Are colleges and universities at greater risk of data breaches?

A database security vendor says colleges and universities need to do more to secure their databases against break-ins.

Application Security, which uses the name AppSec, reviewed data breaches in higher education, drawing from a variety of published sources. The company, based in New York City, specializes in database security and has two main products: DbProtect, an application for database security, risk and compliance; and AppDetectivePro, which automatically discovers all database applications on a company's network and evaluates their security.

The data in its report, "An Examination of Data Breaches at Higher Education Institutions," highlights increasing data-loss incidents at colleges and universities. But it doesn't clearly distinguish between the business market as a whole and the higher education sub-market, and it does little to put the higher education breaches into context.

For example, the AppSec document cites data from Privacy Rights Clearinghouse to assert that "higher education institutions have experienced a substantially large number of data breaches – nearly 160 breaches and more than 2.3 million records breached since 2008."

But using the same PRC sortable database, the "Chronology of Data Breaches", it turns out that other segments, though they recorded fewer breaches for the same period (totals ranging from about 60 to the mid-90s), have exposed more records: more than 3 million for government and military, and 39 million for financial services companies, depending on the types of breaches considered. Healthcare, with roughly 80 breaches, exposed 1.5 million records.

AppSec notes, correctly, that higher ed is on pace to report more breaches this year than last year. But according to the PRC database, so are financial services, retail, government/military, and healthcare, all of which have a larger number of year-to-date security incidents than does education.

Turning to another source, DatalossDB.org, AppSec pulls other data that says roughly the same thing for higher education: 89 breaches affecting "in excess of one million records" in the 18 months from January 2009 to August 2010. DatalossDB ranks higher ed as No. 2 among markets experiencing database breaches, according to AppSec. But it's not clear exactly where that data comes from. A page of statistics, in the form of pie charts, shows education with 29% of reported "incidents" (of all types), a general "Biz" category with 49%, government with 18%, and healthcare with 13%.

According to the AppSec document, where "many of these breaches occurred, the institutions had passed PCI compliance audits. Compliance does not equal security." But the assertion would be meaningful only if college and university security staff believed that compliance did equal security. AppSec doesn't offer evidence of this, nor any comparative data to show whether breaches are more or less common in other industry segments that are, or are not, PCI-compliant.

The data security weaknesses "can be attributed to a number of factors," according to AppSec, though it doesn't go into much detail. For example, "university IT departments are often plagued by resource issues." That could mean "not enough security staff," but AppSec doesn't elaborate. Another of the factors is "budgetary constraints," a problem that is hardly unique to higher education.

But in another section, AppSec explicitly identifies budgetary constraints as representing "perhaps the most rational reason why colleges and universities are experiencing a high volume of attacks." It cites the "2010 Security Spending Trends" report (from the Enterprise Strategy Group, an IT analyst and business strategy company; the report is available only as a "premium subscription") to assert that "only 50% of universities in the U.S. plan on increasing their IT security spend for 2010."

But just as PCI compliance is no guarantee of security, neither by itself is increased security spending. Nor is it clear why AppSec thinks that not increasing security spending is causing the allegedly high number of attacks on campus databases.

Drawing on the same ESG data, AppSec notes that all organizations, not just those in education, "are only spending 20 percent of their IT budget on security and only 20 percent of that security budget on databases." Again, the unsupported and undocumented implications are that neither percentage is enough, and that increasing them translates into increased security.

Somewhat confusingly, the AppSec document elsewhere suggests another equally if not more rational reason for the higher education data breaches: "The nature of higher ed is to foster an open academic environment, which is a nature at odds with the need to protect sensitive information and be mindful of security issues. Changing this nature requires a philosophical shift in the way these institutions view sensitive data."

That's true to a degree, though the assertion hinges on what is meant by an "open academic environment," and it's not a new challenge for higher education. Educause.org, one of the main associations for education IT professionals, has a collection of information security whitepapers, recommendations and surveys going back to at least 2006. One of them is the May 2006 "Current IT Issues Survey Report," which noted that "For the first time ever, Security and Identity Management has topped Funding IT as the number-one IT-related issue in terms of its strategic importance to the institution."

More details of the Educause Cybersecurity Initiative are online.

By means of what the AppSec report calls a "forensic analysis," the authors conclude that the most common methods used by attackers to gain database administrator privileges are:

- Taking advantage of weak, blank or default access controls.

- Exploiting a database, application or operating system vulnerability.

- Obtaining a valid login and password (for example, by guessing it or by a brute force attack).

Once they have access, attackers can sidestep logging mechanisms intended to record and track their activities. Techniques include: disabling logging completely; loading external libraries (a common database practice to add functionality) to execute code inside the database server process and gain access to process memory and database components; impersonating other database users to perform unauthorized actions; deleting or overwriting logs.
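The four log-evasion techniques listed above are the kind of thing a database audit trail can be watched for. The following is an added example, not code from the article or from AppSec: a small Python scanner that runs a rule per technique over constructed sample audit-log lines in a hypothetical "timestamp user statement" format (the statement syntax follows MySQL conventions; the log format and the account names are assumptions).

```python
import re
from dataclasses import dataclass

# Constructed sample audit-log lines (not from the article). Format assumed:
# "<timestamp> <db user> <statement>". Lines 2-5 each show one evasion technique.
SAMPLE_AUDIT_LOG = """\
2010-09-01T10:02:11 appuser SELECT name FROM students WHERE id = 42
2010-09-01T10:05:40 dba SET GLOBAL general_log = 'OFF'
2010-09-01T10:06:02 dba CREATE FUNCTION sys_exec RETURNS INT SONAME 'udf.so'
2010-09-01T10:07:15 dba SET ROLE registrar
2010-09-01T10:09:30 dba TRUNCATE TABLE mysql.general_log
2010-09-01T10:10:00 appuser UPDATE students SET email = 'x' WHERE id = 42
"""

# One rule per technique named in the article (MySQL-style statements assumed).
RULES = {
    # disabling logging completely
    "logging_disabled": re.compile(
        r"SET\s+GLOBAL\s+(general_log|log_output|audit_log\w*)\s*=\s*'?(OFF|NONE|0)'?", re.I),
    # loading an external library into the server process
    "external_library_loaded": re.compile(r"CREATE\s+FUNCTION\b.*\bSONAME\b", re.I),
    # switching identity to act as another database user
    "user_impersonation": re.compile(r"^\s*SET\s+ROLE\b", re.I),
    # deleting or overwriting log tables
    "log_tampering": re.compile(
        r"(TRUNCATE|DELETE\s+FROM|DROP\s+TABLE)\s+.*\b(general_log|audit_log|slow_log)\b", re.I),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

@dataclass
class Alert:
    timestamp: str
    user: str
    rule: str
    statement: str

def scan_audit_log(text):
    """Return one Alert per audit line that matches an evasion rule, in log order."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than silently dropping the scan
        ts, user, stmt = m.groups()
        for name, pattern in RULES.items():
            if pattern.search(stmt):
                alerts.append(Alert(ts, user, name, stmt))
    return alerts

if __name__ == "__main__":
    for a in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{a.timestamp} {a.user} {a.rule}: {a.statement}")
```

Because an attacker with DBA rights can also delete the local log, the scan is only worth running on a copy forwarded to a host the database account cannot write to.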

AppSec says some risks are unique to higher education. Among them:

- Using students as IT staff: they have less experience and higher turnover, and they have access to sensitive information while lacking security training and adequate supervision.

- Open student terminals and workstations on the same network as sensitive databases.

- About one-quarter of the user population changes each year, with associated challenges in managing accounts and credentials.

- Multiple IT departments within the university, each with different, possibly even conflicting, information security policies.

Finally, the document recommends six "best practices" to secure education databases:

1. Conduct automated database scanning to create a complete inventory of all databases.

2. Classify them according to their "business value."

3. Identify all database vulnerabilities, including improper configurations, shortcomings with regard to compliance mandates, and access control violations.

4. Assess the level of risk for each of these problems and create a prioritized list of remediation steps.

5. Take the remediation steps.

6. Monitor the databases and user activity.

John Cox covers wireless networking and mobile computing for Network World.

Twitter: http://twitter.com/johnwcoxnww
