Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

11/15/2013
08:00 AM
Paige Francis
Paige Francis
Commentary
50%
50%

Higher Ed Must Lock Down Data Security

Higher education rivals only the healthcare industry in housing personally identifiable data. Consider these tactics for smart planning.

Current trends show that higher education is a prime target for a data security attack. Why? Because education is all about data -- student, financial aid, administrative, syllabi, curriculum, assessment, grades, and much, much more. Higher ed rivals only the healthcare industry in housing personally identifiable data.

Combine massive amounts of data with disruptive technologies like cloud computing, MOOCs, streaming video, flipped classrooms ... all are innovative, but all are resource hogs that transmit large amounts of university data across its network.

Throw in the recent reports showing students now boast an average of seven personal wireless devices each. You might ask, "Is it a university's responsibility to provide a competitive wireless environment for so many devices per student?" The easy answer is yes. Suddenly a collective hum, "More, more, more ... How do you like it? How do you like it?" In the world of IT departments, this is the overarching status in serving our campuses.

What is the impact of massive data, new technology trends, and increased mobility in higher ed? At Fairfield University, we have noticed a very real impact, including an increase in phishing attempts, malicious international attacks on our servers, and receipt of direct threat email messages (up to 1.2 million per week).

[ Security concerns are just one reason the cloud may not be right for all institutions. Read Higher Ed's Cloud Computing Forecast: Stormy. ]

Bottom line: Massive data crossing endless connections across a variety of increasing and decentralized devices naturally evolves into a target for attack. In retaliation, here are three initiatives you should tackle to impede security attacks in higher ed.

What's your plan, Stan?

If there's no technology-specific strategic plan in writing, a department's vision almost doesn't count. Think about it. A non-IT person is generally not interested in the nuts and bolts of building a secure technology environment. Dust off the overarching strategic plan for the college or university and consume it. Note the top strategies. If the plan has been refreshed within the past decade, you might even notice that each strategy is likely dependent in some way on technology. That is a win.

Start to map out a technology vision that complements your campus. Is campus technology centralized on your campus? If not, what's keeping that from happening? A centralized technology presence is optimal for security initiatives. Why? Fewer hands in the cookie jars -- and fewer cookie jars overall -- reduce risk. Make sure the technology strategic plan spells out a focus on security. This will be helpful later.

Identify the kryptonite to your network

Where are the holes and weak spots? What will bring this invisible network to its knees? The network foundation is as riveting as it sounds, but it's more crucial than any component on the campus and now more than ever. Is your infrastructure sound, solid, and beefed-up enough to support the inevitable growth and demand of network service over the next decade? This isn't about having 100 times the amount of bandwidth you currently need on your campus today. It's about having the bones to support an increase of that magnitude annually and exponentially over the next decade.

Is there wired where you envision needing wireless? Are the access points already stretched thin? Are the pipes adequate for now but likely to be maxed out in next academic year? Now is the time to plan those large-scale, unsexy, and truly expense-hogging overhauls. How will this ever be funded? Well, it's in the technology strategic plan. Get your plan together for technically aggressive, budget-manageable improvements over the next two, five, and 10 years. Once the infrastructure is confirmed at a minimum "not high risk," invest in hardware and software that empowers real-time system interaction -- who is attacking and from where? University leadership is impressed by statistics, dashboards, and real-time risk factors. These items provide a layer of knowledge, pinpointing where safeguards need to be placed.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 1:04:13 PM
Re: User education
I'm fairly new to this university, however it is important to continually share information/knowledge about the very real risk involved with data security. I try to pass along particularly non-jargonized articles to our Educational Technologies Committee as well as to our Administrative Technologies Committee, share data with our Board, post tips/tricks in our monthly newsletter and, as opportunity arises, SPEAK about the dangers and precautions. Students are super savvy, faculty and staff run the gamut for tech proficiency but we take that more as a challenge to teach/share. Unfortunately, we make technology oftentimes look 'easy' so the complexity and true risk isn't fathomable to many. We speak it, we prevent it from happening therefore there ARE individuals that question any real existence of risk.
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 12:56:53 PM
Re: Student threat?
Quite a bit David. One of my inner monologues involves the phrase 'it only takes one student' on high-volume, repeat. On the one hand, should any managed 'certified ethical hacking' effort result in a breach, I hope we hear about it. The bored/curious student with time on his/her hands? As a former programmer I 'get' the challenge aspect of testing out those skills. We are continually monitoring ALL network traffic, internal traffic as well.
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/15/2013 | 11:52:33 AM
Student threat?
How much do you worry about the threat from within, the students testing out their hacking skills, either experimentally or maliciously?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/15/2013 | 11:08:56 AM
User education
Very interesting lessons to learn about data security from the college environment. I'm curious about how higher ed deals with the question of security awareness and user training. I would suspect that the college population is fairly tech savvy, but how careful are they? What do you do to drill in the dangers?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...