Dark Reading is part of the Informa Tech Division of Informa PLC


5/30/2012 06:55 PM

U of Nebraska Breach Highlights Education In Crosshairs

Database containing the records of 654,000 individuals exposed through 'targeted' attack

As details emerge about the recent hack of the University of Nebraska, security experts warn that the exposure of sensitive information on over 654,000 individuals in the incident is a perfect example of how universities have become a prime target for attackers of all motivations.

"We've gotten to the point where, if you are a university, you have to understand that you have probably already been breached and you don't know it yet," says Damon Petraglia, director of forensic and information security services for Chartstone. "And if you haven't, you will be. You will be attacked. There's no question about that."

University officials at Nebraska have been strategically mum about how exactly the database was compromised, but what they did say was that they discovered the breach on May 23. The attacker had broken into the Nebraska Student Information System (NeSIS), a centralized database containing personal records of students and of alumni as far back as those attending in 1985, as well as other data held for the Nebraska State College System.

"Right now we're focused on determining the exact nature of the breach and communicating with those who may have been affected," Joshua Mauk, information security officer for the university, told the press earlier this week. "We are working with law enforcement and forensics experts to thoroughly reconstruct this incident so that we can identify limitations in our system and put new safeguards in place for the future."

According to Mauk, the attack was extremely targeted, and the university says there is no evidence yet that the records exposed in the breach have been used for illicit purposes.

Petraglia says the targeted nature of the Nebraska incident mirrors what he's seen at the universities that have hired him to do security consulting and forensics work of late.

"The 'targeted' part says to me that the attacker had researched and done reconnaissance to select a specific target. Typically, when they say targeted, that's spear phishing," he says. "I don't want to speculate too much on how this happened; however, with the universities I've been consulting with, I've seen a tremendous increase in phishing attacks."

Phishing and other attacks are increasing against educational institutions largely due to the juiciness of the data these organizations are entrusted with, says Rob Rachwald, director of security strategy at Imperva.

"The one thing that surprises me is just how much data educational organizations actually sit on," Rachwald says. "It is probably second or maybe tied with healthcare records in terms of sensitivity and volume. In this case, they had social security numbers, they had financial information, they had grades, transcripts, and that's consistent across most any educational organization, to sit on that much information. If you are a criminal, you really have quite the motherlode to do some fun stuff with that."

What's more, the University of Nebraska case shows how concentrated that data can truly be within massive, centralized databases such as NeSIS.

"On the criminal side, it is literally a one-stop shop. With Nebraska, they had a database with all that information all in one place," Petraglia says. "That's not necessarily a bad thing--I'm not going to fault Nebraska for that. But once a bad actor gets into that one database, they don't have to go any further. Everything is right there for them. And that's traditionally the way universities are set up. Tremendous amounts of personally identifiable information, a lot of financial information, medical records, everything you want is in one place. Once you're in, you don't have to go too far."

According to Petraglia and Rachwald, even with the value of the information universities care for, they lag far behind other industries in information security practices and management. For example, Petraglia says that it is still common to find major universities that have no dedicated information security department on campus.

"The emphasis has not been on security. Very large universities function solely with an information technology department," he says. "A lot of times it’s a philosophy of 'It's not going to happen to me. I don't have anything of importance, so why could anybody attack me?' It happens all the time and the bad actors are watching these things."

Comments
mediaphishme (User Rank: Apprentice), 6/1/2012 7:35:52 PM, re: U of Nebraska Breach Highlights Education In Crosshairs
This breach at the University of Nebraska is one example of the many educational institutions increasingly targeted by phishing criminals with different motives and different levels of sophistication. Higher education is bombarded by phishers focused on stealing usernames and passwords, and that can create a smoke screen for the more damaging phishing attacks focused on faculty, finance, hospital, and research staff.

The IT security professionals that work in this space really have their work cut out for them. These larger-scale enterprise security challenges explain the need for multi-pronged approaches to IT security, beyond the physical security itself. One of the biggest threats to educational institutions like the University of Nebraska is not necessarily the security products utilized by the IT Department, but the people working there. Having trained over 3.1 million employees (using PhishMe.com) like those working for the University of Nebraska, we have found that immersing people in the experience through mock phishing exercises, and presenting immediate, bite-sized educational materials to those who are susceptible, has had the desired effect of reducing human vulnerability to these attacks. With so much sensitive data in one place, educating university personnel and students about phishing attacks is a step in the right direction for this vulnerable sector that is higher education.

For more information please visit my recent blog post about higher education: http://blog.phishme.com/2012/0...

Aaron Higbee, CTO and Co-Founder, PhishMe