Sanjeev Sah, CISO of UNC-Charlotte, is getting a lesson in the unique security challenges facing universities. Dan Kaplan reports.
It didn't take long for Sanjeev Sah, who was hired last fall as CISO of the University of North Carolina at Charlotte, to feel like a freshman again.
Last February, only four months on the job after serving for more than a decade in the automotive and health care industries, Sah found himself immersed in a breach that would have been considerably less likely to happen in the corporate world, where IT generally is more centralized and controlled.
In May, the 50-year-old university provided the unsavory details of what happened: The Social Security numbers of 350,000 students and faculty were found to be publicly available on the internet due to “system misconfiguration and incorrect access settings.” While school officials said they didn't believe any of the information actually was inappropriately viewed or used to conduct fraud, the breach underscored many of the security impediments that higher-education institutions face.
For Sah, his role at UNC-Charlotte is his first time working in such a distributed IT environment, where schools generally lack mature data handling, incident response and governance programs. But the security stance of many colleges is less established for a reason: The computing paradigm of academia demands openness, autonomy and leniency. It's a challenge Sah knew he would face.
BAD GRADE: BREACHES
Here's a smattering of some recent data-loss incidents that have occurred over the past few months, in what is shaping up to be a monster year for breaches in the academic space.
University of Rhode Island
Records exposed: 1,000 current and former URI faculty members.
What happened? Personal information, which was not intended to be stored on the business college server, was placed there.
“My approach is to understand what is critical for our institutions to be successful and temper the information security program response accordingly,” he says. “You have to allow an open environment to support faculty and students, but at the same time address the security challenges.”
Breaches across higher education have been happening more frequently. From lost laptops and memory sticks to misconfigured or unpatched servers to actual hacks, there has been a steady stream of reported data-loss incidents this year, according to Privacy Rights Clearinghouse, a San Diego-based breach repository.
Already in 2012, through mid-September, colleges and universities have reported 66 breaches impacting 1.26 million records. That easily trumps 2011's total of 63 cases involving 573,000 records. Experts are unsure if the rise is due to increased reporting or an actual jump in cases, or if this trend will in fact continue (earlier years had higher numbers). But one thing is for sure: As data proliferates and endpoints expand, the possibility for exposure will also rise.
“The education sector is vulnerable to data breaches for a number of reasons,” says Beth Givens, director of Privacy Rights Clearinghouse. “First, higher education has many moving parts, in a relatively ‘open’ environment. This means that databases containing personal information are numerous and decentralized, in general. These factors spell increased vulnerability to breaches relative to other sectors of the economy.”
Focus on the data
Sah wouldn't comment directly on the breach at UNC-Charlotte, only saying that the Social Security numbers that were compromised affected less recent students and faculty. But the incident certainly has given a forceful push to many of the initiatives that the 41-year-old already had underway.
He doesn't like to say he's trying to run UNC-Charlotte like a business, but Sah's certainly not shy to admit that he's seeking to bring a number of corporate best practices onto the 1,000-acre campus, which provides education to 25,000 students.
One of his fundamental undertakings is to migrate from a network-centric mindset toward one focused on data. UNC-Charlotte not only stores the typical financial, health care and other personal information that one could expect a college to house, but it also deals in sensitive research data, relating to human subjects and U.S. government agencies, including the Department of Defense.
“By design, we're an urban research university,” he says. “That's our focus besides academics. Research is a very important focus for the institution.”
BAD GRADE: BREACHES
University of Southern California
What happened? A breach in a software system used to process credit cards exposed data related to purchases made at campus dining establishments.
Sah considers efforts around data classification and – depending on whether it's needed – data deletion to be a key part of a proactive incident response program. UNC-Charlotte has turned to technology from Guidance Software to help it inventory its various departments and colleges.
“It's a multistep process,” he explains. “First you have to know where the data is. Then you put a dream team together from every campus business in a room a number of times to help identify data in a manual way and then correlate it. We're asking people: ‘Does this data really belong here? Is it appropriately secured?’ People will do the right thing as long as they're informed about it.”
Rodney Petersen, managing director of Washington, D.C.-based Educause, a nonprofit focused on advancing the use of IT within colleges and universities, says the biggest challenge his group faces is promoting the culture of security to a body of individuals who are used to “openness and freedom.”
“We've been slow to recognize information as an asset,” Petersen says. “We've not come to recognize that there is personally identifiable information (PII) that is not meant to be shared, and not meant to be free.”
In many cases, redundant data lies across systems. “It's very difficult to justify why you need four or five sources of PII across the campus that really could be accessed or protected a single time,” he says. “The best way to minimize these data losses is to identify where they are and find a way to protect them.”
Higher education certainly has unique challenges, but from a threat perspective, many of the same risks that impact other verticals apply to campus networks.
That may mean targeted malware that seeks financial information or government-commissioned research. Or that may mean “hacktivist” attacks attempting to deface a website or knock it offline. For instance, last September, the home page of Harvard University was defaced by activists supportive of the embattled regime in Syria.
Digital criminals also prefer attacking colleges because of the speed by which many of their networks run. Ryan Laus, network manager at Central Michigan University (CMU), a 20,000-student school in Mount Pleasant, had to deal with such a launching-pad incident over the July Fourth holiday in 2011.
The adversaries didn't initially pinpoint CMU, but after scanning routable IP ranges and finding an open service port at the college, they were in business. The crooks used a common brute-force password technique to log in to the machine, and thanks to the system not being patched, were able to run an exploit that granted them root access. Now, with a 10-gigabyte external connection at their disposal, the attackers were able to launch a “pretty massive” DDoS attack against another organization – the attackers' primary target, Laus says.
BAD GRADE: BREACHES
University of Texas MD Anderson Cancer Center
Records exposed: 2,200 patients.
Despite CMU having a centralized patch management program in place, Laus says some remote areas of campus still haven't opted in – a common occurrence in the university environment, where users often put web servers online and simply forget about them.
The college's intrusion prevention system didn't spot the attack, but thankfully a product from Lancope known as StealthWatch, which tracks NetFlow traffic, detected the anomaly.
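The kind of flow-level check that catches a compromised campus host pushing an outbound flood, even when a signature-based IPS sees nothing, as an added example (not code from the article, CMU or Lancope). The flow records, their CSV layout and the campus prefix are constructed assumptions; a real exporter would supply NetFlow v5/v9 or IPFIX records instead.

```python
"""Flag campus hosts whose outbound volume to one external destination
dwarfs the normal per-host baseline, i.e. a DDoS launch pad."""
from collections import defaultdict
from statistics import median

# Constructed sample flows (simplified from what a NetFlow exporter carries):
# src,dst,dport,bytes,packets. 10.20.30.40 plays the unpatched server;
# its last two flows are the outbound flood toward the real target.
SAMPLE_FLOWS = """src,dst,dport,bytes,packets
10.20.30.40,198.51.100.10,443,5200,12
10.20.30.41,198.51.100.11,80,3100,9
10.20.30.40,203.0.113.5,80,1800,6
10.20.30.42,198.51.100.12,443,7400,15
10.20.30.40,192.0.2.99,80,980000000,1200000
10.20.30.40,192.0.2.99,80,990000000,1250000
"""

CAMPUS_PREFIX = "10.20.30."  # assumed campus address space


def parse_flows(text):
    """Parse the constructed CSV into a list of flow dicts."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip header
        src, dst, dport, nbytes, pkts = line.split(",")
        rows.append({"src": src, "dst": dst, "dport": int(dport),
                     "bytes": int(nbytes), "packets": int(pkts)})
    return rows


def outbound_totals(flows):
    """Sum bytes per (campus source, external destination) pair."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"].startswith(CAMPUS_PREFIX) and not f["dst"].startswith(CAMPUS_PREFIX):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return totals


def find_launch_pads(flows, ratio=20.0, min_bytes=100_000_000):
    """Return (src, dst, bytes) for pairs exceeding both an absolute floor
    and `ratio` times the median pair volume; median resists the outlier."""
    totals = outbound_totals(flows)
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted((src, dst, b) for (src, dst), b in totals.items()
                  if b >= min_bytes and b > ratio * baseline)


if __name__ == "__main__":
    for src, dst, b in find_launch_pads(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT outbound flood {src} -> {dst}: {b} bytes")
```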
But arguably the largest risk facing higher education today is the bring-your-own-device phenomenon – and CMU and UNC-Charlotte are no strangers to it. It's a trend with which businesses around the globe are dealing, as the owners of smartphones, tablets and other mobile devices want to use the endpoints outside of their home network.
Not only must colleges greatly bulk up the wireless density of their networks to handle all of the devices wanting to connect, but there's also a real security threat. “Now the world is changing in a drastic way for us,” Sah says. “Students are deciding what the computing environment will be and what it will look like.”
Within enterprises, the main worry over BYOD is that an employee will lose a handheld containing sensitive company information. UNC-Charlotte is less concerned about that and more focused on ensuring that the applications it is creating for students to run on those devices – such as class schedules, grades or maps – are resiliently built.
Even beyond BYOD, educational institutions run the risk of their non-student network being infected because of tolerant policies, says Mark Phillips, principal consultant for Pasadena, Calif.-based Guidance Software. In fact, he and his team investigated one such incident in which a student worker connected an infected laptop to the official university network, which could have allowed access to a trove of PII.
IT freedom comes at a cost
Colleges also face a security challenge that is common across industries but particularly prominent in higher education: budget and buy-in. Laus of CMU is one of the few people responsible for security at the institution, but he carries the network manager title, although he says his boss, the CIO, “does take our recommendations very strongly.”
Still, he knows many of his peers are working in much-less-enviable conditions. “Usually, you can't get the teeth behind a lot of those security policies until you have a security incident,” Laus says. UNC-Charlotte's Sah admits that the major breach earlier this year certainly helped matters, but he had already been instituting a number of initiatives, including a centralized incident response and vulnerability management program.
BAD GRADE: BREACHES
University of South Carolina
Records exposed: 34,000 students, staff and researchers.
What happened? The school's College of Education web server was hacked, presumably by overseas attackers.
But what he says may help college security the most is the establishment of a governance, risk and compliance model, something that is especially critical in a collegial setting, with all of its disparate departments and its perpetual turnover of students.
He also conducts regular meetings with CISOs from the other 17 schools that make up the UNC system. And he sits on Educause's Governance, Risk, and Compliance (GRC) Working Group.
About a dozen years ago, Educause formed the Higher Education Information Security Council, which, among other tasks, shares and promotes security best practices, encourages security staffing and resource commitments, and publishes an information security guide built around the ISO 27002 standard, a blueprint for organizations to assess their risks, design controls and build an all-encompassing program that ensures those controls stay in place over time. Each of the 17 UNC campuses is working to adopt the standard.
Overall, Sah says he's pleased with his first year – and he knows leading security at a college is a practice of give-and-take.
“One of the things that I keep in mind is that different scenarios require different types of approaches,” he says. “When I was in automotive for 10 years, the security needs were different. We were very identity access focused.” And, when he went to an educational products company in Wisconsin, challenges were related to e-commerce and PCI.
“I wanted to learn the differences and apply the model appropriate for higher education,” Sah says. “It takes time for anyone not completely familiar with that environment to get familiar.”
And, hey, nobody ever said sophomores had it easy.