This month we turn our attention to a very substantial risk for all of higher education: cybersecurity. October marks the start of National Cybersecurity Awareness Month, so we want to use this month's Case-in-Point to discuss practical ways that you can better manage these important risks. I've asked Robert Gottesman, Information Systems Auditor, to provide us with guidance on these issues.
* * * *
According to the online database located at privacyrights.org, 297 breaches were publicly reported during the 2014 calendar year, resulting in the exposure of 67,924,685 records containing personally identifiable information. The media dubbed the year 2014 "The Year of the Data Breach." Perhaps we should reconsider applying the moniker to 2015, since already this year there have been over 132,000,000 records containing personally identifiable information exposed. The largest data loss on record, so far this year, falls to the U.S. Office of Personnel Management (OPM). In two separate breaches, the personally identifiable information of over 21.5 million federal employees and contractors was exposed in what is being attributed to nation-state hackers. Weaknesses in OPM's network security and neglected basic security guidelines played a part in these breaches.
As end-users we alone cannot prevent our institutions from experiencing a breach, but we must each be vigilant to prevent a breach resulting from our own bad habits. For example, one common cause of data loss is lost or stolen devices. Each of us has a role to play in preventing the loss of University data by ensuring that portable devices (laptops, flash drives, smartphones) are properly secured. Take inventory of devices you utilize to ensure they are password protected, encrypted and do not contain sensitive data. If necessary, contact your IT professional for help.
Similarly, we each have a responsibility to protect our authentication information. Make sure your passwords are strong and avoid password reuse. In July of this year, a commercial adult website was breached and over 30 million accounts were exposed. Like many websites, to access the site you log in using an email address and password. Hackers were able to decrypt 11 million of the exposed encrypted passwords in short order using a brute-force dictionary attack. Many of the email accounts used as the user name for this site were users' work email addresses. If the passwords were also their work passwords, this represents a huge risk to their employers. Think about all the websites you visit that require you to create a user name and password. If you use your University credentials, you put the University at risk should any one of these third-party websites be compromised. Consider using a password vault on your (password-protected, encrypted) smartphone that stores passwords locally, and create different credentials for each site you visit. (The October 2015 monthly Security Awareness Newsletter from SANS covers more information about password vaults.) Wherever a website offers two-factor authentication, take advantage of it to further protect your account from unauthorized access. This is becoming more popular, and many banks and social media sites now offer this option.
Finally, continue to be suspicious of unsolicited emails, especially those which ask you to verify your login credentials or ask for any personal information.
* * * *
While cybersecurity issues are very important, the risks we face within higher education are vast and diverse. We again encourage you to review the issues we've observed over the prior month across our industry and think about whether you have any similar issues that may need proactive attention and management. As always, we encourage your comments and feedback.
Last Updated: September 30, 2015