Welcome


This blog is dedicated to the topics of Course materials, Innovation, and Technology in Education. It is intended as an information source for the college store industry, or anyone interested in how course materials are changing. Suggestions for discussion topics or news stories are welcome.

Showing posts with label network security.

Friday, September 29, 2017

Dark Web Making Itself at Home on Campus

The dark web, a place inhabited by people looking for ways to profit from selling malware, poses a real threat to higher education. The Digital Citizens Alliance recently found nearly 14 million email addresses and passwords for faculty, staff, students, and alumni from U.S. colleges and universities, 79% of them added to the dark web last year.

“Because [higher-education institutions] have large-capacity Internet connection links that served all the students and large-capacity servers that are designed for many users, they are almost always on and attackers never have to worry if a part of their infrastructure will be available for use,” Will Glass, a senior analyst for the cybersecurity firm FireEye, wrote in the Alliance study.

The first line of defense is better passwords. The report noted that too many young people use the same password for multiple services, making it easier for hackers. Colleges and universities are also installing security systems that automatically block users from downloading unapproved applications.

“We are constantly working to make sure that we incorporate layers of security, all working together to help protect the university’s data and assets,” said Timothy Cureton, IT security coordinator at Arkansas State University, Jonesboro. “At the same time, this approach still allows us to have that openness that we’ve always had and want to continue to have.”

Monday, October 3, 2016

Is Ransomware Targeting Education?

Education may or may not be the main target for ransomware schemes, according to different sources. One study from the security-analyst firm BitSight Technologies found that 13% of educational institutions examined by the company had experienced a ransomware attack in the last year, compared to 5.9% of government agencies or 3.5% of health-care providers.

Ransomware blocks access to a system's data until users pay a ransom for its release. U.S. Department of Justice statistics for 2016 indicate there are nearly 4,000 ransomware attacks every day.

“Establishing email security protocols, monitoring key third-party vendors, tracking security ratings, and avoiding file sharing are all ways to mitigate risks associated with ransomware,” Stephen Boyer, co-founder and chief technology officer of BitSight, said in an article for Campus Technology.

Another report from the security firm Datto painted a much different picture for education. The company surveyed 1,100 managed service providers and placed education ninth on its list of ransomware attacks at 12%, far behind professional services (44%) and health care (38%). The study also found that 46% of ransomware attacks came from email phishing, followed by 36% resulting from lack of employee training.

“Malicious emails, coupled with a general lack of employee cybersecurity training, are the leading cause of a successful ransomware attack,” the authors wrote in Datto’s 2016 Global Ransomware Report. “Today’s businesses must provide regular cybersecurity training to ensure all employees are able to spot and avoid a potential phishing scam in their inbox, a leading entrance point for the malware.”

Monday, July 6, 2015

Cybercriminals Target Ed Sector

The 2015 Global Threat Intelligence Report found that the education sector accounted for more than a third of all the reported malware incidents. NTT.Com Security analyzed more than six billion attacks and reported that the bring-your-own-device (BYOD) format instructors are beginning to use could be to blame.

Students and staff use a variety of devices on institutional networks, often providing personal information in the process. Cybercriminals understand that and so focus their attacks on those networks.

“The history of open networks at education institutions has resulted in network architectures where there is usually no strong separation between areas containing sensitive data and untested areas where professors, students, or visitors can connect,” said Chris Camejo, director of assessment services for NTT.Com Security. “This makes it more difficult to prevent, detect, and respond to attack. IT officials must develop a strategy that is custom to the BYOD culture that they have embraced.”

Monday, February 9, 2015

University Servers Could Be Targets

Hackers may be turning their attention to data stored on college and university IT infrastructures. A hacker gained access to data from an unnamed U.S. university early in 2014, according to a warning issued by the Department of Homeland Security (DHS).

The hack initiated a denial-of-service attack against the servers and used about 98% of the school’s bandwidth. The DHS memo warned that government-funded research programs are appealing targets and university networks can offer hackers a way in.

“University networks, which often have multiple levels of connectivity and accessibility to fuel collaboration, may present easier targets for cyber-espionage actors than sensitive government or private-industry networks,” the memo said.

The memo also warned that less sophisticated cybercriminals may look to hack university networks to carry out phishing scams, insert ransomware, or create havoc with student financial information. The university network can also be used as a base for cybercriminal attacks on other IT systems because constant use by students can mask the criminal activity.

Thursday, October 24, 2013

Malware Hits More Higher Ed Networks

Colleges and universities are losing the battle against malware, according to security firm OpenDNS, which reported that networks run by higher education institutions are three times more likely to be infected than government agencies or businesses.

The most common threat is Expiro, software that can replicate itself, steal disk space, and slow computer memory to a halt. The malware can also corrupt data, steal personal information, and erase hard drives.

“Our research shows that while higher education institutions face the same cyber-attacks as enterprises and government agencies, they tend to be compromised by malware and botnets at a much higher rate,” Dan Hubbard, chief technology officer at OpenDNS, told Campus Technology during the Educause 2013 conference. “Clearly, colleges and universities must operate more open networks and support an endless number of access devices, which puts them at higher risk.”

Hubbard suggested that “fundamental security best practices” can reduce infection rates, such as alerting users to spear-phishing, an e-mail fraud that seeks unauthorized access to confidential information. Institutions should also use analytics to block access to malvertising (online advertising that spreads malware) and watering holes (sites infected with malware).

Wednesday, August 14, 2013

Higher Ed Should Beware of Hackers

Colleges and universities across the country may be making it much easier for hackers to steal sensitive information from students and their parents, according to research done by Halock Security Labs.

A survey of 162 institutions found that more than half of colleges and universities transmit sensitive information over unencrypted channels, including financial statements. In addition, one fourth of the schools said they ask that personal information be sent by e-mail.

“When universities utilize unencrypted e-mails as a method for submitting W2s and other sensitive documents, the information and attachments are transmitted as clear text over the Internet,” Terry Kurzynski, partner at Halock Security Labs, told eCampus News. “This format is susceptible to hackers and criminals who can use this private information for identity theft.”

The report said the open culture of higher education and budget issues facing colleges leave IT departments without the funds to protect student information. It said campus administrations may not completely understand the dangers of sending the information over unencrypted channels, but should, since the issue could draw the attention of federal and state government agencies.

“These are foreseeable risks that are extremely treatable,” Kurzynski said. “Breaches resulting from this type of transmission will capture the attention of states’ attorneys general and the Federal Trade Commission.”

Thursday, May 23, 2013

Campus Networks Have Limited Protection

Not surprisingly, some 85% of K-12 and higher education institutions in the U.S. and U.K. permit students and/or instructors to log into institutional networks from their own computing devices, according to a new survey from Bradford Networks reported in an article in Campus Technology.

What may be surprising, the article adds, is that most of these institutions are somewhat lax in their security measures.

The Bradford survey found more than half don’t make their users install antivirus software first and two-thirds don’t have the ability to determine who’s connecting to their network.

While 61% of the responding institutions do limit what certain users can access on their networks, the rest give all of their users unfettered access to all parts of the network. Twenty-seven percent don’t even require users to register before accessing the network.

But campus IT departments are already aware this is a problem. Supporting the bring-your-own-device trend and the related security challenges is the No. 2 issue on the Top Ten IT Issues of 2012 report from Educause. The report notes it can be difficult for schools to balance security and privacy with the need to provide access to information and resources while supporting an ever-widening array of devices and platforms.

Another challenge is that some budget and policy decisions are out of the hands of IT staff, and are not always a priority for those with decision-making power.