Uncategorized  |  April 2016

Colleges and Universities as Prime Cyberattack Targets: Behind the Threat

by Eric Packel
DOWNLOAD         
When it comes to cyberattack targets, many think of retailers and associated credit card transactions or customer information, or perhaps healthcare providers with their ever-increasing storage and transmission of electronic information related to patients. But colleges and universities are increasingly under siege from hackers.

In fact, the education sector, according to recent reports, comes in third place, right after the healthcare and retail sectors, in the number of security breaches. Many universities conduct sophisticated research, whether in engineering, the sciences, or other disciplines. Schools can be a proving ground for new or emerging technologies and innovation. These sophisticated research programs often partner with U.S. government agencies or industry.

Accordingly, schools can serve as a beachhead for other nations and foreign companies seeking to gain competitive advantages, whether economic, political, technological, or militarily. By hacking into university systems, not only can the attackers gain access to sensitive data held by the schools, but those systems can also be used as a jumping point into government computers or corporate networks.

Recent statistics reveal that from 2006 through 2013, over 500 universities reported a data breach (and many more attacks may have been unreported). The trend continues in 2015-2016, when already hackers have targeted large universities in Pennsylvania, Virginia, and Connecticut. In the Pennsylvania incident, over 18,000 students and faculty were affected. So what is behind the targeting of educational institutions?

Hackers Misusing Open Environment of College Campuses

According to an FBI white paper titled “Higher Education and National Security,” the systems and open environment of U.S. college campuses may be misused in order to:

  • Steal technical information or products
  • Bypass expensive research and development
  • Recruit individuals for espionage
  • Exploit the student visa program for improper purposes
  • Conduct computer intrusions
  • Collect sensitive research

So hackers, typically working for foreign companies or governments, can help save vast sums of money and development time, by stealing critical research information. A foreign company can then use the stolen data to produce products, but at a much lower cost when competing with the U.S. product, since it did not have the same R&D costs.

This is not only potentially harmful for U.S. businesses, but it also impacts the bottom-line of universities since it may reduce revenue received through patents and technology transfers, and also may result in reduced grants for research and other sources of funding, not to mention potential damage to the university’s reputation. In other words, by letting hackers in to steal technical research information, funding organizations may equate that to their own money being thrown out the window.

Internal and External Threats

These threats can be internal as well as external. According to the FBI, foreign businesses may also send their own employees as students in order to obtain information valuable to their company. These individuals appear to be typical students, and do not disclose that they are actually employed with a foreign company.

The FBI’s white paper reports that attackers use various methodologies to conduct computer intrusion, including sending phishing emails with malware attached and exploiting social networking sites. Computer hackers, including foreign governments, are capable of breaching firewalls and exploiting vulnerabilities in software used by universities. According to the FBI, U.S. universities receive large numbers of unsolicited requests for information and millions of hits on their Web servers on a daily basis.

To combat these trends, colleges and universities should look to strengthen the security of their networks and deploy sophisticated monitoring and auditing tools. Schools should also be prepared to respond to the inevitable data breach by identifying where sensitive information is stored, prioritizing resources to protect that information, documenting an incident response plan, and rehearsing response strategy and scenarios with their incident response team.

Hackers Moving Freely

And it is not just research or industrial secrets that are of concern. Once attackers are inside the school’s network, they may be able to move freely within it, accessing other systems that contain student, faculty, and staff information such as Social Security numbers, credit card information, and even academic records. Of course, access to this information can run afoul of federal regulations, such as the Family Educational Rights and Privacy Act (FERPA) as well as numerous state data breach notification laws.

Although schools may be difficult targets to defend due to the open nature of campuses and less strict control over hardware and software that students and faculty use, in the wake of a data breach regulators will still look to see that schools had in place appropriate technological and administrative safeguards to protect sensitive information.

In order to help strengthen their networks and defend against potential intrusions, schools should invest in periodic risk assessments to determine where sensitive information is maintained and what vulnerabilities may exist. At a minimum, administrators should set policies that control and limit access to computer networks and ensure that appropriate safeguards are in place for information both at rest (stored on systems) and while in transit. Administrators can mandate that sensitive information, such as critical research information, as well as personal information relating to students and employees, is encrypted.

Finally, when the inevitable data breach does occur, colleges and universities should be prepared to respond efficiently and quickly with an incident response plan that is already in place and that has been tested via practice scenarios. The incident response plan should identify key participants, including legal, compliance, IT and other relevant stakeholders from the organization and provide key information and resources the team can use to contain, mitigate and respond to a cyber attack.

DOWNLOAD         
About the Author
Eric Packel is a partner with BakerHostetler in Philadelphia. He focuses his practice on privacy, data security, and technology issues. Eric has significant experience counseling corporations, healthcare providers and other entities on compliance with data breach notification laws, as well as assisting with data incidents.
Related Articles in Uncategorized

Green Initiatives: Complement LEED Certified Buildings with these Eco-friendly Practices

The Industrial Revolution, which spans from the 1760s through the early 1900s, brought major technological changes to the planet. The shift from small-scale farming, handmade goods, and travel by horse and foot to mass food production, manufacturing, and locomotives greatly increased accessibility for products and ease of movement around the vast United States and across the globe. However, environmental pollution and disruptions of the landscape are continued nasty side effects. Coal burning factories, steam engines, and internal combustion cars produced dense smog in many early 20th century cities and continue to pollute today. Railways, dirt or cobblestone roads, and city construction have resulted in the loss of forests, prairies, and other natural landscapes. 

A Way Forward: Biophilic Design and Sustainable Flooring in Higher Education Facilities

The Youghiogheny River—or the Yough, as it is commonly called—extends its reach from the west side of the Allegheny Mountains in southwest rural Pennsylvania, down through the southwestern corner of Maryland, until it crosses the border into West Virginia, where its waters are absorbed by the tributaries of the Mississippi. At the northernmost point of the Yough, along a five-mile stretch of water and rocks and steep plateaus called Bear Run, Frank Lloyd Wright designed Fallingwater in 1935. He was hired by the Kaufmanns, a prominent Pittsburgh-based family that desired a remote vacationing spot in Pennsylvania. Upon the building’s completion in 1938, Wright would land the cover of Time, posing with his illustration of Fallingwater. Nearly seventy years later, Smithsonian would include Fallingwater among its “Life’s List Of 28 Places to Visit Before You Die.”

New Construction or Renovation: Which is Greener?

As the climate crisis accelerates, students are expressing their desires for a campus experience that embraces a culture of sustainability. Research shows that a college or university’s sustainability strategy can make a major difference in recruitment. The Princeton Review, for example, found that 74% of its 2022 survey respondents said that a college’s commitment to the environment would contribute to their decision about whether to apply to or attend the school. Higher education institutions are responding in kind.

Bates College The Thrill of the Chase (Hall, That Is)

Bates College’s Chase Hall is beloved, iconic, historic, but user-friendly? Well, probably not, thanks to unwelcoming entrances and a confounding interior layout that involved nine floor levels and multiple additions, all stitched together by a labyrinth of corridors and stairways. A plan is now in motion, however, to address these challenges. In May 2022, Bates closed Chase and began a substantial renovation involving as much as half of the building’s floor space, as well as a systems upgrade and plenty of cosmetic work. This will be the sixth addition or substantial renovation in the building’s 102-year history, according to the project announcement.

Six Ways to Future-Proof a College’s Security Investments

Keeping students and faculty safe on college campuses is a top priority for every education administrator. Investing in security solutions such as access control, video surveillance, and analytics can provide peace of mind and help protect the campus. However, these investments often require substantial costs. This article discusses six tips for ensuring that school security investments remain relevant in the future.

Energy Management for Private Universities

Energy management is a critical issue for private universities as they aim to maintain a balance between energy consumption, cost control, and environmental sustainability. With the increasing cost of energy, the need for effective energy management in these institutions is more pressing than ever. Private universities can benefit significantly from energy management practices by reducing energy consumption, reducing costs, and improving their overall sustainability profile. Implementing an energy management plan can help institutions identify areas of energy waste, reduce energy consumption, improve energy efficiency, and ensure compliance with environmental regulations.
MORE
March 2024 Issue Now Available
Subscribe for Free
Available in Print & Digital Editions