BradEgeland.com

Learning from Higher Ed Security Breaches

4/8/2019

Higher education is not free from data threats and risks, whose primary targets are financial security followed by student retention. The adoption of mobile technologies by colleges and universities has contributed to an increase in malicious attacks.

Your institution should, therefore, learn and implement information security lessons from the recent security breaches affecting the other institutions.

Security Breaches in Higher Education

How Multi-factor Authentication Safeguards Admission Records

Hamilton, Grinnell, and Oberlin are the three colleges whose admissions records fell into the unauthorized hands of cybercriminals on March 7, 2019. The cybercriminals used the students’ nonpublic personally identifiable details, like hostage and birth date, to send applicant emails.

The violation was linked to Slate, software used by over 800 colleges globally to manage applicants’ information in institutions of higher learning. The software sends new applications, texts, and emails. In its defense, Slate attributed the unauthorized access to illegal entry into the colleges’ password reset systems.

The criminals took advantage of the lack of multi-factor authentication for individual sign-on systems to break into the platform. The incident placed the students' admissions at risk.

If you are a tech-savvy student who is conscious of information security, join colleges and universities with efficient, reliable cybersecurity practices.

Why Protecting Email Matters

On October 19th, 2018, the Florida Keys Community College detected a data breach which happened between May 5th and November 5th, 2018. On 27th February 2019, the college announced the breach, whose root cause was an unauthorized collection of workers' emails. The announcement followed confirmation of compromised employees’ identities on January 7th, 2019.

Some of the stolen information comprised nonpublic personally identifiable information, such as passport information, username, password, date of birth, social security number, and medical information.

The 2018 Ponemon Cost of a Data Breach Report gave 197 and 69 days as the average times taken to identify a breach and to manage it, respectively. Florida Keys Community College beat both averages, detecting the breach in 167 days and responding in 7 days, which earns a C+ for identification and an A- for immediate response.

Though the grading is a positive one, the affected parties (faculty, students, and staff) had nothing to smile about, because their sensitive personal information ended up with the cybercriminals.

To make the cyberattack successful, the criminals exploited weaknesses in the IP and domain configurations. The hackers also used vulnerabilities in the number of connections to servers and in SMTP authentication measures, coupled with a myriad of other network security problems.

How Vendor Risk Management Protects Student Records

The Stanford Daily reported that a campus student identified a vulnerability in the third-party content management system called NolijWeb. The vulnerability allowed Stanford applicants to view their Common Application forms.

Later in 2015, NolijWeb let students access their files using identification numbers as part of the records' URL. By altering a few characters, you could quickly obtain other students' information.

Stanford discovered that the system posed a potential point of attack. After the realization, Stanford disabled entry to the software and put students' online access to the application documents on hold. The documents were protected under the Family Educational Rights and Privacy Act (FERPA).

All you needed to access the site was a valid student login. Later the vendor got cleared by the regular audits. Unfortunately, neither NolijWeb nor Stanford could identify how long the vulnerabilities lived in the application.

Stanford is, however, not new to data breaches. In 2017, permissions on a university-wide file sharing system allowed all Andrew File System (AFS) users to view files meant for preparing a sexual assault case.

In the month that followed, Stanford was at it again, but now the weakness was in the Business Graduate School site. The website leaked sensitive workers' records.
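The flaw described above (a record identifier in the URL, with a valid login as the only check) and its fix can be shown side by side. This is an added example, not NolijWeb's or Stanford's code; the record store, function names, and student IDs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    student_id: str  # identity established at login

# Constructed sample store: record id -> (owner id, document)
RECORDS = {
    "1000451": ("1000451", "Common Application of student 1000451"),
    "1000452": ("1000452", "Common Application of student 1000452"),
}

class Forbidden(Exception):
    pass

def fetch_record_vulnerable(session, record_id):
    """The flaw: any valid login may read whatever id the URL carries."""
    if session is None:
        raise Forbidden("login required")
    _owner, document = RECORDS[record_id]
    return document

def fetch_record_hardened(session, record_id, audit_log):
    """Authorize the object, not just the session, and log every denial."""
    if session is None:
        raise Forbidden("login required")
    entry = RECORDS.get(record_id)
    if entry is None or entry[0] != session.student_id:
        audit_log.append((session.student_id, record_id, "denied"))
        # Same answer for missing and foreign ids, so ids cannot be probed.
        raise Forbidden("not found")
    return entry[1]

def enumeration_suspects(audit_log, threshold=3):
    """Flag logins with repeated denials, i.e. someone walking the id space."""
    counts = {}
    for student, _record_id, outcome in audit_log:
        if outcome == "denied":
            counts[student] = counts.get(student, 0) + 1
    return sorted(s for s, n in counts.items() if n >= threshold)
```

The denial log also addresses the gap the article notes: without it, neither the vendor nor the institution can say how long a flaw was exposed or whether anyone used it.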

The primary focus of all these information breaches was weaknesses tied to third-party vendors and those related to permission issues.

Four Steps to Securing Your Higher Education Data

Identify Risk

Cybercriminals will manipulate data irrespective of the stage the information is in. The data cycle has different stages, such as collection, storage, and transmission. Despite knowing the sensitive nature of the data they handle, universities and colleges still fail to perform a risk review.

Instead, the institutions convert traditional data into digital data using Software-as-a-Service enablement without caring if the platform is updated or from a new vendor.

Stanford is a perfect example: six years after 2009, it still used the NolijWeb application for its scanned document needs despite NolijWeb’s vulnerability. All this time the application denied the students access to information stored online. Stanford was, however, exposed to vulnerabilities associated with either an upgrade or installation of a new system.

For enhanced safety of your students' records, irrespective of whether you use an updated or newly integrated provider, identify and guard all points at which information gets stored, collected, or transmitted.

Secure Networks

Even with the increased use of mobile devices and a complex network architecture ranging from email servers to guest wireless and library domains, apply due diligence to secure networks and all your data by developing strong controls.

Focus on User Access and Authentication

Upon graduation, you should deny alumni access to your systems, networks, and software. Giving the graduates access magnifies the authentication threats.

Additionally, enforce multi-factor authentication in your college or university. Cybercriminals can quickly gain access from a misplaced laptop or smartphone that is left open, thus increasing malicious activity on your information. Increased use of mobile technologies by students calls for the establishment of additional measures and procedures.

Monitor Vendor Risk

How proficient is your third-party vendor in matters of information security? Use strict standards such as those you use in the admission of first years to gauge the suitability of your vendor.

Analyze your third-party service provider, especially upon identifying a threat, to see if they pose further danger to your records. If you are working with a SaaS provider who aids you in the collection, storage, or transmission of staff, student, or faculty information, make sure they do it per your institution's risk tolerance.

Also, ensure you sign service-level agreements with your vendors. The contracts should document the adequate, standard controls as well as the resultant consequences for failure to enforce and maintain the set controls.

Bottom Line

What can you learn from higher education security breaches? From their nasty experiences, learn to employ robust control systems for your organization's information system and leverage tools for higher education that help monitor and maintain your infrastructure’s data security.


    Author:


    Brad Egeland


    Named the "#1 Provider of Project Management Content in the World," Brad Egeland has over 25 years of professional IT experience as a developer, manager, project manager, cybersecurity enthusiast, consultant and author.  He has written more than 8,000 expert online articles, eBooks, white papers and video articles for clients worldwide.  If you want Brad to write for your site, contact him. Want your content on this blog and promoted? Contact him. Looking for advice/mentoring? Contact him.
