I attended the Association of Governing Boards of Colleges and Universities annual conference this April, and I had the chance to talk to board members about cybersecurity. We started the conversation with what is at risk regarding institutional data. This includes student data protected under FERPA, intellectual property of faculty, credit cards, fundraising information, and hospital data protected under HIPAA. These data sets are bursting at the seams of the university and are used everywhere and all the time. Criminals know this, and they can monetize the personal information. Depending on its nature, a record could be sold for $10 to hundreds of dollars. This creates an unprecedented demand on cybersecurity. Cybersecurity protects against the criminal or unauthorized use of electronic data.
The amount of security you apply to data, and the cost of that security, is related to the classification of the data. For FOIA data that is freely posted on the web, there is little need to provide additional protections. The next level of security is for data used in the course of business that could have an adverse effect on the university if exposed, for example, university ID numbers, dates of birth, and student application data. As the sensitivity increases, the consequences of a data breach become more severe. In the more sensitive category are academic records, human subject data, and source code and installation documentation for critical systems. At the highest level of sensitivity are SSNs, credit card numbers, donor records, and protected health information. These are the data sets that produce fines and the greatest potential for reputational damage when lost.
At our university, we have a firewall set up to protect our datacenters. Since the datacenters store data ranging from public to highly sensitive, our business practice is to apply the most stringent rules possible on the firewall. That is, block everything, and then open only what we need to do our jobs. Throughout the world-wide web, there are infected computers and automated network scans that are constantly looking for vulnerabilities. These services repeatedly send network traffic from the criminal’s computer looking for a path into our datacenter. They are looking for open pathways and unpatched systems that would allow them to quickly and easily take over our computers. When our firewalls see this activity, they deny the connection. This goes on all day, every day, and it results in about 10M attempts per day. If 10M pennies were stacked on top of each other, the stack would be almost 30 times the height of the Willis Tower in Chicago.
There are data breaches in corporations and throughout higher education. Whether it is a big company or a hospital, data is constantly stolen. In general, corporate breaches are an order of magnitude greater than universities’. The result is the same, though. There must be a formal notification of the breach, the press writes a story on the breach, the organization figures out what went wrong, and then millions of dollars are spent on a combination of fines, new technology, and compensation for those who lost their data.
About three years ago, when President Putin signed a decree declaring the Crimea region of Ukraine to be an independent state, the Voice of Russia accused the University of Illinois at Urbana-Champaign of hacking Russian computers. They claimed that computers from central Illinois, including those from the National Center for Supercomputing Applications, were engaged in a denial-of-service attack. This caused media outlets to write stories and the university’s IT professionals to investigate. Assumptions were made, and people created new stories about the NSA being part of the Urbana-Champaign campus. As it turns out, it was all false. The university never hacked Russian computers. The point is that you will spend time defending your reputation and following up, regardless of whether the accusation is true. Fortunately, that story has faded away, but the irony of today’s news reports on the Russians hacking U.S. computers isn’t lost on me.
While most illegal access to computers is perpetrated through the network, physical security of servers and data is also important. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, requires that physical, network, and process security measures be in place to safeguard protected health information (PHI). The physical safeguards for datacenters are set by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and you must provide the minimum amount of access needed to perform a given task, including access to the data and to the physical space. Some of the requirements are that only authorized personnel are allowed in the space, that some servers have separate locked enclosures, that some locations have biometric and card entry, and that there is 24x7 monitoring and a check-in log.
We’ve reviewed some of the risks to your data, the compliance associated with data, and how criminals might get to your data from the outside world. To specifically address these issues, here is a summary of the actions that should be in place in order to be as safe as possible.
• Make sure that you have policies in place that address security for public to highly sensitive data. This would include the storage and use of data and procedures when there is a breach.
• Train your employees on the policies. We use a product from the SANS Institute called Securing the Human, and we train in short segments to minimize the burden and repetition.
• Detection means that you know that something has happened or that it is happening right now. Make sure that you have automated network and server scanning and that the output from the scan results in action. Sometimes the tools generate a tremendous amount of data; however, if no one looks at or uses the data, then it has little value to stop an event.
• If there is an incident, you need to know how public affairs, the IT professionals, law enforcement, the president’s office, and other administrators will respond to the event. This is an area where a simulation or a tabletop exercise would be beneficial.
Even though addressing these aspects of cybersecurity is a significant amount of work, you need to do it to maximize the opportunity for your employees to use your data to do their jobs and minimize the ability of criminals to get to your data. Most universities want to free their data so it can be used in teaching, research, and conducting university business. With a good plan, you can strike the right balance of policies, automated tools, up-to-date computers, and a minimum of places where your data is stored.
In the second part of this article, we will review how your data can be compromised from the inside out, that is, how your employees can inadvertently cause a data breach and what can be done to prevent it.