2016 hasn’t begun in a very positive way for education institutions. January 2016 saw data on 80,000 students, faculty, and staff at UC Berkeley compromised in the University’s third data breach disclosure of the past 15 months. This was followed by a breach of 63,000 names and social security numbers of current and former students and staff at the University of Central Florida in early February 2016 obtained when hackers attacked the school’s computer system.
Data breaches and security hacks aren’t new to this industry. In fact, one of the earliest books written about computer hacking featured hacking at universities. Arguably, universities are a breeding ground for next generation of hackers cutting their teeth by creating new malware and probing for vulnerabilities.
So why are these breaches continuing to occur? Paul German, VP EMEA, Certes Networks, outlines three common security misconceptions in the education sector that he insists need to be put right in order to stop these hacks being repeated month after month.
Misconception 1: I can have an open IT environment, or secure IT environment, but not both open and secure
With an ever-expanding attack surface encompassing personal devices, widely shared applications, a culture of open access and often no well-defined perimeter, university environments repeatedly become the perfect playground for hackers to exploit. Yet, having an open IT environment does not mean that it can’t be kept secure. What’s more,simply reducing the number of users on the network or limiting the number of applications available to those users, won’t meet the expectations of students and staff – in fact, it will result in your institution operating much less efficiently.
A more effective strategy is to focus on reducing the attack surface of the most sensitive applications through application segmentation and isolation that tightly controls access to those most sensitive applications, while leaving other applications in a more open stance. One segmentation technique is to use strong encryption for segmenting the sensitive applications and then applying role-based access control. This blocks hacker lateral movement so that if they compromise one of the open applications, they cannot access the more sensitive ones. This way, IT environments can be kept open, with more devices, applications and users than ever, and still be secure. It doesn’t have to be one or the other.
Misconception 2: Breach protection and detection policies are enough to keep the hackers at bay
The Verizon Data Breach Investigation Report 2015 showed that the education sector has by far the most malware incidents of any sector, coming in at 2,332 incidents compared to a mere 350 incidents in the financial sector. What’s more, the report also shows that educational institutions take the slowest time to fix all measured sectors. In general, industry data shows that after much innovation in the breach detection and response areas, the typical breach still is not detected for more than 200 days on average. While an improvement from previous average detection lag of more than a year, this is still too long. These facts alone demonstrate that breach protection and detection policies are no longer enough, by the time a breach has been detected, the damage will have already be done.
With a software-defined breach containment approach to security it is possible for organisations to confine the scope of a breach to a small, defined area, rather than creating a system wide disaster. As well as mitigating damage, breach containment strategies allow security teams to base segmentation on business applications and grant access based on user roles, as opposed to focusing solely on physical or infrastructure based segmentation.
Misconception 3: I know which users and applications can be trusted
This is fairly simple: in reality, no user or application should be trusted. The multiple hacks that have already caused damage for education institutions this year alone show that these institutions, and other organisations alike, must adopt a “No Trust” security model. This assumes that there is no such thing as a trusted network or IT environment. Instead, every user, device, network and application must be treated as untrusted, and all systems should be considered already compromised.
Following this mind-set, sensitive data should be isolated with strong cryptography and access to it should be tightly controlled based on user roles. This segmentation should then be applied consistently across all silos, for all users in the enterprise to keep the open environment under control.
Conclusion
It’s clear that something needs to change. The education sector recognises that an issue exists; yet many are still not putting the proper measures in place. It has never been clearer that now is the time to act, and by thinking of security in a different way and overcoming the common misconceptions outlined above, education institutions can quickly begin the journey from security chaos to security harmony.
[su_box title=”About Paul German” style=”noise” box_color=”#336588″][short_info id=”60222″ desc=”true” all=”false”][/su_box]
Paul German, CEO at Certes Networks
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.