White Paper: IT Security in Higher Education

Description

According to analysts, the higher education sector is the most breached of any industry. This white paper outlines key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.

Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com

Introduction: The Growing Need for Improved IT Security on Campuses

IT security is a hot topic these days, especially at colleges and universities. An April 2008 Symantec Global Internet report noted that the education sector experienced more IT security breaches than any other industry.[1] What’s more, the number of higher education breaches and institutions affected continues to rise, as schools are under greater pressure to collect more and more student data. Between 2006 and 2008, the number of incidents reported by schools grew by 101 percent, and during that same period, the number of institutions affected rose by 173 percent.[2] As recently as February 2009, the University of Florida reported an exposure of 97,200 student records, all of which contained names and Social Security Numbers.

Statistics like these in the education sector – as well as the increasing number of breaches in other industries – have garnered a great deal of publicity and have generated cause for alarm. There has been tremendous growth in the field of IT security training, as organizations of all sizes struggle to find professionals to help them address the challenge. There are myriad books on IT security on the market, and the list grows monthly; many colleges, universities, and technical schools now offer a degree or certification in IT security.

A December 2008 Gartner Group Survey found that “the role of the chief information security officer (CISO) is no longer rare, but many institutions have yet to formalize the role and the title. Policies and support for educating the community are also still evolving. Work still needs to be done, if security is to be viewed not as an IT problem, but as an institutional problem that needs addressing.”[3]

The Gartner survey’s key findings include the following:

• “The need for a security officer is now recognized and supported by more than 60 percent of institutions.

• “The risk of losing important data is still a more important business driver for security compared to financial risks.

• “Calculating the cost of security breaches and attacks is rare. More than 75 percent of institutions have not even calculated the cost of mobile PC thefts, which should be less difficult to calculate.”[4]

Campus Technology

The technology environment in higher education is complicated by many factors. First, there are often ambiguous campus perimeters. Many schools have a transient student population, and, even when this is not the case, computer equipment is often moved during the school year between campus and home. This situation is further complicated by the fact that a distributed computing environment is common at large schools, making it hard for a central IT group to keep track of what’s out there. Furthermore, many schools offer distance learning options, meaning that some student computers may never actually be on campus.

Second, there is a tremendous amount of sensitive electronic data on most campuses. Determining the location of that data, who controls it, and how best to protect it is a daunting task, even at a small school. At large universities, there may be a central IT group – or even a central IT security group – but the daily management of many systems and/or handling of data is usually the responsibility of the individual colleges or departments.

[1] Security Threat Report, Symantec Global Internet, April 2008.

[2] Educational Security Incidents (ESI) Year in Review – 2008, released February 2009.

[3] Gartner 2008 Higher Education Security Survey: Governance, Policy and Cost. Michael Zastrocky, Jan-Martin Lowendahl, and Marti Harris. 22 December 2008.

[4] Ibid.

Third is the issue of shadow systems. The university’s core systems, containing Enterprise Resource Planning (ERP), CC information, medical records, or other important student data, may be well protected; but there are frequently local copies of sensitive data that are not under that same protective umbrella. Even small schools have multiple departments, and some of these – Housing or Campus Dining, for example – need systems containing important student information in order to function. When these various shadow systems are connected to the Internet, or where the shadow systems are accessible from across the campus networks, the problem is compounded. This proliferation of systems in a highly distributed information environment makes it very difficult for colleges and universities to keep track of everyone who has copies of sensitive data such as students’ Social Security Numbers.

Academic freedom is a fourth concern. Open networks – indeed, the Internet itself – have their roots in academe. Networks have long been viewed as teaching tools, and the notion of imposing any restrictions on them has been treated as off-limits. IT security measures that would exist as a matter of course in a business environment have, until recently, been frowned upon in academic settings in the name of academic freedom.

Finally, there is always the issue of funding. Because of financial constraints – now more than ever – schools are often forced to depend on a limited staff of professional IT support personnel. In fact, some campus IT departments are staffed primarily by computer science majors or other students with an interest in technology.

Government Compliance Issues

Unfortunately, this challenging campus IT environment exists at the same time that increasingly stringent government regulations continue to raise the bar for data protection and to impose harsh penalties on those who fail to protect sensitive data. At colleges and universities, IT managers must comply with many such regulations.

• Banking. Universities and colleges lend and collect large amounts of money, as they grant loans and disburse funds. This means that they fall under the Gramm-Leach-Bliley Act (GLBA) and must protect the privacy of their student customers.

• Health care. Almost all institutions of higher education with students living on campus have a health center and therefore must protect patient data under the Health Insurance Portability and Accountability Act (HIPAA).

• Retail sales. Parents and students use credit cards to pay for everything from books to tuition, meaning that colleges and universities – like all other retailers – must comply with the Payment Card Industry (PCI) Data Security Standard (DSS).

• Student grades. The Family Educational Rights and Privacy Act (FERPA) controls who can access student grades. If grades are being distributed or stored electronically, they must be secured.

In addition to these federal requirements, colleges and universities in most states must comply with state privacy laws such as California SB 1386, a piece of landmark legislation that became operative in July of 2003. Laws like this require that any agency, person, or business that owns or licenses computerized “personal information” must disclose any breach of security to those whose unencrypted data is believed to have been disclosed.

In his article, “Back to School: Compliance in Higher Education,” Ken Bocek notes, “While most institutions are in compliance with GLB, PCI, HIPAA, FERPA, and other regulations, the number of institutions involved in data breaches does not seem to be on the decline. It’s this point that makes higher education a lesson for all organizations.”[5]

[5] “Back to School: Compliance in Higher Education,” SC Magazine. Ken Bocek. September 19, 2007.

Addressing IT Security on Campus

Thanks to their growing awareness of the importance of IT security, schools are addressing the issue in a variety of ways. The most obvious solution – creation of a full-time central IT security group on campus – has been put in place at many schools, especially large universities. Even smaller schools have recognized the need for someone whose full-time job is IT security, and higher education employment Websites frequently advertise IT security positions at community colleges and comprehensive universities. The recognition that security is not something a network engineer can do as a side job is viewed by education professionals as a positive trend as they accept the challenge of safeguarding sensitive data, complying with government regulations, and generally protecting the systems and information within the campus computing environment.

A central IT security group is typically managed by an IT security officer, a high-level position with broad authority and recognition throughout the school. Because of budget pressures, many schools’ IT groups have not grown larger in the past few years, but schools have reprioritized resources to address their security concerns. For example, a school may designate what was formerly a network engineering position as a full-time security position, and retrain that individual accordingly.

There has also been a trend toward greater cooperation among departments regarding security. Various campus offices – Human Resources, Controller, Registrar, Financial Aid – frequently collaborate to develop innovative ways to share resources and protect their user communities.

Another important trend has been increased educational opportunities for the extended university community – students, faculty, and administration – about the importance of IT security. Blogs, YouTube, and the ubiquitous laptop and cell phone are all effective means of communication, along with campus newsletters, email, and face-to-face discussions. By communicating through these various media, campus IT security professionals have helped their communities to understand that IT security is a shared responsibility and that every campus computer user faces risks if there is a security lapse.

Many campuses have adopted the practice of conducting departmental or area IT security reviews to help their constituents recognize their vulnerabilities; identify potential problems with hardware, applications, and/or databases; and offer alternatives. Some schools have even developed and distributed an IT disaster recovery plan.

It has also become common for schools to conduct compliance-related reviews to teach people how to handle FERPA, PCI, HIPAA, and/or GLB data, and to underscore the benefit of adopting industry practices such as ISO 27001, CoBIT, and NIST. Furthermore, every college or university today acknowledges the need to maintain a reliable Web presence, and most of their websites now include at least one page dedicated to IT security.

The bottom line is that IT security operations and practices have become increasingly formalized, and schools have a far greater awareness of compliance requirements. Colleges now understand that PCI applies everywhere.

IT Security Resources in Higher Education

As IT security has gained exposure on college and university campuses, a growing number of resources have become available to address the issue. The Virginia Alliance for Secure Computing and Networking (VA SCAN) was established to strengthen IT security programs throughout the Commonwealth of Virginia. As their website points out, “This Alliance brings together Virginia higher education security practitioners who developed and maintain security programs widely emulated by other institutions, and researchers responsible for creating cybersecurity instruction and research programs nationally recognized for excellence.”[6]

[6] Website – Virginia Alliance for Secure Computing and Networking (VA SCAN), www.vascan.org

The University of Wisconsin’s flagship campus in Madison now routinely conducts risk assessment of its IT systems with all departmental CIOs in the University system. In Texas, the state legislature has enacted new laws that impact all public universities and their approach to IT security.

Perhaps the best known American higher education technology resource is EDUCAUSE, which was founded in the late 1990s “to advance higher education by promoting the intelligent use of information technology.”[7] Open to all public and private colleges and universities, EDUCAUSE fosters information sharing by providing schools with opportunities to participate in policy-sharing forums or to post presentations and other materials that they have developed. EDUCAUSE also sponsors an annual security event for those in security officer or security analyst roles so they can come together and focus on communication, collaboration, and information sharing.

The Role of Rapid7 Nexpose

Rapid7 Nexpose is a vulnerability assessment product that has become a boon to IT security professionals at nearly 100 institutions of higher learning, including Carnegie Mellon University, Florida State University, George Washington University, Norwich University, University of Mary Washington, Virginia Tech University and Weill Medical College. In fact, one IT security officer has described Rapid7 Nexpose as a “force multiplier” that saves valuable time and resources.

Nexpose provides broad platform coverage from one integrated product that assesses the security risk for a wide array of systems, software and devices in your IT environment, including:

• Network and Operating System Vulnerability Assessment – The first step in securing your IT environment is to ensure that all systems and network devices have been properly audited and exposures eliminated. Rapid7 Nexpose enables organizations to audit their networks, track discovered vulnerabilities through resolution, and ensure policy compliance.

• Web Application Vulnerability Assessment – Because they exist as a conduit between external users and a company’s internal databases, Web applications can be one of the biggest security risks. Rapid7 Nexpose scans the Web application server and all Web applications for serious threats to your environment, such as SQL injection and cross-site scripting.

• Database Vulnerability Assessment – Rapid7 Nexpose provides comprehensive database scanning for Oracle, Microsoft SQL Server, Sybase, PostgreSQL, MySQL, IBM DB2 and IBM DB/400 to identify vulnerabilities that affect databases, such as default accounts; default permissions on database objects like tables, views, and stored procedures; buffer overflows; and denial of service.

• Compliance Scanning – The growing number of government and industry-specific regulations designed to protect corporate information requires organizations to put policies in place to regularly audit the environment and produce reports that validate compliance. Rapid7 Nexpose generates SOX, HIPAA, PCI, FISMA and GLBA reports that document and demonstrate compliance to auditors.

[7] Website – EDUCAUSE, www.educause.edu

About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.