Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

11/15/2013
08:00 AM
Paige Francis
Paige Francis
Commentary
50%
50%

Higher Ed Must Lock Down Data Security

Higher education rivals only the healthcare industry in housing personally identifiable data. Consider these tactics for smart planning.

Current trends show that higher education is a prime target for a data security attack. Why? Because education is all about data -- student, financial aid, administrative, syllabi, curriculum, assessment, grades, and much, much more. Higher ed rivals only the healthcare industry in housing personally identifiable data.

Combine massive amounts of data with disruptive technologies like cloud computing, MOOCs, streaming video, flipped classrooms ... all are innovative, but all are resource hogs that transmit large amounts of university data across its network.

Throw in the recent reports showing students now boast an average of seven personal wireless devices each. You might ask, "Is it a university's responsibility to provide a competitive wireless environment for so many devices per student?" The easy answer is yes. Suddenly a collective hum, "More, more, more ... How do you like it? How do you like it?" In the world of IT departments, this is the overarching status in serving our campuses.

What is the impact of massive data, new technology trends, and increased mobility in higher ed? At Fairfield University, we have noticed a very real impact, including an increase in phishing attempts, malicious international attacks on our servers, and receipt of direct threat email messages (up to 1.2 million per week).

[ Security concerns are just one reason the cloud may not be right for all institutions. Read Higher Ed's Cloud Computing Forecast: Stormy. ]

Bottom line: Massive data crossing endless connections across a variety of increasing and decentralized devices naturally evolves into a target for attack. In retaliation, here are three initiatives you should tackle to impede security attacks in higher ed.

What's your plan, Stan?

If there's no technology-specific strategic plan in writing, a department's vision almost doesn't count. Think about it. A non-IT person is generally not interested in the nuts and bolts of building a secure technology environment. Dust off the overarching strategic plan for the college or university and consume it. Note the top strategies. If the plan has been refreshed within the past decade, you might even notice that each strategy is likely dependent in some way on technology. That is a win.

Start to map out a technology vision that complements your campus. Is campus technology centralized on your campus? If not, what's keeping that from happening? A centralized technology presence is optimal for security initiatives. Why? Fewer hands in the cookie jars -- and fewer cookie jars overall -- reduce risk. Make sure the technology strategic plan spells out a focus on security. This will be helpful later.

Identify the kryptonite to your network

Where are the holes and weak spots? What will bring this invisible network to its knees? The network foundation is as riveting as it sounds, but it's more crucial than any component on the campus and now more than ever. Is your infrastructure sound, solid, and beefed-up enough to support the inevitable growth and demand of network service over the next decade? This isn't about having 100 times the amount of bandwidth you currently need on your campus today. It's about having the bones to support an increase of that magnitude annually and exponentially over the next decade.

Is there wired where you envision needing wireless? Are the access points already stretched thin? Are the pipes adequate for now but likely to be maxed out in next academic year? Now is the time to plan those large-scale, unsexy, and truly expense-hogging overhauls. How will this ever be funded? Well, it's in the technology strategic plan. Get your plan together for technically aggressive, budget-manageable improvements over the next two, five, and 10 years. Once the infrastructure is confirmed at a minimum "not high risk," invest in hardware and software that empowers real-time system interaction -- who is attacking and from where? University leadership is impressed by statistics, dashboards, and real-time risk factors. These items provide a layer of knowledge, pinpointing where safeguards need to be placed.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 1:04:13 PM
Re: User education
I'm fairly new to this university, however it is important to continually share information/knowledge about the very real risk involved with data security. I try to pass along particularly non-jargonized articles to our Educational Technologies Committee as well as to our Administrative Technologies Committee, share data with our Board, post tips/tricks in our monthly newsletter and, as opportunity arises, SPEAK about the dangers and precautions. Students are super savvy, faculty and staff run the gamut for tech proficiency but we take that more as a challenge to teach/share. Unfortunately, we make technology oftentimes look 'easy' so the complexity and true risk isn't fathomable to many. We speak it, we prevent it from happening therefore there ARE individuals that question any real existence of risk.
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 12:56:53 PM
Re: Student threat?
Quite a bit David. One of my inner monologues involves the phrase 'it only takes one student' on high-volume, repeat. On the one hand, should any managed 'certified ethical hacking' effort result in a breach, I hope we hear about it. The bored/curious student with time on his/her hands? As a former programmer I 'get' the challenge aspect of testing out those skills. We are continually monitoring ALL network traffic, internal traffic as well.
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/15/2013 | 11:52:33 AM
Student threat?
How much do you worry about the threat from within, the students testing out their hacking skills, either experimentally or maliciously?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/15/2013 | 11:08:56 AM
User education
Very interesting lessons to learn about data security from the college environment. I'm curious about how higher ed deals with the question of security awareness and user training. I would suspect that the college population is fairly tech savvy, but how careful are they? What do you do to drill in the dangers?
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...