Universities and other higher education institutions have long been heralded as strongholds of advanced and independent thought. They are the crucibles in which our most brilliant minds are forged, serving as exchange points to discuss and collaborate on the new theories and inventions that shape our world. However, these great advantages also come with unique security challenges to overcome.
The higher education vertical has been often lumped together with the enterprise in security discourse—and to be fair, the two have many similarities, such as the need for multiple enforcement policies, large numbers of end users, and distributed networks, to name a few. However, the differences between the two are enough that universities and colleges need their own security discussion, one that examines the needs and challenges specific to higher education. And this discussion cannot happen soon enough. Since 2005, there have been more than 500 breaches at higher education institutions. In 2014 alone, these breaches accounted for 35% of all reported attacks.
To find out more about the unique challenges facing higher education, I sat down with OpenDNS Network Security Engineer Alvin Wong, who has held several IT and security positions at both the University of British Columbia and BCNet.
In Wong’s opinion, approaching security at an educational institution like a commercial enterprise may not be a good fit. “Academia requires free and open Internet access without filtering or censorship,” he said. “So to put in traditionally enterprise-focused security controls can be difficult and quite political, in the literal sense of the word.”
Academia Demands Open Networks
The disparity between being a secure institution, and being free and open is further complicated by the distributed nature of many university networks, which can stretch across cities and even around the globe. Although Wong mentioned several potential issues this system introduced, one of the most common was student and faculty connectivity. A professor in Tokyo must have the same protection as a professor in New York, as they’re accessing the same internal resources and data—not to mention partnerships with other schools and potentially corporations.
Another complication is the democratic process institutions use to decide issues like security and access. This dramatically increases the amount of time it takes for adequate security policies to take effect, an unfortunate situation in an industry where even seconds could make a substantial difference during an attack. “Everyone has to have a seat at the table,” Wong said. “It’s not the same as a corporate environment where you can have a strict security policy—a ‘straight block anything, ask questions later’ type of situation.”
Ramen Dinners, Library Naps, and BYOD
In a recent Forbes blog, Sue Poremba called campuses a “melting pot of devices, applications, social media groups, and technology fads.” Mobile devices have worked their way firmly into our everyday lives, and you’d be hard-pressed to find any college student without a laptop, smart phone, or tablet handy at all times.
This creates a host of issues for busy campus security practitioners, who must secure an ever-increasing number of devices. “Schools have a huge BYOD problem,” Wong said. “There’s no such thing as a perimeter for a university.”
Students aren’t the only ones bringing devices to the network either—especially in research universities. “When researchers get funded, they usually bring in their own equipment. The main focus is then getting that equipment hooked up to the network properly, instead of dictating policy,” Wong said. “Unfortunately, security isn’t always top of mind for researchers.” This is especially troubling as research is one of the most targeted elements inside campus networks, after personal data.
Rodney Petersen, managing director for the Washington office of EduCAUSE, says institutions have failed to acknowledge the need for better protection. “What we have been slow to recognize is that the information we have on campus–whether it’s the intellectual property of the academy, or more importantly personally identifiable information–requires a similar level of high protection,” he said.
Shadow IT Is Rampant in Campus Networks
In addition to the challenges presented by BYOD, and also in part because of them, shadow IT is another prevalent issue at universities. Wong indicated that due to the proliferation of cloud services, and a lack of visibility into network activity, administrators are essentially running blind.
“What’s to stop Professor X from putting some intellectual property on Dropbox or some other service, or sending an email from a non-university email? There’s all kinds of complexity surrounding where data is stored and people using things beyond the perimeter,” Wong said.
With app stores just a click away, and a campus full of insecure BYOD devices, shadow IT presents a juicy opportunity for attackers. “Our endpoints were a point of entry into our infrastructure,” Wong said. “We saw a lot of viruses, a lot of malware getting on machines—just detecting those and having visibility into the network was a challenge.”
User education is a way around this problem though, Wong stated. “Making sure everyone is on the same page when it comes to software, for example, what AV to use, and making these tools easily available, is essential,” he said. “Then, you can have staff reinforce the policy, like making sure students have up-to-date software versions installed.”
Phishing and Infrastructure Attacks
According to Wong, public universities are required to provide contact information online, providing a veritable feast of information for social engineers to use as credentials. With endpoints left vulnerable, spear phishing against a member of the school teaching staff or administration could prove devastatingly effective.
In addition to phishing, schools also have to be wary of parasitic infrastructure attacks, Wong said. “Universities are pretty valuable for computing power, and for bandwidth to store traffic or use for DDoS attacks—attackers aren’t just after the intellectual property, but are attempting to gain control of infrastructure they can leverage.”
These are a small sampling of the challenges faced by higher education institutions. As attacks grow bolder and technology advances, it becomes more vital than ever to have a scalable, robust security stack in place, as well as a healthy user education program to mitigate infections caused by user error. “A lot of higher ed security is reactive, simply because of the sheer scale and number of projects, and the disparate directions people are going,” Wong said. “It’s definitely harder than enterprise security, if we’re comparing the two.”
