The lone-wolf hacker creating nuisance viruses in a basement has been replaced by sophisticated foreign governments and organized crime rings as the top cybersecurity threat to colleges and universities.
Today’s hackers are now being deployed around the clock to steal intellectual property, sensitive research, and personal information, potentially costing colleges and universities millions of dollars and badly damaging their reputations.
“The landscape of who the attackers are has changed significantly,” says Mark Nardone, director of IT security for Northeastern University in Massachusetts. “We’re not in the ’80s, where it’s hobbyists coming after systems for a kind of self-gratification or bragging rights. Now we have people coming after resources that have tangible financial worth attached to them.”
(Related UBTech presentation: Threat Assessment.)
Among the higher education cyberattacks that have occurred recently are crime rings stealing vast amounts of credit card numbers; governments of China, Russia, and elsewhere trying to infiltrate nuclear research databases; and students hacking the registrar’s office to change grades.
Higher education is particularly vulnerable because—in contrast to hacking targets like banks—college and university computer networks have historically been as open and inviting as their campuses, says Fred Cate, director of the Indiana University Center for Applied Cybersecurity Research.
“We want our faculty and our students and our public and our donors to connect pretty easily to us,” says Cate, also a professor who teaches courses on information privacy and communications law.
But serving as a “cyberguardian” for those groups and the institution itself is also a logical goal. Here’s why cybersecurity should be top-of-mind for officials—and what kinds of protections can be put in place.
Passwords and policies
The defenses that universities can deploy against cyber-attacks range from the glaringly obvious—changing passwords—to the expensive and complex, such as building ultrasecure research facilities that keep the most sensitive computer systems safe from the open range of the internet.
- Advanced Cyber Security Center
- Center for Applied Cybersecurity Research
- Click Security
- Cyberoam Americas
- ForeScout Technologies
- Kapersky Labs
- RIT's Golisano College of Computing and Information Sciences
- Pace University's Seidenberg School of Computer Science and Information Systems
- ThreatTrack Security
As a first line of security, administrators should set policies that control access to computer networks and safeguard the flow of information. For instance, they might mandate that student records are always encrypted, limit which employees can access this information, and bar it from being downloaded to less secure devices like thumb drives.
Colleges might also consider prohibiting staff from using popular services like Dropbox to transfer student records and other sensitive information, says Jonathan Rajewski, assistant professor of digital forensics at Champlain College in Vermont.
“All it takes is one thumb drive, one hard drive, that gets lost that can cost you millions of dollars in sanctions from the attorney general,” he says.
Cate says more sensitive parts of an institution’s network should require “multifactor authentication.” A user might have to enter a password, answer a separate question, and verify fingerprints or pass a retinal scan. Users also could be required to have a “token,” such as a USB key or card with a magnetic strip.
Indiana University provides “state-of-the-art” antivirus software to users of its network and also will scan new students’ computers to make sure security software is up to date, Cate says. “We treat it as a risk-management issue just like any other risk management issue. That’s not the case in many universities.”
Social media sneaks
What many hackers attempt to do these days is infiltrate a computer system and install a piece of malware that can give them control of the network or allow them to extract data. And it’s now common for hackers to try to break into computer systems by gathering intelligence about an institution’s employees and users.
That’s where social media and the openness of the internet can be a big problem, says Darren Hayes, an assistant professor at the Seidenberg School of Computer Science and Information Systems at Pace University in New York.
“With government-sponsored attacks, these happen over time, so they have staff who can spend a lot of time working on reconnaissance about different organizations,” says Hayes. “Lots of organizations, including universities, don’t often realize how much information they give out on the internet.”
For example, an institution may post an IT job opening on Monster.com or its own website that lists the computer systems, hardware, or software that candidates must know how to use.
“If their post says a candidate needs to be an expert on the IBM 5700, suddenly somebody knows they have an IBM 5700 and they know the vulnerabilities of that system,” Hayes says.
Members of an institution’s IT department may have a LinkedIn profile that lists their employer, position, and the hardware and software at which they are proficient. Also, IT staff may use internet forums to ask industry colleagues for help fixing a computer system. This provides hackers more valuable clues about an institution’s network, Hayes says.
But colleges and universities may not even be aware of the most sophisticated attacks until they are already well underway. Therefore, institutions need IT staff with a new range of “cyberforensic” skills to identify the virtually microscopic changes in a computer network that indicate an infiltration. “It can be something as simple as a couple of lines of code changed in a registry file,” says Hayes. “We’re talking about very, very small changes that traditional security tools do not pick up.”
‘Spear phishing’ threat
Remember those badly worded emails announcing the recipient had won some exotic lottery and all that was necessary to collect the fortune was to wire a few thousand dollars to some obscure bank account?
That somewhat primitive technique was calling “phishing,” but social media has helped it evolve into a much more sophisticated and deceptive weapon called “spear phishing,” says Nardone, of Northeastern.
“Spear phishing is a much more precise method. They’ll take your name, look you up on Facebook, and do research to find out where you live. They’ll used LinkedIn to see what your job is, who your friends are,” he says.
“They’ll try to craft a communication that looks so legitimate that you’ll actually fall for it and you’ll click on a link or download an attachment, and before you know it, your computer is compromised.”
These links and attachments can download malware onto an individual computer to steal passwords that can give the hacker access to the entire college network. Hackers can then download malware to steal information or use a college or university’s powerful computer system to launch an even bigger attack.
“If they’re not interested in what a university can provide, they may want the assets of a university to carry out an attack on other targets, or transfer data through university networks,” explains Jonathan Maurer, information security officer at Rochester Institute of Technology.
A hacker, for instance, could take over a staff member’s university email account and use it to send thousands of pieces of spam that will get past filters because they appear to be coming from a legitimate sender, Maurer says.
At Northeastern, when a spear phishing email begins circulating, the IT department will attempt to notify the entire university quickly through social media and other means. If campus users fall prey to a spear phishing attack, they can notify the IT department, which can block the infected computer or account.
Faculty, students, and others use a variety of devices to connect to campus networks. Smartphones and other mobile devices are another easy target for hackers because they are not nearly as secure as the computers in the institution’s data center—or even the owner of the phone’s laptop.
“If you think about the technology the average human carries with them, the phone has by far the worst security,” says Cate, of Indiana University. Phones have less computing power and users often don’t want to install security that can use up memory and drain the battery, he adds.
Phone hacking software, which hackers can use to steal passwords and other personal information, can be found online for as little as $79. Even scarier, hackers targeting a certain individual, such as a senior university administrator, could find out that person’s location through a phone.
Hackers also could take over a phone’s audiovisual capabilities, Cate warns. “Imagine if somebody accesses the president’s phone and turns on the camera and microphone without his or her knowledge?”
Users can make their phones even less secure by hacking them themselves, a technique known as “jailbreaking.” Users do this to download applications barred by the phone’s manufacturer. It’s especially problematic when, for example, users forgo paying Google $1.99 for an Android app (such as a game) but download it from a dubious “third-party site,” says Hayes.
“The game may play perfectly, but they don’t realize the phone is transmitting information somewhere else, outside of the U.S.”
Phones, of course, also are easy to lose or steal.
“Sometimes, IT administrators will have remote access to servers from their phones,” Hayes says. “If somebody loses a phone, or has a phone stolen, it’s a tremendous access point for anybody trying to steal information.”
Defending the defenses
Some of the cutting-edge defenses against cyberattacks are being developed by research universities. This research is also a target of cyberthieves and is getting special protections, explains David Luzzi, executive director of the Strategic Security Initiative at Northeastern’s Advanced Cyber Security Center.
For example, a few years ago, one leading research university developed new cryptography technology. But “the bad guys” had adopted it before it had even been approved by the national agency that sets standards for such technology, Luzzi says.
Hackers discovered and co-opted the technology after it was published for open comment. Universities are now being more careful with how such research is published, Luzzi says.
“We may describe the breakthrough, we may describe the general area,” he says. “But we will not describe enough information so that bad guys know how it’s implemented.”