UCF breach shows that colleges and universities need to get serious about security
When we think about the organizations and enterprises that are prime targets for data thieves and malicious actors, the usual suspects are often financial services companies, national retailers and government agencies that deal in top secret information and intelligence.
But that’s just not the case anymore. Recent cyber threats and attacks have shown us that every organization needs to make cybersecurity a priority. This is true in the healthcare space, with our nation’s critical infrastructure and, now, even with our educational institutions.
In early February of this year, the University of Central Florida (UCF) announced that it was the victim of a significant cyberattack that may have affected as many as 63,000 individuals, exposing personal information and social security numbers. According to an article by the Orlando Sentinel, those impacted by the UCF breach include, “undergraduate student employees (including those in work-study jobs); graduate assistants; housing resident assistants; adjunct faculty instructors; student government leaders and faculty members who were paid for teaching additional classes…”
Although the source and cause of the breach is unknown, speculation points to credential theft through a sophisticated phishing attack. The problem was further exasperated by the fact that UCF failed to encrypt much of their data, and aggregated and stored data on these individuals over the course of three decades.
Now, the school is getting attention for more than their excellent political science program and athletics department. UCF is currently being sued by individuals that claim information compromised during this attack led to identity theft and other security issues. One individual even claims to have had his bank account drained as a result of this attack. In their lawsuits, the parties suing the school claim that the institution didn’t do enough to protect their data, and then failed to respond effectively to the threat.
The UCF situation should be a wake-up call to colleges and universities all over the country that security is a concern. And it actually makes a lot of sense that malicious actors would target these institutions.
When I was in college, my name was practically replaced with my social security number when it came to all interactions with the school itself. The last four digits of my social were used to identify me on tests, professor evaluations and in the cafeterias if I forgot my student ID. And the school had a tremendous amount of information about me. They knew all of my personally identifiable information (PII), they had financial information through financial aid and my student loans. They even had my health records and information through their health services center.
My school knew everything about me. I’d presume that much of that information was stored on paper, since this all took place years ago, but today’s schools are undoubtedly digital and storing these mountains of personal information about their students on their networks or in the cloud. And this information is pretty useful to malicious actors.
In a previous post on Access Granted, I discussed some recent breaches of companies that manufacture and sell children’s toys, and looked at why the PII of small children could be extremely valuable to malicious actors. Essentially, the lack of credit monitoring and the fact that they won’t be checking their credit histories for years means that data thieves could use their identities for much longer than they could an adult’s identity before being noticed.
Now, college students actually do use credit. They have student loans, car payments and (often too many) credit cards. However, if students today are as irresponsible as students were when I was in school, chances are that they’re not taking the time to ensure that their identities haven’t been stolen and their PII used for nefarious purposes. They may even simply delete alerts from their credit card companies notifying them of potentially fraudulent activity. They also most likely choose to use their limited funds on things other than credit monitoring services.
None of this would shock me, and all of it would benefit hackers.
When you couple the value of a young person’s information, with the sheer amount of information – including healthcare information, which is increasingly sought after – that colleges have for their students, it’s plainly obvious that they’d be solid targets for cyberattacks. But what can they do about it?
First and foremost, schools need to move past the archaic, “monitor, identify and respond,” approach to security that has been the standard for too long. It doesn’t help to prevent attacks, it only seeks to mitigate the damage when they happen. Then, these schools need to implement advanced risk-based security and authentication solutions that use the data available and make logical decisions about who can access networks and when.
If someone is trying to access college networks from a different continent – and it’s not a student traveling abroad – today’s advanced security and authentication solutions can identify that and shut them down.
College students, teachers and employees also have access to many different online services and capabilities that require a login with their unique credentials. It’s essential that the login processes for these online services authenticate users on multiple factors so they can determine that they truly are who they say they are.
It’s not enough to authenticate a user by a set of credentials anymore, since those credentials could be compromised through a variety of attacks – including the phishing attacks that may have been at the root of UCF’s breach. Instead, schools should be implementing solutions that examine a number of factors to ensure that the authentication is, in fact, authentic.
Finally, schools need to think about the user experience. This seems counterintuitive, but without ease of use, students will simply find ways around security protocols or otherwise ignore them. By ensuring that they’re making security smarter and stronger, but not harder to use, schools can truly protect students and their data.
To learn more about the security challenges facing organizations – including colleges and universities – today, click here to watch our recent Webinar, “Ending the game of enterprise security whack-a-mole,” featuring Mattel CISO, Jill Knesek.