TO BUSINESS EDITORS:
Recent Wave Of University Hacks Underscores Continued Security
Concerns
SCHAUMBURG, Ill., April 9, 2014 /PRNewswire/ -- In 2013, HALOCK
Security Labs noted information security vulnerabilities at colleges
and universities along with numerous challenges that plague these
institutions across the United States. More breaches may come to
light if higher education institutions do not rethink their security
measures.
Just this year, hackers have gained access to a combined total of over
740,000 student and alumni personal information records, including
Social Security numbers. The breaches occurred at
University of Maryland on February 19, 2014, Indiana University on
February 26, 2014 and North Dakota University on March 6, 2014.
HALOCK Security Labs' 2013 investigation found that 25% of 162
universities sampled were putting student and parent financial data at
risk through the use of unsafe unencrypted email practices. This data
included W-2s and tax information transmitted to financial aid
offices. Universities continue to be targeted by hackers because
they not only maintain a wealth of student and parent financial data
but are also centers for cutting-edge research and intellectual
property.
These recent breaches highlight the reason why universities need to
take security seriously and extend their safeguards beyond unsecure
email. While HALOCK's investigation highlighted a certain type of
security lapse, the recent breaches underscore that universities need
to consider security comprehensively.
Why aren't schools and universities taking the necessary steps to
safeguard sensitive information? "Universities in general have
limited budgets for information security, and therefore struggle to
comply with the numerous laws and regulations regarding the data in
their custody," says Terry Kurzynski, Senior Partner at HALOCK.
Universities are overwhelmed by a number of issues:
-- Typical university cultures promote open access to information: A
core requirement for information security is the classification of
information and systems. And because colleges and universities are
quasi-public places, they must separate their public network zones
from their sensitive network zones and ensure that each is secured
according to their risk.
-- Transient and inexperienced student workers: After colleges and
universities have separated their sensitive systems from their public
systems, they can assign student employees to jobs that manage the
public systems, leaving sensitive information in the control of
properly trained and vetted permanent employees.
-- Limited security and compliance budgets: While colleges and
universities have lower budgets than some organizations, no
organization has enough budget to address all of its security needs.
All organizations must prioritize their investments using the risk
assessments that are required by law.
-- Student hackers have ample time to target the university that is
teaching them hacking skills: Especially for colleges and universities
that provide information security courses, academic networks can
become the "lab" for course homework. In other words, when you teach
information security, expect your students to hack your network for
practice. Ensure that those who teach the courses collaborate with IT
personnel to detect and prevent the activities that are being taught
in the classroom.
-- Information technology changes are often limited to seasonal
university breaks: Major security patches, upgrades, and security tool
implementations are often held off until inter-semester periods when
the risk of unavailable systems is lower. But this also means that the
security risk is at its highest when class is in session. Proper
change management processes can reduce your availability risks while
making timely security upgrades.
-- Difficulty in educating the Board of Trustees or Regents on
security risks: A well-constructed risk assessment will define risks,
in part, by their impact to the mission of the institution. Impacts to
students, faculty, research funding and the school's reputation and
finances should all be considered as factors in risk assessments. A
risk statement that reads, "A breach of PHI records from the research
database, which foreseeably could happen over the next year, would
result in major fines and would compromise our ability to get IRB
approval for future research, as occurred at XYZ University Hospital
last year," is a far more compelling argument than, "Please can we buy
the two-factor authentication appliance? It could prevent a breach!"
According to Kurzynski, "Universities need to get serious about
securing their environment. They need to be sure that they are
following security standards, as well as the laws and regulations that
require the protection of personal information." Some find this
challenging, especially when budgets are tight.
Universities that implement a risk management framework often find it
easier to reach compliance. "Under this framework, organizations
invest in security so that they manage the likelihood and impact of
breaches," says Kurzynski. "Securing information according to risk
becomes much more manageable than might have previously been
imagined."
About HALOCK (www.halock.com):
Founded in 1996, HALOCK Security Labs is a hybrid security services
firm that strives to balance both business needs and information
security requirements. HALOCK's philosophy of "Purpose Driven
Security" focuses on defining and implementing just the right amount
of security; not too much, not too little. HALOCK's services include:
Security and Risk Management, Compliance Validation, Penetration
Testing, Incident Response Readiness, Security Organization
Development, and Malware Defense Strategy & Solutions.
Steve Lundin: BIGfrontier 312.391.8007
Lauren Mieli: HALOCK Security Labs 847.221.0203
SOURCE HALOCK