Lessons Learned from Data Breaches at Universities

No industry is immune to IT security breaches. Recent breaches at Indiana University, Iowa State, the University of Maryland, and the University of North Dakota cumulatively impacted over 750,000 students, alumni, faculty and staff. Higher education institutions hold personally identifiable information, such as Social Security numbers, and that data is at risk of exposure. It may come as a surprise that a number of these significant data breaches were the result of very simple mistakes.

Lessons Learned

In the case of Indiana University, a change in the security protections for a web server inadvertently allowed the site to be accessed without the necessary authentication. A staff member of the university registrar’s office, who accessed the files in question for internal use, discovered the issue 11 months later.

At the University of Maryland, a cyber-attacker targeted a university website meant for uploading photos. The attacker uploaded a Trojan horse containing malware that found the passwords for some IT managers. Armed with those credentials, the hacker escalated privileges and accessed Social Security numbers and other personal information.

The data itself is not always the primary target. At Iowa State, systems were infected with bitcoin-mining malware. According to Jonathan Wickert, Senior VP & Provost, “We don’t believe our students’ personal information was a target in this incident…” Unfortunately, the malware exposed Social Security numbers. The University decommissioned and destroyed the compromised servers and offered the requisite credit protection to all those affected.

So what were the lessons learned?

As stated at the outset, avoiding simple mistakes such as using default passwords is a good starting point. It is solid security practice to monitor compliance with policies and harden the default configurations of all existing and new systems. Scan high-risk web applications for OWASP Top 10 vulnerabilities, and employ anti-malware, intrusion detection, and perimeter security. For a more formal and mature approach to security, consider implementing the SANS 20 Critical Security Controls. You can learn more about NopSec’s approach to helping achieve the 20 Critical Security Controls in “Whitepaper: SANS 20 Critical Security Controls”.
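The Indiana University exposure went unnoticed for 11 months, which is the kind of gap that routine monitoring of access controls is meant to close. The following is an added example, not code from the article or from NopSec: it audits web server access logs for protected paths that were served successfully without an authenticated user. It assumes Combined Log Format with HTTP-level authentication (so the user field is populated on legitimate requests); the path prefixes and log lines are constructed for illustration.

```python
import re

# Combined Log Format: the third field is the authenticated user, "-" when none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: path prefixes that policy says must always require authentication.
PROTECTED_PREFIXES = ("/registrar/", "/reports/")


def unauthenticated_hits(lines, prefixes=PROTECTED_PREFIXES):
    """Return entries where a protected path got a 2xx response with no logged user."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at their fields
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching
        if not path.startswith(prefixes):
            continue
        # A 401/403 here is the control working; a 2xx with user "-" is the regression.
        if m["user"] == "-" and m["status"].startswith("2"):
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "path": path, "status": int(m["status"])}
            )
    return findings


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - jdoe [01/Jan/2000:09:15:02 +0000] "GET /registrar/export.csv HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2000:09:16:40 +0000] "GET /registrar/export.csv HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jan/2000:02:01:11 +0000] "GET /registrar/export.csv?term=spring HTTP/1.1" 200 48213 "-" "crawler/1.0"',
    '203.0.113.5 - - [02/Jan/2000:02:01:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "crawler/1.0"',
    "garbage line",
]

if __name__ == "__main__":
    for f in unauthenticated_hits(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} was served {f['path']} ({f['status']}) without authentication")
```

Where the application uses form or single sign-on logins, the user field stays "-" for everyone, so the same check has to key on a session or identity field that the application logs.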