Every educational institution should be aware that cyber criminals make money by stealing personal information and selling it on the black market to other criminals, who then turn the data into cash through a range of fraudulent schemes. Why do school administrators and educators need to know this? Because schools of all kinds – from primary through secondary and higher education – now have databases full of personal information about faculty, staff, and students. To cyber criminals, who are not fussy about whose data they steal, these repositories of personal data make an appealing target.
This article presents ten critical security measures schools should be taking in order to defend against this type of cyber crime. But first, a quick refresher on the scope of this problem.
Clearly, school networks are under attack. Furthermore, the public has become a lot more sensitive to data privacy issues since the breach that hit Target last year. That event put computer crime on the front page of every newspaper, which means you can no longer act surprised if the bad guys come after the data in your systems. Everyone now knows there is a thriving underground market for stolen credentials, from credit and debit cards to Social Security Numbers, to VPN access. So here are ten defensive measures you need to know:
Do not expect one security product alone to protect you against every possible threat to your systems and data. Of course you want to make sure you have an anti-malware suite on all parts of your network (don’t forget smartphones, Android tablets, Linux servers, and Mac computers along with your Windows machines). But you should also have a firewall at the gateway to your school’s network and on all your individual machines – those you own, those owned by grants, and those owned by your students, faculty, and staff. Any important data, such as grades, finances, or personal information, should be encrypted in storage (on both servers and workstations) and any time data leaves your machines, like via email or on devices like smartphones or USB sticks.
The principle of least privilege simply means that no person, machine, or system should have access to things they don’t strictly need. For instance: student financial data should be in a different part of the network, and completely cut off from people who don’t need to access it. And very few people, if any, should have administrator-level access rights on their own machines (some people are shocked at this suggestion, but that’s one way we manage our machines here at ESET – and if they must have admin rights, they shouldn’t be using that account except when they need to do admin tasks). Any time you can restrict access without disrupting people’s ability to do their jobs, you should. Remember: the compromise of Target’s point of sale terminals was executed via a supplier who had been granted access to some of the retail giant’s computers.
Applying updates and patches for all software is one of the most important things you can do to minimize the vulnerabilities criminals can use to silently get into your machines. When managing complex systems there may be a case for testing updates before rolling them out, but keep delays due to this process to a minimum. The bad guys are constantly probing for unpatched vulnerabilities. And don’t forget that it’s not just your operating systems and applications you need to keep patched; there are the helper apps that your browsers run, from Java to Flash to Acrobat and beyond.
Indeed, the risks of not patching as quickly as possible probably far outweigh the benefits of testing. If an immediate system-wide rollout is not practical, at the very least initiate a rollout of patches immediately on a small set of representative machines, then expand to greater subsets as soon as practical until all machines under your control are patched. [Getting the machines you do not control patched is a wholly different problem; consider blocking logons to your networks (with appropriate notices beforehand and when actual blockage occurs) to any machines that have not been patched, at least for critical vulnerabilities.]
If you’re protecting lots of personally identifiable data, a password alone may not be enough. Consider implementing two-factor authentication or 2FA. This can be a biometric, like a fingerprint, or a one-time passcode that is provided to users via a small digital key card or fob. A more recent development is the use of smartphones to deliver one-time passcodes to users, and these systems can be relatively inexpensive yet highly secure. Students who use social networks like Facebook and Twitter should already be familiar with the notion of 2FA, as those services use it to prevent unauthorized access.
Despite one-time passcodes and other authentication developments like biometrics, passwords are likely to be with us for a while, so make sure everyone knows how to make them hacker-resistant. A good password is unique, strong, memorable to the user, but hard for others to guess. That means it should be long, maybe even a phrase rather than a word or two. It should contain lower- and upper-case letters, numbers and special characters. (Here’s a very popular article on password selection, with links to plenty of password-related information, from my colleague, David Harley). Most important: each site or service that requires a password should have a different password. If users have a hard time remembering a bunch of passwords, consider implementing a single sign-on system or a password manager app that can help students and staff create strong passwords and then keep track of those passwords across all their different devices.
Schools, colleges, and universities are often friendly places where people work together closely, so it may seem natural for folks to share usernames and passwords with colleagues or leave their machines open and logged onto the network in their own names. Unfortunately this behavior can completely undermine one of the best weapons we have for securing systems: log analysis. If the events recorded in the logs cannot be reliably attributed to the person who executed them, it is going to be very hard to find out what really happened when something goes wrong. Just as you should run a password cracker on the network logins from time to time to make sure nobody is using things like “qwerty” or “87654321”, you should spot-check to make sure that when “jondoe” logs into fileserver3, it really is Jon!
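One way to automate part of that spot-check is to look for a single account with overlapping sessions from different workstations, a common sign of a shared password. This is an added example, not part of the original article; the record layout, host names and the accounts other than "jondoe" are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample session records: (account, source workstation, logon, logoff).
# The field layout is an assumption; adapt it to your own log export.
SAMPLE_SESSIONS = [
    ("jondoe", "lab-pc-07", "2014-09-02 08:55", "2014-09-02 12:10"),
    ("jondoe", "office-pc-3", "2014-09-02 10:30", "2014-09-02 11:00"),
    ("asmith", "office-pc-1", "2014-09-02 09:00", "2014-09-02 17:00"),
    ("asmith", "office-pc-1", "2014-09-02 13:00", "2014-09-02 13:20"),
    ("mlee", "lib-pc-02", "2014-09-02 09:00", "2014-09-02 10:00"),
    ("mlee", "lab-pc-11", "2014-09-02 10:05", "2014-09-02 11:00"),
]

FMT = "%Y-%m-%d %H:%M"


def find_concurrent_use(sessions):
    """Return {account: [(host_a, host_b), ...]} for sessions of one account
    that overlap in time but come from different workstations."""
    by_account = defaultdict(list)
    for account, host, start, end in sessions:
        by_account[account].append(
            (datetime.strptime(start, FMT), datetime.strptime(end, FMT), host))

    findings = {}
    for account, items in by_account.items():
        items.sort()  # order by logon time
        pairs = []
        for i, (s1, e1, h1) in enumerate(items):
            for s2, e2, h2 in items[i + 1:]:
                if s2 >= e1:
                    break  # sorted by start: no later session overlaps this one
                if h1 != h2:
                    pairs.append((h1, h2))
        if pairs:
            findings[account] = pairs
    return findings


if __name__ == "__main__":
    for account, pairs in find_concurrent_use(SAMPLE_SESSIONS).items():
        print(account, "used concurrently from", pairs)
```

A hit is a prompt to ask the account owner, not proof of sharing: one person can legitimately be logged on at two machines.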
We covered this a little in the “layered defenses” tip, but it very much bears repeating. When we have something that is valuable, we lock it up when it’s not in use. It’s the same with data; if you have valuable data, they should be encrypted whenever not directly in use. That means “When in storage, encrypt!”. When accessed or sent over the network, data should be sent through an encrypted connection. This minimizes criminals’ ability to get any useful data, even if they do manage to breach your other defenses.
Backups of your data and systems are the last, best line of defense against destructive criminal hackers. In the case of threats like data ransoming they may be the only way to beat the bad guys. You might consider backing up to the cloud, but do this as a complement to, not replacement for, local backups that are both tested and stored securely.
We won’t belabor this point because, as an educational institution, you should be aware that providing security training and awareness for employees and students is a must, and that it actually can be very successful as a protection mechanism. You can’t expect people to abide by security procedures unless you explain how they work and why they are needed.
When employees leave and students move on, be sure to adjust their credentials accordingly. In many cases this will mean terminating their access to school systems. The use of “lingering” credentials that should have been revoked is one of the most common forms of “insider” abuse of systems. And if faculty, staff or students depart abruptly and not on good terms, terminating all of their access – immediately – is a must. In addition, a review of authorized user accounts should be done at least once a year to weed out access that is no longer appropriate.
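The periodic account review described above can be partly scripted by comparing the directory's enabled accounts against the current roster of staff and students. This is an added example, not part of the original article; the field names, sample accounts and the 365-day idle threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed sample directory export. Field names are assumptions.
ACCOUNTS = [
    {"user": "jondoe", "enabled": True, "last_logon": date(2014, 9, 1)},
    {"user": "oldprof", "enabled": True, "last_logon": date(2014, 8, 20)},
    {"user": "grad2012", "enabled": True, "last_logon": date(2012, 6, 15)},
    {"user": "tempstaff", "enabled": False, "last_logon": date(2013, 1, 10)},
    {"user": "svc-backup", "enabled": True, "last_logon": None},
]

# Constructed roster of people currently employed or enrolled
# (in practice, supplied by HR and the registrar).
ROSTER = {"jondoe", "grad2012"}


def review_accounts(accounts, roster, today, max_idle_days=365):
    """Return [(user, [reasons])] for enabled accounts that need a human decision."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, nothing lingering
        reasons = []
        if acct["user"] not in roster:
            reasons.append("not on current roster")
        last = acct["last_logon"]
        if last is None:
            reasons.append("never logged on")
        elif (today - last).days > max_idle_days:
            reasons.append("idle > %d days" % max_idle_days)
        if reasons:
            findings.append((acct["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in review_accounts(ACCOUNTS, ROSTER, date(2014, 9, 15)):
        print("%-12s %s" % (user, "; ".join(reasons)))
```

Note that "oldprof" is flagged even though the account was used recently: an active logon on an account whose owner has left is exactly the lingering credential to investigate first.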
Of course, there is more that schools can do to defend their systems, but these 10 measures will serve you well and, when used together, can defeat many attackers. While there are a lot of criminals out there who see the personally identifiable data stored in government and education systems as easy pickings, with these measures in place you can make your data and systems much less attractive targets. For more information about solutions that can help ramp up your institution’s security, as well as some educational case studies, click here.
Author Bruce Burrell, We Live Security