Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

11/15/2013
08:00 AM
Paige Francis
Paige Francis
Commentary
50%
50%

Higher Ed Must Lock Down Data Security

Higher education rivals only the healthcare industry in housing personally identifiable data. Consider these tactics for smart planning.

Current trends show that higher education is a prime target for a data security attack. Why? Because education is all about data -- student, financial aid, administrative, syllabi, curriculum, assessment, grades, and much, much more. Higher ed rivals only the healthcare industry in housing personally identifiable data.

Combine massive amounts of data with disruptive technologies like cloud computing, MOOCs, streaming video, flipped classrooms ... all are innovative, but all are resource hogs that transmit large amounts of university data across its network.

Throw in the recent reports showing students now boast an average of seven personal wireless devices each. You might ask, "Is it a university's responsibility to provide a competitive wireless environment for so many devices per student?" The easy answer is yes. Suddenly a collective hum, "More, more, more ... How do you like it? How do you like it?" In the world of IT departments, this is the overarching status in serving our campuses.

What is the impact of massive data, new technology trends, and increased mobility in higher ed? At Fairfield University, we have noticed a very real impact, including an increase in phishing attempts, malicious international attacks on our servers, and receipt of direct threat email messages (up to 1.2 million per week).

[ Security concerns are just one reason the cloud may not be right for all institutions. Read Higher Ed's Cloud Computing Forecast: Stormy. ]

Bottom line: Massive data crossing endless connections across a variety of increasing and decentralized devices naturally evolves into a target for attack. In retaliation, here are three initiatives you should tackle to impede security attacks in higher ed.

What's your plan, Stan?

If there's no technology-specific strategic plan in writing, a department's vision almost doesn't count. Think about it. A non-IT person is generally not interested in the nuts and bolts of building a secure technology environment. Dust off the overarching strategic plan for the college or university and consume it. Note the top strategies. If the plan has been refreshed within the past decade, you might even notice that each strategy is likely dependent in some way on technology. That is a win.

Start to map out a technology vision that complements your campus. Is campus technology centralized on your campus? If not, what's keeping that from happening? A centralized technology presence is optimal for security initiatives. Why? Fewer hands in the cookie jars -- and fewer cookie jars overall -- reduce risk. Make sure the technology strategic plan spells out a focus on security. This will be helpful later.

Identify the kryptonite to your network

Where are the holes and weak spots? What will bring this invisible network to its knees? The network foundation is as riveting as it sounds, but it's more crucial than any component on the campus and now more than ever. Is your infrastructure sound, solid, and beefed-up enough to support the inevitable growth and demand of network service over the next decade? This isn't about having 100 times the amount of bandwidth you currently need on your campus today. It's about having the bones to support an increase of that magnitude annually and exponentially over the next decade.

Is there wired where you envision needing wireless? Are the access points already stretched thin? Are the pipes adequate for now but likely to be maxed out in next academic year? Now is the time to plan those large-scale, unsexy, and truly expense-hogging overhauls. How will this ever be funded? Well, it's in the technology strategic plan. Get your plan together for technically aggressive, budget-manageable improvements over the next two, five, and 10 years. Once the infrastructure is confirmed at a minimum "not high risk," invest in hardware and software that empowers real-time system interaction -- who is attacking and from where? University leadership is impressed by statistics, dashboards, and real-time risk factors. These items provide a layer of knowledge, pinpointing where safeguards need to be placed.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
11/15/2013 | 11:08:56 AM
User education
Very interesting lessons to learn about data security from the college environment. I'm curious about how higher ed deals with the question of security awareness and user training. I would suspect that the college population is fairly tech savvy, but how careful are they? What do you do to drill in the dangers?
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/15/2013 | 11:52:33 AM
Student threat?
How much do you worry about the threat from within, the students testing out their hacking skills, either experimentally or maliciously?
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 12:56:53 PM
Re: Student threat?
Quite a bit David. One of my inner monologues involves the phrase 'it only takes one student' on high-volume, repeat. On the one hand, should any managed 'certified ethical hacking' effort result in a breach, I hope we hear about it. The bored/curious student with time on his/her hands? As a former programmer I 'get' the challenge aspect of testing out those skills. We are continually monitoring ALL network traffic, internal traffic as well.
FairfieldCIO
50%
50%
FairfieldCIO,
User Rank: Apprentice
11/18/2013 | 1:04:13 PM
Re: User education
I'm fairly new to this university, however it is important to continually share information/knowledge about the very real risk involved with data security. I try to pass along particularly non-jargonized articles to our Educational Technologies Committee as well as to our Administrative Technologies Committee, share data with our Board, post tips/tricks in our monthly newsletter and, as opportunity arises, SPEAK about the dangers and precautions. Students are super savvy, faculty and staff run the gamut for tech proficiency but we take that more as a challenge to teach/share. Unfortunately, we make technology oftentimes look 'easy' so the complexity and true risk isn't fathomable to many. We speak it, we prevent it from happening therefore there ARE individuals that question any real existence of risk.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...