Parents have plenty of things to worry about when they send their kids off to college: money, physical safety, their happiness, empty-nest syndrome, their future. Do they now have to worry about identity theft and data security, too?
In a word, yes. Colleges and universities have been the target of phishing scams for years. And while they continue to get better at dealing with information security threats, the ways our institutions of higher learning defend themselves against cybercriminals are as myriad as the forms of cyberattacks they face.
As with most hackers, the motivation of these social engineering scammers has ranged from financial gain to accessing secure data and research information. Analyzing the tactics, techniques and procedures (TTPs) of cybercriminals will help institutions understand who is targeting them, what the criminals want, and the methods they will likely use to gain unauthorized access.
But understanding the tactics and techniques of hackers doesn’t always mean that their procedures can be detected. The higher education phishing scam of 2014 demonstrated the savvy methods behind some of these breaches.
The perpetrators had created sophisticated replicas of the university logos and used a range of salary-specific messages in the subject lines, which led to many employees believing that the messages were from a trusted source.
Hundreds of employees at academic institutions across the country had unwittingly invited criminals into their networks. Accepting as true that their employers were requesting their banking information, they shared private data that allowed the criminals to access their bank accounts and steal their paychecks.
Many institutions were able to thwart what could have been a greater disaster because of the shared security information they received. “Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) is a commonly relied-upon source of information for the higher ed sector,” says Steve Nyman, CISO at Dartmouth College.
According to the EDUCAUSE Center for Analysis and Research (ECAR), which provides research and analysis about information technology in higher ed for IT professionals and higher ed leaders, the willingness of colleges and universities to share security and breach information helps to reduce the number of stolen records.
Culture of openness can be costly
“Many speculate that higher education’s culture of openness and transparency encourages breach reporting by institutions, even when such reporting is not legally necessary. This culture does not exist in other industry sectors, where breach reporting could damage an organization’s ability to be competitive in that industry,” notes a 2014 ECAR report “Just in Time Research: Data Breaches in Higher Education.”
“As an industry, education has some of the lowest counts of records exposed per breach incident — the number of reported breaches in the education industry does not mean more records containing personally identifiable information are being compromised,” the ECAR report states.
This culture of openness is encouraged by the Higher Education Information Security Council (HEISC), a group established in 2000 to support communication and coordination for higher education. A volunteer organization, “HEISC accomplishes this work through volunteer groups supported by professional EDUCAUSE staff, as well as collaborations with other organizations that address information security and privacy in higher education,” according to its charter.
Learning to share
Conferences are another way that colleges and universities work to share knowledge and best practices with each other. Dartmouth College and many other institutions sponsor one each year, bringing in speakers on a variety of security topics to help foster the kinds of relationships institutions need to defend against threats.
Engaging in these professional conversations about infrastructure and methods of authentication helps higher ed CIOs and CISOs determine the best practices for their institutions. One ongoing conversation around authentication continues to shape the direction that universities are taking with user login credentials.
Dartmouth College has been using both knowledge-based authentication (KBA) and two-factor authentication (2FA) for quite some time, but only a small subset of the total campus uses 2FA. “KBA is less intrusive on individuals, and it’s appropriate to secure most information,” Nyman says.
For access to more confidential information, though, users must use two-factor authentication. “We are building our infrastructure so that we can deploy two-factor more broadly if we feel we need to,” says Nyman.
Colleges and universities “share threats about phishing, what the messages will look like, or where a lot of threats are coming from,” said Quinn Shamblin, CISO at Boston University, when he presented at the CIO Summit Boston hosted by CDM Media in early June.
Informing cohorts about potential risks doesn’t require revealing every detail of a breach.
“While the number of records stolen or specific information about sensitive issues or anything that might have litigation implications is not shared,” Shamblin said, higher education security administrators will report such incident data as an increase in the volume of attacks emanating from a specific region.
Exchanging information allows these institutions to develop better security incident management response plans because they have a heightened knowledge of TTPs. As Shamblin pointed out, “the BU response triage includes analysis of incoming information that will direct responses.”
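The sharing model described above (report regional attack volume and lure themes to peers, withhold record counts and anything with litigation implications) can be expressed as a small report builder. This is an added example, not code from the article or from any institution named in it; the incident records, the weekly baseline and the theme patterns are constructed sample data.

```python
"""Build a shareable phishing-threat summary from internal incident records.

Added example with constructed data; not the tooling of any real institution.
"""
from collections import Counter
import re

# Fields that stay in-house: record counts and anything with litigation implications.
WITHHELD_FIELDS = {"records_exposed", "litigation_note", "affected_users"}

# Constructed sample of one week's internal phishing incident records.
INCIDENTS = [
    {"source_region": "RegionA", "subject": "Salary Adjustment Notice - Action Required",
     "records_exposed": 12, "litigation_note": "counsel reviewing", "affected_users": ["u1"]},
    {"source_region": "RegionA", "subject": "Updated payroll direct deposit form",
     "records_exposed": 0, "litigation_note": "", "affected_users": []},
    {"source_region": "RegionA", "subject": "Your salary increase: confirm bank details",
     "records_exposed": 3, "litigation_note": "", "affected_users": ["u2", "u3"]},
    {"source_region": "RegionB", "subject": "Library account suspended",
     "records_exposed": 0, "litigation_note": "", "affected_users": []},
]

# Constructed baseline: average weekly incidents per source region in earlier weeks.
BASELINE = {"RegionA": 1.0, "RegionB": 1.0}
SPIKE_FACTOR = 2.0  # a region "spikes" when volume reaches this multiple of its baseline

THEME_PATTERNS = {
    "payroll/salary": re.compile(r"\b(salary|payroll|direct deposit|paycheck)\b", re.I),
    "account suspension": re.compile(r"\b(suspended|locked|deactivat)", re.I),
}

def classify_theme(subject):
    """Map a subject line to a coarse lure theme; verbatim subjects are never shared."""
    for theme, pattern in THEME_PATTERNS.items():
        if pattern.search(subject):
            return theme
    return "other"

def build_shareable_report(incidents, baseline, spike_factor=SPIKE_FACTOR):
    """Aggregate incidents into a summary safe to send to peer institutions."""
    by_region = Counter(i["source_region"] for i in incidents)
    themes = Counter(classify_theme(i["subject"]) for i in incidents)
    # A region absent from the baseline has baseline 0, so any volume there is flagged.
    spikes = [r for r, n in by_region.items() if n >= spike_factor * baseline.get(r, 0)]
    return {"attacks_by_region": dict(by_region), "lure_themes": dict(themes),
            "regions_spiking": sorted(spikes)}

def contains_withheld(obj):
    """Recursively check that no withheld field name leaked into the outgoing report."""
    if isinstance(obj, dict):
        return any(k in WITHHELD_FIELDS or contains_withheld(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_withheld(v) for v in obj)
    return False
```

Running `build_shareable_report(INCIDENTS, BASELINE)` on the sample flags RegionA as spiking and reports three payroll-themed lures without any per-incident detail.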
Incident response plans are crucial for any organization because as soon as a breach happens, people want answers. Institutions need to know who contacts whom, when and how, because in the aftermath of any breach, the reputation of an organization is at stake.
“Higher ed is a more open environment, willing to share indicators of attacks with colleagues,” Shamblin said. “But the effects are just as closely held by higher ed as any other organization.” As much as there’s a logistical response to a breach, there’s also an emotional response from stakeholders.
Knowing how to address those emotional responses can help security administrators leverage support for security, and Boston University realized in the aftermath of its breach that the community was ready to get better at security.
Shamblin instituted two-factor authentication for faculty and staff at Boston University, but he offered this advice: “Research solutions that you know you need. CISOs need to be aware of their own institutions’ weaknesses. If you can get the money for resources before something happens, do.”