University hacking

Universities, schools and other institutions of higher education posses a large amount  of interesting information. These can be credit card numbers, bank account numbers, email addresses, medical and school documentation, records related with the staff, information  on student-employee communication, library documentation, intellectual property registers. At the same time, these systems are devoted to storing and sharing data but are not prepared for cyber attacks.

As a result, IT systems of higher education schools are the favorite aim of the attacks of hackers.
Of course, each attempt can have tragic consequences for a particular institution. Most of all, a hacker wants to break in, not necessarily to steal something and will not pay a high price for his actions. But in case of an institution, damages can amount to millions of zlotys, not to mention a ruined reputation.
Why do hackers break into academic systems?
A SANS study informs us that less than a half of schools has implemented a risk management and incidents counteracting programs. Academic networks are often exposed to Internet attacks as these are mainly open networks with many access points. Additionally, universities are not able to sufficiently counteract phishing or other frauds. Cyber criminals do not waste time and use all possible gaps. What is the most alarming here is that the majority of attacks is not detected. Security violation is a continuous threat but many IT university branches lack resources to continuously monitor the security level and to undertake actions to provide safety and integrality of the databases. In general, hackers can sell such information in the Internet, where financial information are of a small value but all personal data are a hot deal. Additionally, many universities have partnership programs with companies and governmental organisations what makes them open to cyber-spying.
Known world’s examples, especially from USA
For the needs of this article, we browsed data from Educause Center for Analysis and Research. These studies revealed that in the period from 2005 to 2014, there were reported 562 security violations at 324 organisations in USA. This means that these violations occurred more often than once a week. However, due to not reporting or detecting all incidents, the number of them is probably higher. What is best, 77 percent of all reported violations were from USA. In February 2014, there was a violation of the security at the University of Maryland what resulted in a sales of records of over 300 thousand of professors, students and employees. The
Butler University was the aim of a cyber attack in May 2014 and the stolen records amounted to 163 thousand. Student Joseph W. Langford of the Weber University was accused of a violation of an IT security.The real value of the theft is not known.
Main gaps in protection of universities
The reality shows that IT systems of higher education schools are a source of IT incidents and a playground for hackers. Now, we shall discuss main weak sides of academic networks, which increase the chance of their infiltration. First, the practices of generating passwords at schools are very weak. To be frank, this weakness is revealed in the highest amount of attacks, what is caused by bad practices in password generating. Higher education school employees and students are not aware of the risk related with using the same password for all IT services. They often use the same password for websites, social networks or for various email addresses. Very often, they have similar question for password recovery. It may also happen that breaking the password is very difficult for a hacker but the answer to the helping question may show him a track.
Knowledge of most of students and professors is not sufficient in the field of phishing attacks. A real problem in recent years is the phenomenon of strange email messages. Hackers can send You emails to know your name and to collect information from social services that you publish. Additionally, students and employees can become victims of emails with malware and attachments, serving as a tool to infect individual computers or a whole network. A hacker can launch a larger attack, for example DDOS – Distributed Denial of Service.
Another essential risk factor is the risk related with BYOD. Higher education schools are a paradise of various devices. Students bring various equipment which can be connected to the school’s network. Employees behave similarly with their equipment. These devices are a very easy aim of attack for hackers, as they are not protected in the same way as data centers or personal computers. On the black market, software for mass break in to mobile devices costs only 79 dollars. What is more, hackers can draw information using malware and unsafe browsers installed in smartphones.
Another risk to be considered is a poor safety policy. We can all agree that an open access to academic networks is a great thing but this may result in numerous unforeseen consequences. One must remember that installing antivirus software or a firewall does not make networks and system fully safe. Even one stolen hard drive or a flash disk can cause an incident that can cost the school millions of zlotys. What is more, students often connect to unprotected WiFi networks close to their schools.
Acceptable use policy
Especially for higher education schools, we developed a template, including all rules and use of security means which are indispensable for strengthening the security of academic IT systems. Let’s name it AUP – Acceptable Use Policy. Let us notice that in this case, both students as well as employees and professors play an important role, which should be exactly played.
AUP for students
Avoid social life. Social media are very good for interaction with friends and family but you should not be engaged in them too much. Check your settings at social media and configure them in the way that you set people who can observe your photos, movies and public information.
Set the limit of activities you undertake when using open WiFi network. A free Internet access is a great thing but even when an academic network is password protected, you still can be in the same net as the hackers. So, you should limit an access to bank systems and other neuralgic points and if you need to use them, use VPN systems.
Browse your emails. Your academic emails are the center of your academic life. Unfortunately, they are also a good aim for hackers. You may receive messages with harmful links or attachments, directing you to sites controlled by hackers. Each email should be read attentively in order to avoid direct logging in to websites of hackers.
Protect your passwords. Speaking about the password protection, we mean creating strong, unique passwords, known only and solely to You. You must learn how to use password managers. Select your favorite password manager and install it in all your mobile devices. Definitely learn how to block your device.Do you know how to protect your device? Both digitally and physically? While more and more schools are focusing on the digital protection, they are not able to educate their students as far as the importance of physical protection is concerned. Most of devices, including laptops and and tablets, are designed for physical protection. This makes you devices less attractive for thieves.
AUP for employees and professors
Of course, professors and employees of universities should also follow all above mentioned recommendations as they are also vulnerable to this kid of threats. But they can do significantly more than students. Below, you can find the list of commandments to follow.
Create backups. A very good practice is to create backups of all data stored in the academic network. Despite the fact that most of attacks are aimed at stealing data or information, you should be aware that it is necessary to restore deleted data immediately. Backups can be created by saving information in clouds, a hard disk and other media such as flash disks or DVDs.
Update your software. Worms, malware, trojans and viruses are also often means of cyber crooks, aimed at grabbing your information. Make sure that your systems are protected by self-updating software. Updates, usually, include all essential improvement and patches which increase the safety of IT system, thus it is important that they are updated automatically.
Learn to delete data safely. When moving computers from one place to another or relaying the hardware to another organisations, you must be sure that all neuralgic data are really deleted. Please note that deleting files does not mean deleting data. The staff and professors can, usually, use good free software for data deletion.
Create a tool for devices registration. Websites of most of universities allow employees, professors and students to register their own devices. These devices are next registered by an external security company. One advantage of the registration is that when your equipment is stolen or lost, an external security team is able to find a thief when he connects to the network again. It is obvious that students should be acquainted with the benefits of the registration of devices. Plan the policy of mitigating security incidents. Although we know how to prevent from cyber attacks, bad things happen anyway. The best thing to do is to speak with an external security company which is able to detect threats. The scope of responsibility of such company should also include the obligation of security policy protection.
Conclusions
As you see, the aim of cyber attacks is changing. In the past, this was money, while personal data at present. Higher education schools are a great source of personal data so we should implement as template of security rules, which is acceptable for everyone and is aimed at protection of the property of the school and students

Przeczytaj ten artykuł w wersji polskiej: http://www.businessmantoday.org/uczelniany-hacking/