Application Security //

Database Security

11/15/2013
08:00 AM
Paige Francis
Paige Francis
Commentary
50%
50%

Higher Ed Must Lock Down Data Security

Higher education rivals only the healthcare industry in housing personally identifiable data. Consider these tactics for smart planning.

Current trends show that higher education is a prime target for a data security attack. Why? Because education is all about data -- student, financial aid, administrative, syllabi, curriculum, assessment, grades, and much, much more. Higher ed rivals only the healthcare industry in housing personally identifiable data.

Combine massive amounts of data with disruptive technologies like cloud computing, MOOCs, streaming video, flipped classrooms ... all are innovative, but all are resource hogs that transmit large amounts of university data across its network.

Throw in the recent reports showing students now boast an average of seven personal wireless devices each. You might ask, "Is it a university's responsibility to provide a competitive wireless environment for so many devices per student?" The easy answer is yes. Suddenly a collective hum, "More, more, more ... How do you like it? How do you like it?" In the world of IT departments, this is the overarching status in serving our campuses.

What is the impact of massive data, new technology trends, and increased mobility in higher ed? At Fairfield University, we have noticed a very real impact, including an increase in phishing attempts, malicious international attacks on our servers, and receipt of direct threat email messages (up to 1.2 million per week).

[ Security concerns are just one reason the cloud may not be right for all institutions. Read Higher Ed's Cloud Computing Forecast: Stormy. ]

Bottom line: Massive data crossing endless connections across a variety of increasing and decentralized devices naturally evolves into a target for attack. In retaliation, here are three initiatives you should tackle to impede security attacks in higher ed.

What's your plan, Stan?

If there's no technology-specific strategic plan in writing, a department's vision almost doesn't count. Think about it. A non-IT person is generally not interested in the nuts and bolts of building a secure technology environment. Dust off the overarching strategic plan for the college or university and consume it. Note the top strategies. If the plan has been refreshed within the past decade, you might even notice that each strategy is likely dependent in some way on technology. That is a win.

Start to map out a technology vision that complements your campus. Is campus technology centralized on your campus? If not, what's keeping that from happening? A centralized technology presence is optimal for security initiatives. Why? Fewer hands in the cookie jars -- and fewer cookie jars overall -- reduce risk. Make sure the technology strategic plan spells out a focus on security. This will be helpful later.

Identify the kryptonite to your network

Where are the holes and weak spots? What will bring this invisible network to its knees? The network foundation is as riveting as it sounds, but it's more crucial than any component on the campus and now more than ever. Is your infrastructure sound, solid, and beefed-up enough to support the inevitable growth and demand of network service over the next decade? This isn't about having 100 times the amount of bandwidth you currently need on your campus today. It's about having the bones to support an increase of that magnitude annually and exponentially over the next decade.

Is there wired where you envision needing wireless? Are the access points already stretched thin? Are the pipes adequate for now but likely to be maxed out in next academic year? Now is the time to plan those large-scale, unsexy, and truly expense-hogging overhauls. How will this ever be funded? Well, it's in the technology strategic plan. Get your plan together for technically aggressive, budget-manageable improvements over the next two, five, and 10 years. Once the infrastructure is confirmed at a minimum "not high risk," invest in hardware and software that empowers real-time system interaction -- who is attacking and from where? University leadership is impressed by statistics, dashboards, and real-time risk factors. These items provide a layer of knowledge, pinpointing where safeguards need to be placed.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 1:04:13 PM
Re: User education
I'm fairly new to this university, however it is important to continually share information/knowledge about the very real risk involved with data security. I try to pass along particularly non-jargonized articles to our Educational Technologies Committee as well as to our Administrative Technologies Committee, share data with our Board, post tips/tricks in our monthly newsletter and, as opportunity arises, SPEAK about the dangers and precautions. Students are super savvy, faculty and staff run the gamut for tech proficiency but we take that more as a challenge to teach/share. Unfortunately, we make technology oftentimes look 'easy' so the complexity and true risk isn't fathomable to many. We speak it, we prevent it from happening therefore there ARE individuals that question any real existence of risk.
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 12:56:53 PM
Re: Student threat?
Quite a bit David. One of my inner monologues involves the phrase 'it only takes one student' on high-volume, repeat. On the one hand, should any managed 'certified ethical hacking' effort result in a breach, I hope we hear about it. The bored/curious student with time on his/her hands? As a former programmer I 'get' the challenge aspect of testing out those skills. We are continually monitoring ALL network traffic, internal traffic as well.
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/15/2013 | 11:52:33 AM
Student threat?
How much do you worry about the threat from within, the students testing out their hacking skills, either experimentally or maliciously?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/15/2013 | 11:08:56 AM
User education
Very interesting lessons to learn about data security from the college environment. I'm curious about how higher ed deals with the question of security awareness and user training. I would suspect that the college population is fairly tech savvy, but how careful are they? What do you do to drill in the dangers?
FTC Opens Probe into Equifax Data Breach
Jai Vijayan, Freelance writer,  9/14/2017
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.