Hacking Institutes Of Higher Learning

By Hart Brown, CORP, CBCP, CEH, CLCS, LPQ, Senior Vice President, Practice Leader, Organizational Resilience, HUB International Limited

Due to the fact that Universities and Institutes for Higher Learning have large amounts of legacy financial and health records, grant computer privileges to students with traditionally a lax security mindset, and house valuable research data hackers have taken notice. This is why higher education has become the second most targeted industry after Healthcare.

Based on how stolen data can be monetized, various types of hackers have become interested for different reasons. In some cases, it has been nation-state actors that are more interested in the research data such as with the recent case of the Russian hacker known as Rasputin. In other cases, it has been an individual who was able to change passwords of email accounts or a disenfranchised student assistant who was terminated but maintained access to the system.

For those hackers not interested in the data, ransomware attacks are beginning to find their way to Universities with some having to pay the price to gain back control of the systems. Denial of service attacks have been found recently where corrupted vending machines and internet connected lights were used to disrupt the network from within. Hackers reportedly even managed to access a University comptrollers credentials and then affected a wire transfer of 1-Million dollars.

But what can be done?
Continual news seems to highlight a breach almost every day, pushing people to the point of ?breach fatigue? and a feeling of hopelessness. From a liability standpoint —with all of the breaches— it is becoming almost impossible to determine which breach caused a victim to be targeted for fraud and thus lead organizations to disregard the value of protection.

The reality is that the defense of information is not only important from a regulatory and reputational standpoint, but data protection is becoming commoditized in its own way. Those that can protect data have a potential advantage in the competitive market for students, parents, researchers and donors.

The first step ?and at times the most difficult? is to be able to answer the financial question of what does a potential breach really cost and how much can we spend in security. This involves statistically modeling the breach events in conjunction with the specific IT infrastructure of the University. Only then will administrators be able to determine the best ways to mitigate the risks through investments, insurance, and other forms of risk transfer.

Once this is understood, a health check of the current policies, procedures, and infrastructure can be conducted to identify potential gaps related to best practices. This process has benefits for both the IT operations as well as the administration. By ensuring reasonable measures are being incorporated —in comparison to benchmarks— liability toward the University as a whole can be better managed.

Based on the fact that the hackers appear to be winning the security race at the moment, it becomes imperative to plan for the worst. Developing cyber incident and breach response plans are a necessity, as decisions need to be made quickly and the consequences can be heavy if the first few steps are incorrect. Plans should be crated for loss of personal data, financial information, critical applications, websites, databases, and research as well as for specific attacks such as denial of service, ransomware, email compromise, and credential harvesting. These plans should also be tested in live exercises to ensure understanding and compliance under stress.

Developing standardized structures can be critical as 25% or more of modern breaches start with a vendor being infiltrated first.

Conducting due diligence on vendors and supporting operations has long been built into the decision making processes for large contracts. However with so few understanding these risks, due diligence for third parties providing cyber equipment, services, applications, and data sharing has not been fully integrated. Developing those standardized structures can be critical as 25% or more of modern breaches start with a vendor being infiltrated first. It is no wonder why Rasputin was able to breach 35 institutes for higher learning through vulnerable web apps that were not developed with security in mind.
Finally, training and awareness needs continued advancement as fast as the trends in the attacks change. The more management can move beyond a compliance training mentality to actual education, the better the level of the system-wide protection will be.

Even though many people like to hope for the best, with Universities focusing on education only and considering the attack surface for hackers is constantly growing with students and network access points, targeting of these institutions will continue. While there have been some high profile arrests of attackers, they are too few and far between to be an effective deterrent. The rewards for a successful attack can be high with the risks relatively low.

By establishing a security first mindset alone can help reduce a potential breach by 29%.

The best way to establish a level of protection is to ensure there is a security mindset and a preparedness effort for all administrators, faculty, students, staff, and vendors involved. By establishing that mindset alone can help reduce a potential breach by 29%. By advancing that mindset to involve financial assessments, health checks, due diligence, and training provides institutions with a way to manage the overall cyber risk.

About The Author:
Hart-Brown-Cybersecurity
Hart S. Brown, Vice President of Organizational Resilience for HUB International?s Risk Services Division, has nearly 20 years experience in security, crisis management, emergency management and business continuity. A former Program Director for the US Department of State, Brown received an Award of Appreciation from President George W. Bush. He is a widely published security expert and frequent contributor to HUB?s Crisis Management Center blog.

Source: hubinternational.com
0 Comments