The headlines are enough to strike fear in the heart of any campus IT manager: personal data of alumni and students exposed at institutions like Boston College, Tufts (Mass.), George Mason University (Va.), Stanford (Calif.), and scores of other schools, putting credit card information, Social Security numbers, and medical records into the hands of digital miscreants.
But if the news seems troubling to read, it's even scarier to be the one in the story.
"You put all these protections in place, all these tools and processes," says Elaine David, assistant vice president for Information Services at the University of Connecticut, which had to notify 72,000 students, faculty, and staff of a potential breach last June. "But even with all that security, it just takes one vulnerability for a malicious person to get in. And they will, because they think like criminals, and we don't."
Security experts agree that the recent spate of security breaches aren't isolated incidents that can be cured with an ounce of prevention. Rather, sophisticated hacking tools and the porous nature of campus server environments make breaches a matter of "when" instead of "if" for just about every IHE.
But that doesn't mean campuses have to simply brace for the onslaught and try to clean up as best they can. Many schools that have been hit are leading the way in showing how to recover from breaches, minimize damage, and prevent future headlines.
Moving Data Off-Site
Well aware that data breaches are becoming more and more commonplace, some IHEs are choosing not just to protect sensitive financial data, but to actually remove it from campus servers altogether.
Higher One, a firm offering integrated financial aid disbursement services, has seen a great deal of interest lately from schools that want the firm to handle student financial records, putting the data behind Higher One's firewalls rather than within a campus network.
"If you're looking for a data-rich target, universities are it," says Sean Glass, chief marketing officer for Higher One. "The advantage to a service like ours is that we have to comply with banking regulations that determine how we protect information. Schools don't have to follow those mandates."
Kennesaw State University (Ga.) chose to go with the company to try and avoid even the potential for a breach, says Earle Holley, vice president for Business and Finance. After he heard about incidents at other schools, Holley found that his university was using encryption to send data out, but that on campus, no encryption existed. Rather than develop a plan to deal with breaches, Kennesaw chose to move the sensitive data off its servers.
"We feel that it's easier to avoid issues with data on campus," notes Holley, "if we limit what kind of information is on the servers in the first place."
Locked Doors, Open Windows
Unlike corporate networks, which can be controlled and monitored through strict IT policies, IHE setups have to be flexible, allowing for multiple types of devices and often for decentralized pockets of IT management. That makes schools tempting to hackers, who can crack networks through system flaws, viruses, and spyware.
The Privacy Rights Clearinghouse recently stated that of the 113 data breaches reported since February 2005, almost half took place at colleges, universities, and university-related medical centers.
The prevalence of breaches is likely to continue, according to the security firm Symantec. In its annual threat report, released last fall, the company noted that education is now the most attacked industry, ahead of small business, financial services, and government. IHEs are attractive targets due to their large, diverse networks and stores of highly sensitive information. Also, a false sense of ownership exists among students and faculty. They often install wireless access points or tap into campus networks without firewalls in place, the report notes.
Sometimes, even seemingly bulletproof protection isn't enough. After a worm disrupted its systems in 2003, the University of Washington School of Medicine installed tough firewalls and intrusion systems. But when another virus attacked, IT staff found they couldn't identify where the threat had originated-so cleaning infected departments before the infection spread was difficult.
Appropriate Alerts
The news isn't all dire. Despite many incidents of data breaches, there has yet to be any widespread identity theft as a result of the exposed information. Attackers sometimes find themselves with data, but no idea how to exploit it.
"Data can be stolen or lost, but without an application that can tie that information into other databases, usually it's not useful," says Tom Chomicz, a network security engineer at CDW-G, a technology provider to government and educational institutions. "Selling it takes time and connections, and if any part of it is encrypted, it's just not worth it to the attacker."
Most hackers don't break into campus networks specifically to get sensitive data, Chomicz adds, but instead to create channels for sending spam. Purveyors of unsolicited mail pay hackers for these "zombie" connections, so spam can't be traced back to them. Much like breaking into a bank and emptying the cash drawer but neglecting to peek into the open vault, hackers take advantage of vulnerabilities to exploit networks, yet don't always use data that is right in front of them.
At Boston College, for example, letters had to be sent in March 2005 to 120,000 alumni describing an exposed database that contained Social Security numbers. College officials noted that the attacker's real motive seemed to be embedding a program that could be used to attack other computers.
