Thursday, 25 July 2013
Locking Up the Ivory Tower
clear

Universities are traditionally open, without all of the information security controls that are implemented in the corporate environment.  Not surprising, given that the term university means community.  It is hard to build community with overly restrictive security controls.

Now, however, the New York Times reports that universities are under increasing attack from cybersecurity threats—“Universities Face a Rising Barrage of Cyberattacks”.  Is this media hype or are more successful attacks being carried out?  My approach is always to start with evidence based risk assessment.  What does the actual data show?  While we don’t have perfect actuarial data for information security, we do have some extremely valuable information. 

For this post, I analyzed breach data from Privacy Rights Clearinghouse, over the years from 2011-2013.  I included all breaches reported at educational institutions, whether secondary schools or university level institutions.  I used the breach types that Privacy Rights uses to classify the breaches.  Here are the results:

Type of Breach Number of Breaches Number of Lost Records % (Number of Records)
Hacking or malware 65 1,601,000 63
Unintended disclosure 53 812,000 32
Portable devices 19 87,400 3
Insider 10 25,245 1
Physical loss 16 3175 0.1
Payment card fraud 1 16 0

So the media reporting seems to be on target;  hacking and/or malware is the top root cause of most breaches.  Unintended disclosure or user error falls in second place.  Losses from portable devices is third.  The devices reported include laptops, flash drives and hard drives.  The insider breaches include existing and former employees or students.  The physical, non-electronic losses comprise lost records or records dropped in dumpsters without shredding.

To defend against these types of breaches, we need to harden the databases that are holding confidential records.  We can no longer rely on the traditional defense in depth approach, using multiple layers, each slowing down the adversary until we catch him.  It is now too easy to drop in a Remote Access Trojan (RAT) into the inner layer of the defensive system.

Hardening of databases is itself difficult, since there are so many ways to attack.  The remediation consists of people, process, technology and monitoring.  The best summary of non-vendor-specific recommendations that I have seen has been developed by Berkeley Security, University of California.  It is worth comparing your data security controls versus this list of controls.

clear
Posted on 07/25/2013 1:13 PM by Frederick Scholl
clear