boast an average of seven personal wireless devices each. You might ask, "Is it a university's responsibility to provide a competitive wireless environment for so many devices per student?" The easy answer is yes. Suddenly a collective hum, "More, more, more ... How do you like it? How do you like it?" In the world of IT departments, this is the overarching status in serving our campuses.

What is the impact of massive data, new technology trends, and increased mobility in higher ed? At Fairfield University, we have noticed a very real impact, including an increase in phishing attempts, malicious international attacks on our servers, and receipt of direct threat email messages (up to 1.2 million per week).

[ Security concerns are just one reason the cloud may not be right for all institutions. Read Higher Ed's Cloud Computing Forecast: Stormy. ]

Bottom line: Massive data crossing endless connections across a variety of increasing and decentralized devices naturally evolves into a target for attack. In retaliation, here are three initiatives you should tackle to impede security attacks in higher ed.

What's your plan, Stan?

If there's no technology-specific strategic plan in writing, a department's vision almost doesn't count. Think about it. A non-IT person is generally not interested in the nuts and bolts of building a secure technology environment. Dust off the overarching strategic plan for the college or university and consume it. Note the top strategies. If the plan has been refreshed within the past decade, you might even notice that each strategy is likely dependent in some way on technology. That is a win.

Start to map out a technology vision that complements your campus. Is campus technology centralized on your campus? If not, what's keeping that from happening? A centralized technology presence is optimal for security initiatives. Why? Fewer hands in the cookie jars -- and fewer cookie jars overall -- reduce risk. Make sure the technology strategic plan spells out a focus on security. This will be helpful later.

Identify the kryptonite to your network

Where are the holes and weak spots? What will bring this invisible network to its knees? The network foundation is as riveting as it sounds, but it's more crucial than any component on the campus and now more than ever. Is your infrastructure sound, solid, and beefed-up enough to support the inevitable growth and demand of network service over the next decade? This isn't about having 100 times the amount of bandwidth you currently need on your campus today. It's about having the bones to support an increase of that magnitude annually and exponentially over the next decade.

Is there wired where you envision needing wireless? Are the access points already stretched thin? Are the pipes adequate for now but likely to be maxed out in next academic year? Now is the time to plan those large-scale, unsexy, and truly expense-hogging overhauls. How will this ever be funded? Well, it's in the technology strategic plan. Get your plan together for technically aggressive, budget-manageable improvements over the next two, five, and 10 years. Once the infrastructure is confirmed at a minimum "not high risk," invest in hardware and software that empowers real-time system interaction -- who is attacking and from where? University leadership is impressed by statistics, dashboards, and real-time risk factors. These items provide a layer of knowledge, pinpointing where safeguards need to be placed.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 1:04:13 PM
Re: User education
I'm fairly new to this university, however it is important to continually share information/knowledge about the very real risk involved with data security. I try to pass along particularly non-jargonized articles to our Educational Technologies Committee as well as to our Administrative Technologies Committee, share data with our Board, post tips/tricks in our monthly newsletter and, as opportunity arises, SPEAK about the dangers and precautions. Students are super savvy, faculty and staff run the gamut for tech proficiency but we take that more as a challenge to teach/share. Unfortunately, we make technology oftentimes look 'easy' so the complexity and true risk isn't fathomable to many. We speak it, we prevent it from happening therefore there ARE individuals that question any real existence of risk.
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 12:56:53 PM
Re: Student threat?
Quite a bit David. One of my inner monologues involves the phrase 'it only takes one student' on high-volume, repeat. On the one hand, should any managed 'certified ethical hacking' effort result in a breach, I hope we hear about it. The bored/curious student with time on his/her hands? As a former programmer I 'get' the challenge aspect of testing out those skills. We are continually monitoring ALL network traffic, internal traffic as well.
David F. Carr
100%
0%
David F. Carr,
User Rank: Apprentice
11/15/2013 | 11:52:33 AM
Student threat?
How much do you worry about the threat from within, the students testing out their hacking skills, either experimentally or maliciously?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/15/2013 | 11:08:56 AM
User education
Very interesting lessons to learn about data security from the college environment. I'm curious about how higher ed deals with the question of security awareness and user training. I would suspect that the college population is fairly tech savvy, but how careful are they? What do you do to drill in the dangers?
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

CVE-2014-3372
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90589.

CVE-2014-3373
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed Number Analyzer interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCup92550.

CVE-2014-3374
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90582.

CVE-2014-3375
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the CCM Service interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90597.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.