Cybersecurity: Understanding the Online ThreatSam Musa | Cyber Security Adjunct Professor, University of Maryland University College
Universities and colleges possess sensitive and Personally Identifiable Information (PII), such as social security and credit card numbers. However, academic computer systems were designed to share information, and not necessarily securely. As a result, the computer systems at colleges and universities are regularly targeted by cybercriminals.
Hackers’ motives vary from stealing students’ sensitive information to going after patents, intellectual property and defense-related projects (which hold a lot more value than credit cards).
Cybercrime, by definition, is committing an illegal act using a computer or network device. Cybercriminals are using sophisticated methods to gain unauthorized access to information systems. Some of the creative methods attackers may use are backdoor programs, phishing attacks and social engineering. There are a number of well-known backdoor tools that can be used to set up a route that circumvents traditional security mechanisms, allowing them to connect into the computer systems; for example, Tini, Netcat, Wrappers, EXE maker, Pretator, Restorator and Tetris.
Phishing is a technique whereby users are sent email messages with false links claiming to be a legitimate site in an attempt to acquire users’ personal information. Social engineering is a powerful human-based technique that bypasses all network countermeasures by relying on human weakness to gain unauthorized access to the network. The technique targets certain personnel, such as helpdesk staff, or executives by creating an artificial situation where staff are pressured to release the needed information.
The protection of information systems is a constant challenge. The cost of data breach is expensive and severe. Cybercrimes cost more than $100 billion annually worldwide. The large number of attempts of cyberattacks is forcing universities to harden their information systems. Federal laws such as the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act also drive information security policies for universities and colleges.
The goal of information security is to ensure confidentiality, integrity and availability of the data. Universities are obligated to protect their assets, which include data, desktops, servers, buildings and, most importantly, students. Data can be separated and categorized based on need-to-know status. Student and research data need to be separated from public data. Once data are categorized, security clearances can be applied to enable access control. Encryption can be implanted to improve confidentiality of data, digital signatures can be used to ensure data integrity and backing up data and communications lines can also help achieve data availability.
There are total of 18 security controls institutions can put in place to protect student information and university assets:
- Access Control: apply security techniques to control how users interact with the systems.
- Awareness and Training: develop and implement a formal awareness and training plan for staff.
- Audit and Accountability: produce and store audit records of all systems.
- Security Assessment and Authorization: undergo a security assessment of systems to ensure security controls are applied accordingly. System owners must accredit the systems and grant certain members approval to operate.
- Configuration Management Plan: test, approve and document changes.
- Contingency Planning: develop plans for system recovery and alternate sites for operation.
- Identification and Authentication: identify, verify and authenticate users and devices.
- Incident Response: develop a plan to handle responses to incidents and containment.
- Maintenance: develop plans and policies to ensure installation of related patches and fixes.
- Media Protection: address media access, labeling, transport and destruction.
- Physical and Environmental Protection: develop plans to ensure physical, plumbing, electrical and fire protection.
- Planning: develop a system security plan.
- Personnel Security: conduct background investigation and personnel screening.
- Risk Assessment: evaluate all systems for vulnerabilities.
- System and Services Acquisition: ensure allocation and life cycle support of resources.
- System and Communications Protection: protect boundary and transition integrity.
- System and Information Integrity: protect systems against unauthorized changes.
- Program Management: develop an organization-wide information security program.
In conclusion, cybercrime has a profound impact on colleges and universities. It will take students and academic institutes working collaboratively to make a significant impact against cybercrimes.
Click on the button below to be reminded when future installments of WeSam Musa’s series on Cybersecurity are published, during which each of the 18 protection mechanisms will be explored in greater detail.
Author Perspective: Educator