While we are well into November, it is always a good idea to remain vigilant concerning possible dangers discussed only recently. ThreatMetrix issued a report in early September about the top cybersecurity risks for educational institutions and students during the 2015-2016 school year. Two main trends are an increase in the frequency and scale of data breaches and increased use of mobile devices by students.
For schools like Stratford, which have floating “start dates” for their student body, this is something best kept at the forefront of their attention.
“Technology is playing an increasingly integral role in education,” said Andreas Baumhof, chief technology officer at ThreatMetrix, a company that provides context-based security and advanced fraud prevention solutions. “Students are taking online tests, using mobile devices in the classroom, and storing their personal information in the cloud. While the digital classroom concept creates additional learning opportunities for students, it also increases vulnerabilities and opens the door for fraudsters to wage attacks.”
The ThreatMetrix® Cybercrime Report: Q2 2015 analyzed more than three billion transactions and found that 31 percent of those transactions occurred on mobile devices. As consumers and educational institutions adopt mobile as an e-commerce and academic tool, that percentage, and the risks to students, are likely to grow. Students showing up to the classroom with mobile devices and tablets in hand may not know their online activities are putting them at risk of falling victim to cybercrime. Students are also likely to share information with each other online, and that puts them at greater risk.
The other trend called out by the report is the increasing incidence of attacks on universities. The report goes on to discuss breaches at Penn State and Harvard earlier in 2015. Penn State announced in May that the computer systems at its College of Engineering were hit by Chinese hackers in a sophisticated two-year operation, and in June Harvard discovered a data breach in the Faculty of Arts and Sciences and Central Administration. These recent attacks against higher education are indicative of a larger cybercrime trend targeting educational institutions.
Unlike financial and healthcare institutions, higher education’s storage and retention of personally identifiable information (PII) is largely unregulated. In addition, higher education is much less likely than finance or healthcare to incur the cost required to have the latest security solutions in place. It’s typical for educational institutions to store PII in a comprehensive manner, so an attacker could gain access to students’ (and faculty’s) financial information, social security numbers and medical histories.
My Two Cents
Universities have a lot to protect, including internal and external Web servers, email servers, file servers, and databases of student, alumni, prospect, employee and faculty information. Furthermore, the nature of a university network makes it hard to protect because university IT security staff have very little control over the devices on that network. Students are also remarkably talented and resourceful when it comes to subverting security controls.
In an environment like a university where the network cannot be guaranteed secure, all devices – laptops, desktops, tablets, and smartphones – must run endpoint protection software that includes active protections such as host-based intrusion prevention (HIPS), software firewall, and live web threat analysis and prevention, as well as traditional scanning for malware. Everything needs to be protected regardless of operating system. Plus, make sure that your browser’s anti-phishing capabilities are turned on.
Be smart online. Don’t download pirated software. I know it’s tempting to save money, but you’re putting yourself at risk. Criminals pack malware into pirated software. Also, don’t download video or audio players or download a codec you’ve never heard of before just to watch a free file. When you do download, make sure that you scan the files before accessing them. To be even safer, use a separate machine just for downloads.
Don’t reuse usernames and passwords on multiple websites. The problem with password reuse is that there’s an underground marketplace for stolen accounts: if one site gets hacked, criminals will buy the list and then try all of those credentials on other sites. So if you’ve used the same username and password for multiple sites and one gets hacked, all of your others are now at risk.
The Internet is a tool and also a toy. Unfortunately, it’s also a huge threat vector. It’s not fun to have your identity stolen. Protect your device and be smart about what you do in order to minimize risk.
Matthew David Sarrel has been practicing and writing about network and information security for over 20 years. He is Executive Director of Sarrel Group, an editorial services/content marketing, product test lab, and information technology consulting company. He is a Contributing Editor for PCMag.com, Triple-G Editor for Backayard Magazine, and contributor to Infoworld, Programmable Web, and numerous other sites and publications. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as VP of Engineering and IT Manager at two Internet startups. Earlier, he spent almost 10 years providing IT solutions in HIV-and-TB-related medical research settings at the New Jersey Medical School. Mr. Sarrel has a BA (History) from Cornell University, an MPH (Epidemiology) from Columbia University, and is also a Certified Information Systems Security Professional (CISSP). Mr. Sarrel has written for and spoken to numerous international audiences about information technology and information security. He participated as an expert in two Federal Trade Commission workshops, one about spam in 2003 and one about spyware in 2004. Follow Matt on Twitter. Follow his adventures with Elvis the information security French bulldog on Instagram.
Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students hands-on experience with state-of-the-art security solutions like HeurekaCyber’s Cyber Armor and others. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecurity.