Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/28/2012
05:35 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Lessons In Campus Cybersecurity

What universities are doing -- and should be doing -- in response to increased cyberthreats, and how students can protect their suddenly very valuable IDs

The University of Nebraska had just deployed a new security information event management (SIEM) system when an undergraduate student there apparently broke into the school's student information system, exposing sensitive information of 654,000 students, alumni, and employees.

While the breach was a serious one that is still under investigation, Nebraska was actually better off in the end than most universities that get hacked. An IT staffer detected an error message in one of the university's systems at 10 p.m. on a Wednesday evening in May, and began to escalate the issue, bringing in the security team, which investigated the activity and monitored some suspicious behavior throughout the night.

"By that next afternoon, we had figured out what had happened," says Joshua Mauk, information security officer for the University of Nebraska. An insider had accessed the university's PeopleSoft-based database.

Mauk says the university used logs from all of its database, applications, network, and security tools -- including the SIEM -- to piece together a picture of the breach within 48 hours of its occurrence. "That [let us] provide enough information to the police for them to execute warrants to confiscate the person of interest's computing equipment that may have been used in the breach," he says. "We used this data and more to conduct a more detailed analysis, with the assistance of an external security firm, to produce a summary and timeline of what we believe the attacker did."

Having the summary and timeline was crucial. "It allowed us to understand how the breach occurred, what data was at risk and for how long, what data may have been accessed, if any, and where to focus our remediation plans," Mauk says. Just what the alleged undergrad hacker intended to do with those Social Security numbers and other data has not been revealed, but identity information is a hot commodity among cybercriminals outside the campus, as well.

Other universities could learn from Nebraska's breach experience. College students have become juicy targets for cybercriminals -- they're newly independent, setting up bank and credit-card accounts, and living in a relaxed, open society -- not to mention that their new home-away-from-home universities are prime targets in data breaches, exposing personal information on students, alumni, staff, and faculty.

The cycle of university information exposure continues, but sometimes it's human error: The University of Rhode Island revealed this week that a server with SSNs and other personal data on students, faculty, and staff was inadvertently place on a publicly shared server that exposed that information online, according to an Associated Press report.

With the fall semester under way on most campuses, college students face more than just the logistics of move-in day and signing up for classes, but also some disturbing data: According to the Better Business Bureau, college students account for one-fourth of all identity theft victims in the U.S. And it can take months for them to learn that their identities have been stolen -- around 132 days, according to Javelin Strategy & Research.

"It's easier to think of a university as a small city that's an employer, has its own police force, and has as many people as many small towns in America," says Aaron Massey, a postdoctoral fellow in the School Of Interactive Computing at Georgia Tech. "A university has whole bunch of other concerns that are going to be important, period. It's not just ID theft, it's [also things like] illegally downloaded [content] to university servers," for example, he says.

Despite all the gloom-and-doom about universities being in the bull's eye for cybercrime or even insider attacks like Nebraska's, most are being more proactive now in getting students better schooled on how to better protect their information and identities. "Most have some level of training there. The problem is, from an electronic credit view, it's just one more thing [for students] to be trained on. It's overwhelming, all of the things they have to orient to: where's the library, where they eat, how they get their laundry done ... Electronic credit protection is just one more thing on the list," Massey says.

At Massey's alma mater Purdue University, for instance, students are retrained in data and information protection every semester. "Universities are doing the best they can here," he says.

Students are prime targets because they are now out on their own in a seemingly sheltered environment, says Steve Coggeshall, chief technology officer at ID Analytics. "They're opening up new financial accounts for the first time, and they really don't have the habits or knowledge of how they should protect their personal information," Coggeshall says. "And they tend to live in high-density areas, with roommates and lots of traffic coming through their personal areas."

Today's students also have grown up on Facebook and other social media, and are used to sharing personal information publicly, he says.

[ Basketball has March Madness, but higher ed IT should be competing to stay out of the brackets for last year's worst breaches. See Slide Show: The (Not-So) Elite Eight In Higher Ed Breach Madness. ]

While there are some measures students can take to lock down their information (see "5 Tips For College Kids To Avoid ID Theft," next page), it's up to universities to better protect their databases from insider and outsider threats. Here are some tips from the experts on just what universities can do:

1. Have an incident response (IR) plan in hand.
Nebraska's Mauk says one lifesaver for him during the breach investigation there was having an established IR plan. "I carried that with me pretty much the whole time," he says. "[I had] a well-documented and thought-out plan on how to make decisions [in the aftermath of a breach], who is making the decisions, when and who to notify and how."

And be sure to loop in legal and public relations in the IR plan. "Those individuals are key to being able to make decisions," he says.

2. Limit user access to only what they need to do their jobs.
What users feel they need to do their jobs and what they actually need can be quite different, says Paul Kenyon, co-founder and COO of Avecto, a Windows privilege management provider. "That can be quite a wide gap," Kenyon says.

Because they are basically open environments, universities tend to buck at limiting user privileges, he says. "We often see resistance to limiting privileges in that world ... even though it makes a dramatic impact on security to do so," he says. "We always recommend minimizing exposure by minimizing the privileges in terms of systems they are accessing."

In Windows, that means setting user access control to "high" and employing application whitelisting. And ensure end users are logging onto their machines as a "standard" user, he says.

Nebraska's Mauk can't provide details of just what adjustments or changes the university made in the wake of the attack, but he says he's looking at how to handle trusted users on the network since the attacker was an insider who abused his access. "So we are really looking at how we treat individuals we trust on our network. We have controls to protect us from outside [attackers], but it's a little harder to apply the same level of controls" to a trusted user, he says.

3. Understand your network and systems monitoring capabilities.
Having a SIEM and proper logging helped Nebraska spot its breach relatively quickly. "We realized what was happening" and shut the attacker out, Mauk says.

Mauk recommends collecting as much data as possible at the start of the investigation and to get that information to the authorities as soon as possible. "Understand what information" you can pull out of the logs, he says.

Next: Segmentation and student tips Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
CVE-2021-27363
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...