Wednesday, May 13, 2009

Academia's Big Big Problem

The headlines tend to speak for themselves these days:
  1. UC Berkeley Breach Affects 160,000 (Berkeley link here)
  2. Data About Students Dispersed in Breach
  3. Financial Aid Data at KCC May Be at Risk
Academia is in serious trouble, and it appears quite clear that universities are faring much worse than other school systems.  The question everyone asks is "why?" and while the answer may be quite simple to those of us who have some inside information to how the higher education networks function I felt it prudent to briefly explain the situation and the circumstances leading to this crisis.

Institutions of higher education, colleges and universities, are under much greater pressures from attackers than are most other educational institutions for a very specific, yet painfully obvious, reason - openness.  Colleges and universities typically have a mandate that the flow of information and ideas through their networks be unrestricted.  What's worse, in a university setting each department is a silo... doing as they please and standing up servers, applications and web sites to their hearts' content without really asking permission or following any protocol.  Given all that it's simple to see why the security teams at universities and colleges have a very unenviable position.

Bracing for the worst from the hackers is one thing when you have a reasonably cooperative organization where security is taken (at least somewhat) seriously.  Higher education tends to take security as an afterthought (if at all), from what I've seen, and the folks trying to push the security agenda are rarely heard.  This creates a double-whammy for the security folks in academia.  On one hand, you can't lay down the law and lock down your environment in the name of education and openness, on the other hand there are websites popping up and data being stored all over the place without your knowledge.  This is a hacker's dream right?

How does someone working an academic environment wraught with adversity like this succeed in protecting the precious information which patrons entrust them with?  There aren't any simple answers here.  Perhaps a grass-roots change in mentality and beliefs is in order.  Perhaps rather than taking blame as a whole, the universities should single out specific people or persons who were directly responsible for the conditions leading up to the breach/hack?  Would that type of accountability change the minds of careless department heads who choose ignore security?  I'm not sure I believe that, but it's a good start.

As I've preached before, a sound policy is the key to a secure environment.  A policy not only should lay out the guidelines for what should be done but also make clear the consequences of failing to comply with the policy.  From experience, it's this last bit that eludes many organizations - and not just higher education.  It's tough to get an organization behind the idea of punnishing people who break the rules, particularly in an academic environment where the culprits are intellectuals (heaven forbid we give them rules to live by) but it must be done lest we continue to see news stories about these types of data breaches in an ever-increasing rate.

Looking beyond the hack method, focusing on the motivation is often a good way to understand why attacks occur and how to prevent them.  In the case of schools and universities there are mutiple possible reasonings for attack.  First - students typically start with a clean slate when they enter college.  If an attacker can collect enough information to create a fraudulent account in a student's name they have a better chance of no one noticing for a while... until that student actually investigates their credit.  This brings me to a second point - credit responsibility.  I've known many friends who went through college collecting credit cards like baseball cards and spending on plastic without regard for tomorrow.  If a card theif managed to set up a line of credit in their names these folks likely wouldn't notice for quite some time, and it would be hard to analyze their spending patterns to identify a fraudulent purchase against their usual spending madness.

On top of all that, schools typically collect massive amounts of information about students and staff for various reasons.  A typical university will know your name, address, phone number and all personal information, along with your grades, affiliations and all academically relevant information.  In addition to that, if you've ever applied for a grant or loan they'll have that information too which includes credit history, social security number and other goodies.  Worse, if you've ever been injured on campus or had the sniffles your medical records are on file as well.  Pretty much all of your academic-related life is on file with your college or university - and they're doing an incredibly poor job of securing that information today, judging by the news headlines.

Some simple suggestions for basic protection, while often ignored, should be heeded:
  • Collect and store only the information absolutely needed and no more
  • Encrypt personal and private information from students and faculty
  • Centralize sensitive data stores and do not distribute this information throughout the school
  • Destroy (digitally shred) digital information after a defined retention period
  • Carefully limit access to sensitive information via roles and permissions

Perhaps UC Berkeley will become a shining example of what will happen in the university/college environments if more care isn't paid to security.  Perhaps not.

If you're working in academia, and are charged with information protection - good luck.

I'd like to hear from those in information protection at the university/college level; share your success or failure anonymously or not!

No comments: