On May 23, 2012, Joshua Mauk got a nasty shock. Mauk, who works as an information security officer at the University of Nebraska, found that a critical database had been compromised on the school’s system. It wasn’t just any database, either: it was the Nebraska Student Information System (NeSIS), which held the personal details of 654,000 students.
“They got access to student data, financial aid and billing,” recalls Mauk, explaining that protecting networks in higher-education campus environments is often more difficult than in conventional private sector ones. “The main challenge with campuses is just that culture of openness,” he says.
According to the Open Security Foundation, 15% of data breaches since records began have happened at educational institutions. These places face a unique set of challenges that keep people like Mauk on their toes.
Many of these challenges are intimately bound together. For example, the network environment in universities is often sophisticated and intricate. This, in turn, is a result of higher education’s idiosyncratic organisational structure. These fragmented networks are common because of the decentralised nature of most schools. Mauk explains that universities have at least three parts: academic, research, and business. This inherent looseness creates challenges not only in technical infrastructure, but also in leadership and decision-making.
Universities also have to worry about those pesky users, who are a diverse bunch. Aaron Massey, a postdoctoral fellow at the Georgia Institute of Technology, describes a syndrome, well understood among IT admins in higher education, called Eternal September. Professors and IT staff used to get a constant stream of questions from clueless students in September, at the start of the academic year, as they grappled with networks and computing systems. To compound the problem, both students and tutors like to bring in their own devices, and the explosion of post-PC hardware over the last two years has exponentially expanded the number of platforms. Some administrators solve this problem by completely blocking access to administrative systems from unapproved devices.
Cohesion on campus isn’t enough, experts argue. Sharing information between academic institutions to establish and reinforce best practices is a key part of the process. Openness may be one of the educational sector’s biggest weaknesses from a cybersecurity standpoint, but it is also one of its saving characteristics.
The University of Nebraska is just one of many educational institutions across the globe that continue to tighten their security. Although the university notified all affected users of the compromise, over the next three to six weeks it narrowed the group of users at a higher risk from 600,000 to 150. In education, as elsewhere, compromises can happen. It’s how you respond that sets you apart from the pack.
Read full article at: TheGuardian