Education Sector is Failing Security

Thursday, May 13, 2010

Anthony M. Freed


“The Social Security numbers of about 30,000 people became vulnerable after malicious software attacked Penn State University computers,” an article announced in December 2009.

“Other data breaches occurred in January and February and in December 2008. One targeted a single computer; the two others affected hundreds of individuals.”

The root problem is a lack of funding. Year after year of steep budget cuts in the education sector have left primary, secondary, and university systems more exposed than ever to information security threats.

The vast majority of schools are falling behind in major security areas like security assessments and testing, threat prevention, remediation, training, policies and procedures, regulatory compliance, and current best practices.

“The rapid growth of network and cyber security threats poses a daunting challenge for higher education at a time of tight budgets and cost pressures,” says Michael Menefee, President of WireHead Security, located in North Carolina.

Unless an institution is of substantial size, it rarely has a designated staff position such as a CIO or CSO, and responsibility for system integrity is usually dispersed laterally to staff who lack the authority to do much more than follow procedure.

Mitigation protocols are usually out of date, and keeping pace with technology and hardware upgrades takes priority over comprehensive vulnerability analysis. The result is patchwork security efforts made in response to data loss events - which is much like continually filling potholes, but never fixing the road.

Data loss events at educational institutions give rise to a particular set of problems regarding remediation efforts.

First of all, many data loss events probably go completely unnoticed. When the stolen data is personally identifiable information, as opposed to thousands of dollars from a bank account, few red flags pop up: no balance changes, no failed transactions, nothing a monitoring system is watching for.

Information like names, Social Security numbers, dates of birth, and other such details in school records may lie dormant in the hands of a criminal network for years before it is ever used. When the fraud is finally noticed, it may be difficult to trace the origin of the breach because of the time elapsed since the event.

Secondly, higher education students are a particularly vulnerable population when it comes to criminal exploitation. Near the beginning of any school term, college students may receive thousands of dollars in deposits to their bank or university accounts from parents, financial aid, and scholarships.

Theft of these funds could be detrimental to all involved, and leave the student out of school and potentially still on the hook for the loans, as outlined in the promissory note.

Which brings us to the third point: who is responsible when an event does occur? Certainly if a financial loss can be directly linked to data loss at a particular institution, the school will have to pay up to the extent the law allows.

But this is little consolation when considering most educational endeavors are not profit driven, and probably do not set aside a certain percentage of funds yearly to compensate for losses due to fraud, like a credit card company or retail outlet would.

And the vast majority of schools are public in nature, which means the taxpayer is ultimately responsible.

The plain truth is that security is a very real issue for everyone in every sector, and the vested interests must realize that data loss from vulnerable IT systems is the new norm, it is here to stay, and it is a pay now or pay later proposition.

Lance Miller The article highlights the Higher Learning space, but the same issues exist in the K-12 environment as well.

Criminals are making millions off our students' identities; however, the impact is usually not felt for a number of years. This is because the criminals know that with time the value of each identity will grow as the student's credit rating grows. From what I have seen, the criminals sit on the stolen data for as long as five (5) years before cashing in. A single victim's ID sells for $2.50 to $100, depending on their credit rating.

My question is when will the lawsuits start rolling in?
Katie Weaver-Johnson Great article and thanks for sharing! I agree that it is just a matter of time before we start to see lawsuits regarding stolen personal information in the education sector. We have already seen multiple customer vs. bank suits this year when financial institutions failed to implement appropriate security measures and protect consumer information.

I think one of the key requirements for higher education is to ensure they are providing ongoing awareness training to all appropriate personnel (faculty, staff, third-parties, etc.), as well as their students. Once-a-year general training is not enough as risks, threats and best practices are constantly changing.

I know that several institutions are now incorporating a security awareness session at their freshman orientation, but it is critical to provide ongoing updates as new risks with social networking, passwords, e-mail, online banking, etc. continue to escalate.

Anthony M. Freed Again, it all comes down to the money, and our track record demonstrates Education is a very low priority all around in this nation...
Katie Weaver-Johnson Agreed, but if organizations continue to fail to implement ongoing security programs, policies, procedures, education, training, etc., they will find themselves facing expensive and embarrassing lawsuits, breaches, reputation loss, etc.

By proactively implementing cost-effective and preventative solutions now, they will be saving themselves a lot of money and headaches in the future.
Christine Stagnetto-Sarmiento Anthony, I agree with your article. Some higher education institutions opt for issuing numbers instead of using the Social Security number. I think that organizations such as education, government, hospitals, etc., when they hire people, ask you to write down your Social Security number. Those organizations are more vulnerable than others. In my humble opinion, they do not need to request your "social insecurity" number. Another example is obtaining your Social Security number from a social network (e.g., Twitter, Facebook), when the subscriber adds all their information.
David McCauslin As a 14+ year veteran of K-12 IT, I can tell you that we stopped collecting SSNs about 6 years ago. Our student admin system would generate a 6-digit number for identifying the students within the system. Higher Ed needs to do this as well. But that is only one small step towards protecting data. We (the education system in general) do a dismal job of protecting sensitive data!
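The two comments above describe the same mitigation: stop using the SSN as the student identifier and issue a system-generated surrogate number instead. The following is an added illustration of that design, not code from either commenter's student administration system or from Infosec Island. It assumes three things that the comments do not state: the surrogate ID is drawn at random (so IDs cannot be enumerated by counting up), the student-facing record never holds the SSN at all, and the SSN lives only in a separate, access-restricted store keyed by the surrogate ID, indexed with a keyed hash so a duplicate SSN can be detected without scanning plaintext. The class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ID_DIGITS = 6
ID_SPACE = 10 ** ID_DIGITS


def new_student_id(existing_ids) -> str:
    """Return an unused surrogate student ID with exactly ID_DIGITS digits.

    IDs are random, not sequential, so an attacker who learns one ID cannot
    guess its neighbours. A 6-digit space is small, so uniqueness must be
    checked against the IDs already issued (assumption: `existing_ids`
    supports `len()` and `in`, e.g. a set or a dict keyed by ID).
    """
    if len(existing_ids) >= ID_SPACE // 2:
        # Past half-full, random draws collide too often; widen ID_DIGITS.
        raise RuntimeError("surrogate ID space nearly exhausted")
    while True:
        candidate = f"{secrets.randbelow(ID_SPACE):0{ID_DIGITS}d}"
        if candidate not in existing_ids:
            return candidate


class StudentDirectory:
    """Student-facing records keyed by surrogate ID. No SSN is stored here,
    so a breach of this system exposes names and dates of birth but not the
    credential that identity thieves value most."""

    def __init__(self):
        self.records = {}  # student_id -> record

    def enroll(self, name: str, date_of_birth: str) -> str:
        student_id = new_student_id(self.records)
        self.records[student_id] = {"name": name, "dob": date_of_birth}
        return student_id


class RestrictedIdentityStore:
    """Separate store for SSNs where a process (e.g. financial aid
    reporting) still legally needs them. Keyed by surrogate ID; an HMAC
    index lets callers ask "is this SSN already linked?" without the
    query path touching plaintext SSNs. Assumption: in production the
    SSN column is encrypted at rest and this store sits behind its own
    access control; the dicts here stand in for that."""

    def __init__(self, index_key: bytes):
        self._key = index_key
        self._ssn_by_id = {}   # student_id -> ssn
        self._id_by_tag = {}   # hmac(ssn)  -> student_id

    def _tag(self, ssn: str) -> str:
        normalized = ssn.replace("-", "")  # "123-45-6789" == "123456789"
        return hmac.new(self._key, normalized.encode(), hashlib.sha256).hexdigest()

    def link(self, student_id: str, ssn: str) -> None:
        tag = self._tag(ssn)
        owner = self._id_by_tag.get(tag)
        if owner is not None and owner != student_id:
            # Same SSN presented for a second student: possible fraud or
            # data-entry error; refuse rather than silently re-link.
            raise ValueError("SSN already linked to a different student")
        self._ssn_by_id[student_id] = ssn
        self._id_by_tag[tag] = student_id

    def student_for_ssn(self, ssn: str):
        """Resolve an SSN to its surrogate ID via the keyed index only."""
        return self._id_by_tag.get(self._tag(ssn))


if __name__ == "__main__":
    # Constructed sample data; not real people or SSNs.
    directory = StudentDirectory()
    alice = directory.enroll("Alice Example", "2001-04-12")
    bob = directory.enroll("Bob Example", "2000-11-03")
    vault = RestrictedIdentityStore(index_key=secrets.token_bytes(32))
    vault.link(alice, "123-45-6789")
    print("student record:", alice, directory.records[alice])
    print("lookup by SSN resolves to:", vault.student_for_ssn("123456789"))
```

The point of the split is blast radius: the gradebook, library, and campus portal only ever see the 6-digit surrogate, and the one system that must hold SSNs is small enough to audit and lock down. The keyed index also means a duplicate-SSN check does not require the application to read SSNs back out of storage.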
Christine Stagnetto-Sarmiento Excellent article. This problem is happening in my workplace, and I wrote a robust and restructured security network infrastructure with new security policies.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
