Cybersecurity: Understanding the Online Threat
Sam Musa | Cyber Security Adjunct Professor, University of Maryland University College
Universities and colleges possess sensitive and Personally Identifiable Information (PII), such as social security and credit card numbers. However, academic computer systems were designed to share information, and not necessarily securely. As a result, the computer systems at colleges and universities are regularly targeted by cybercriminals.
Hackers’ motives vary from stealing students’ sensitive information to going after patents, intellectual property and defense-related projects (which hold a lot more value than credit cards).
Cybercrime, by definition, is committing an illegal act using a computer or network device. Cybercriminals use sophisticated methods to gain unauthorized access to information systems. Some of the creative methods attackers may use are backdoor programs, phishing attacks and social engineering. There are a number of well-known backdoor tools that can be used to set up a route that circumvents traditional security mechanisms, allowing attackers to connect into the computer systems; for example, Tini, Netcat, Wrappers, EXE maker, Pretator, Restorator and Tetris.
Phishing is a technique whereby users are sent email messages with false links claiming to be a legitimate site in an attempt to acquire users’ personal information. Social engineering is a powerful human-based technique that bypasses all network countermeasures by relying on human weakness to gain unauthorized access to the network. The technique targets certain personnel, such as helpdesk staff, or executives by creating an artificial situation where staff are pressured to release the needed information.
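The "false links claiming to be a legitimate site" pattern is detectable on the receiving side: the visible text of a link names one host while the real destination (the href) points elsewhere. The following script is an added illustration of that check, not code from the article; the sample message and the domains in it are constructed placeholders.

```python
"""Flag HTML email links whose visible text names a different host than the
real destination (the 'false link claiming to be a legitimate site' pattern).

Added illustration, not from the article. The sample message below is
constructed; the domains in it are placeholders, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one link whose text claims the university
# portal but whose href points elsewhere, one descriptive link, and one
# honest bare-domain link.
SAMPLE_EMAIL_HTML = """
<p>Your account will be locked. Verify now:
<a href="http://login.example-portal-verify.test/reset">https://portal.example.edu/login</a></p>
<p>Questions? See <a href="https://portal.example.edu/help">the help page</a>.</p>
<p>Or visit <a href="https://portal.example.edu/">portal.example.edu</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, text)
        self._current = None     # [href, text] of the <a> being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(text):
    """Return the lowercase host named by a URL or bare domain, or '' if none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself names a host (URL or domain)."""
    return "://" in text or ("." in text and " " not in text)


def find_deceptive_links(html):
    """Return (href, visible_text) for links whose visible text names a host
    different from the href's host. Descriptive text ('the help page') names
    no host and is not flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue
        if host_of(text) and host_of(text) != host_of(href):
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"visible text {text!r} but destination host {host_of(href)!r}")
```

A mail gateway or awareness-training tool can run this over the HTML part of inbound messages; a mismatch is a strong signal worth quarantining or at least rewriting so the real destination is shown to the reader.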
The protection of information systems is a constant challenge. The cost of data breach is expensive and severe. Cybercrimes cost more than $100 billion annually worldwide. The large number of attempts of cyberattacks is forcing universities to harden their information systems. Federal laws such as the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act also drive information security policies for universities and colleges.
The goal of information security is to ensure confidentiality, integrity and availability of the data. Universities are obligated to protect their assets, which include data, desktops, servers, buildings and, most importantly, students. Data can be separated and categorized based on need-to-know status. Student and research data need to be separated from public data. Once data are categorized, security clearances can be applied to enable access control. Encryption can be implemented to improve confidentiality of data, digital signatures can be used to ensure data integrity, and backing up data and communication lines helps achieve data availability.
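The paragraph above ties together categorization, need-to-know access control and an integrity mechanism. The following script is an added illustration of those three ideas working together, not code from the article: the categories, clearance table and records are constructed, and an HMAC-SHA256 tag stands in for the digital signature the article mentions (a MAC uses a shared key rather than a key pair, but the tamper check behaves the same way).

```python
"""Need-to-know access control over categorized records, plus an integrity
tag that detects unauthorized modification.

Added illustration, not from the article. Categories, clearances and records
are constructed; HMAC-SHA256 stands in for a digital signature.
"""
import hashlib
import hmac
import json

# Categories ordered from least to most sensitive (constructed).
LEVELS = {"public": 0, "student": 1, "research": 2}

# A user may read a record only if their clearance level covers the record's
# category AND that category is in their need-to-know set. Clearance alone
# is not enough: a researcher cleared to "research" still has no business
# reading student files.
CLEARANCES = {
    "registrar": {"clearance": "student",  "need_to_know": {"student", "public"}},
    "pi_lab":    {"clearance": "research", "need_to_know": {"research"}},
    "webmaster": {"clearance": "public",   "need_to_know": {"public"}},
}

INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"  # constructed secret


def _canonical(record):
    """Serialize deterministically so the tag covers the exact content."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Attach an integrity tag computed over the canonical record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the record is exactly what was sealed."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def may_read(user, record):
    """Need-to-know check: clearance >= record level and category permitted."""
    entry = CLEARANCES.get(user)
    cat = record.get("category")
    if entry is None or cat not in LEVELS:
        return False
    return LEVELS[entry["clearance"]] >= LEVELS[cat] and cat in entry["need_to_know"]


def read(user, sealed):
    """Return the payload, or raise. Integrity failure and access denial are
    distinct exceptions so each can be logged and handled separately."""
    if not verify(sealed):
        raise ValueError("integrity check failed: record was modified")
    if not may_read(user, sealed["record"]):
        raise PermissionError(f"{user} has no need-to-know for {sealed['record']['category']}")
    return sealed["record"]["payload"]


# Constructed sample records.
STUDENT_RECORD = seal({"category": "student", "payload": {"id": "S-0001", "ssn_last4": "0000"}})
PUBLIC_RECORD = seal({"category": "public", "payload": {"course": "CS101"}})


def tampered_copy(sealed):
    """Simulate an unauthorized edit that keeps the original tag."""
    altered = json.loads(json.dumps(sealed["record"]))
    altered["payload"]["ssn_last4"] = "9999"
    return {"record": altered, "tag": sealed["tag"]}


if __name__ == "__main__":
    print(read("registrar", STUDENT_RECORD))         # permitted
    print(may_read("pi_lab", STUDENT_RECORD["record"]))  # False: no need-to-know
    print(verify(tampered_copy(STUDENT_RECORD)))     # False: modification detected
```

The separation of clearance level from need-to-know is the point worth noticing: a higher clearance never implies access to every lower category, which is what keeps research data from leaking to student-services staff and vice versa.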
There are a total of 18 security controls institutions can put in place to protect student information and university assets:
- Access Control: apply security techniques to control how users interact with the systems.
- Awareness and Training: develop and implement a formal awareness and training plan for staff.
- Audit and Accountability: produce and store audit records of all systems.
- Security Assessment and Authorization: undergo a security assessment of systems to ensure security controls are applied accordingly. System owners must accredit the systems and grant certain members approval to operate.
- Configuration Management Plan: test, approve and document changes.
- Contingency Planning: develop plans for system recovery and alternate sites for operation.
- Identification and Authentication: identify, verify and authenticate users and devices.
- Incident Response: develop a plan to handle responses to incidents and containment.
- Maintenance: develop plans and policies to ensure installation of related patches and fixes.
- Media Protection: address media access, labeling, transport and destruction.
- Physical and Environmental Protection: develop plans to ensure physical, plumbing, electrical and fire protection.
- Planning: develop a system security plan.
- Personnel Security: conduct background investigation and personnel screening.
- Risk Assessment: evaluate all systems for vulnerabilities.
- System and Services Acquisition: ensure allocation and life cycle support of resources.
- System and Communications Protection: protect boundary and transition integrity.
- System and Information Integrity: protect systems against unauthorized changes.
- Program Management: develop an organization-wide information security program.
In conclusion, cybercrime has a profound impact on colleges and universities. It will take students and academic institutes working collaboratively to make a significant impact against cybercrimes.
Future installments of WeSam Musa’s series on Cybersecurity will explore each of the 18 protection mechanisms in greater detail.
Author Perspective: Educator
Useful introductory piece on cyber security. I believe many institutions aren’t aware they’re a key target for cyber criminals. When you think of this type of crime, you often imagine financial institutions being under attack. However, it’s important to remember that a lot of sensitive data is contained in student files, and having them fall into the wrong hands would be disastrous.
Thank you for your comments on the article James. Yes, indeed, many institutes are not aware that they are targeted by “cyber-criminals”. People tend to focus on the big data, or classified data, and forget that schools are just one of many back-doors to large government projects. The academic institutes, too, need to adopt and execute a well-developed system security plan.
I don’t think students are taught how to take precautions when inputting/accessing their data online. Institutions need to do a better job of offering this type of user training. Unfortunately, pop culture has created the narrative of a cyber criminal hacking into a school’s system to change grades or seek revenge on an ex, thus making cyber security seem sort of silly. What students need to remember is that cyber crime is often more serious and more covert than they imagine.
I couldn’t agree with you more Natasha – when it comes to awareness training, almost all schools are not doing a good job. In fact, in my dissertation, I discussed the impact of lack of security awareness training on the organizations’ success. You also nailed it right on the head; pop culture, and more specifically, media, is not emphasizing enough the severity and priority of cyber threats. And yes, students are not taught how to be cautious when they access their data online. In fact, I am discussing all these issues in the awareness training post – it’s like you read my mind. In the awareness training post, I am actually proposing a solution that schools don’t usually pursue. This post should be available next month or so.
Thank you for your comments Natasha,