Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

11/15/2013
08:00 AM
Paige Francis
Paige Francis
Commentary
50%
50%

Higher Ed Must Lock Down Data Security

Higher education rivals only the healthcare industry in housing personally identifiable data. Consider these tactics for smart planning.

Assess what everyone sees

What is connecting to the network and transmitting data? You need to identify the ancillary, one-off applications on your campus. In a post on NetworkWorld.com's Community site, Jon Oltsik writes, "[software vulnerabilities result from] 1) internally-developed software where developers may lack the skills or motivation to write secure code, and 2) Web applications where rapid development and functionality trump security concerns."

In higher education, homegrown products are often the result of a lack of service provided, perceived or actual. Security risks need to be eliminated, and redundant applications should be brought into the fold of large-scale enterprise systems -- if there is any question about it, it is not worth the risk.

Easy as 1-2-3? Sure, as long as you present a strong strategic plan alongside continuous communication with your campus community on why the focus on security needs to be pervasive. Some may ask, "So what's the big deal? Has there actually been a breach?" It's about risk. Every effort needs to be made to mitigate the risk against a security breach. It's also about cost. According to the Ponemon Institute, the average cost per compromised record in an education environment is $142.

And that represents only the immediate dollar cost. A security breach may affect student retention, enrollment, and general confidence in campus security. If we as an educational institution fail to keep our data safe, how safe are our students? Those thoughts cross the minds of concerned parents.

The technology forecast looks more exciting than ever. But with increased efficiency, service, and connectivity comes increased risk. Batten down the hatches today for smoother sailing in the future.

Database administrators are the caretakers of an organization's most precious asset -- its data -- but rarely do they have the experience and skills required to secure that data. Indeed, the goals of DBAs and security pros are often at odds. That gap must be bridged in order for organizations to protect data in an increasingly threat-ridden environment. In the Dark Reading How Enterprises Can Use Big Data To Improve Security report, we examine what DBAs should know about security, as well as recommend how database and security pros can work more effectively together. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 1:04:13 PM
Re: User education
I'm fairly new to this university, however it is important to continually share information/knowledge about the very real risk involved with data security. I try to pass along particularly non-jargonized articles to our Educational Technologies Committee as well as to our Administrative Technologies Committee, share data with our Board, post tips/tricks in our monthly newsletter and, as opportunity arises, SPEAK about the dangers and precautions. Students are super savvy, faculty and staff run the gamut for tech proficiency but we take that more as a challenge to teach/share. Unfortunately, we make technology oftentimes look 'easy' so the complexity and true risk isn't fathomable to many. We speak it, we prevent it from happening therefore there ARE individuals that question any real existence of risk.
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 12:56:53 PM
Re: Student threat?
Quite a bit David. One of my inner monologues involves the phrase 'it only takes one student' on high-volume, repeat. On the one hand, should any managed 'certified ethical hacking' effort result in a breach, I hope we hear about it. The bored/curious student with time on his/her hands? As a former programmer I 'get' the challenge aspect of testing out those skills. We are continually monitoring ALL network traffic, internal traffic as well.
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/15/2013 | 11:52:33 AM
Student threat?
How much do you worry about the threat from within, the students testing out their hacking skills, either experimentally or maliciously?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/15/2013 | 11:08:56 AM
User education
Very interesting lessons to learn about data security from the college environment. I'm curious about how higher ed deals with the question of security awareness and user training. I would suspect that the college population is fairly tech savvy, but how careful are they? What do you do to drill in the dangers?
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.