New regulations should reduce number of costly attacks
Higher education institutions are major targets for hackers. Their databases contain a perfect trifecta of personal information, financial and health data for what’s considered high-value targets on the black market. Last year, a hacker known as Rasputin breached over 60 universities and government agencies and the tally continued to grow into 2017, becoming one of the largest higher education breaches in history. This sole cybercriminal made news, but hacks are really just the tip of a very large iceberg of breaches that are primarily caused by negligence.
In 2016, the U.S. Department of Education said they would require colleges and universities to comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of “controlled unclassified information.” The first compliance deadline schools must meet is December 31, 2017.
Colleges and universities have a wide array of vulnerabilities, but in the interest of brevity and relevance, we’re going to focus on a few recent cloud email and storage related events in higher education that will be addressed by several of the 800-171 requirements.
Oregon Health & Science University
After Oregon Health & Science University (OHSU) suffered its fourth major breach in 2012, two employees were placed on administrative leave for the “unlawful release” of 22,00 pages of records from the university president’s office. These records included confidential information on faculty, staff, and students. The data was stored in Google’s Gmail and Drive applications by resident physicians and discovered by another faculty member in 2013. In addition to the 1,361 individuals facing significant harm due to their diagnoses being leaked, credit card data, payment information, procedures, photos, driver’s license numbers and Social Security numbers were included in the breach for thousands of others.
The OHSU breach is about as bad as they come since it included both HIPAA and FERPA violations. To prevent future breaches, the university agreed to a four-point strategy:
- Identify and isolate sensitive and/or regulated data
- Encrypt the data
- Monitor and restrict access to the data
- Educate campus community on best practices
The remediation process, fines, and strategy cost the university $2.7 million. This entire event could have easily been prevented with a cloud security solution that monitored files for sensitive data. However, given that this situation was handled beginning in 2013, OHSU was able to get ahead of about 99% of their fellow universities that have been dealt one blow after another in more recent years.
University of Oklahoma
This year, the University of Oklahoma (OU) experienced a similar data leak to OHSU. OU uses Microsoft Office Delver, an internal intelligent search engine. In just 30 of the hundreds of documents made publicly discoverable on Delve, there were more than 29,000 instances in which students’ private information were made available to users within OU’s email system. With a simple Delve search, student journalists discovered four spreadsheets that included students financial information along with the amounts of money they received in scholarships, grants, loans or waivers from 2012 through 2016! But wait, there’s more:
Another series of spreadsheets listed students who had received a grade of incomplete during the six semesters starting Fall 2014 through Fall 2016. One document listed the names and social security numbers of 30 students, including the names of athletes now playing professionally. It’s not clear why the document existed or how these students were related.
Two other documents listed the visa statuses of more than 500 international students. Several documents included information about current OU athletes’ scholarships and their eligibility statuses, including one that listed which students were barred from practice this past summer due to failed drug tests, recruiting violations, or academic misconduct.
These files were easily discovered by the student journalists who reported it, so the impact and breadth of the leak are still unknown and the investigation is ongoing.
Washington State University and the University of Ottawa
At this point, you might be dismissing these examples, since all these breaches took place in the cloud. But this year there have also been several instances of physical theft. A Washington State University (WSU) researcher noticed that an 85-pound safe that contained a hard drive was missing from a WSU storage unit. The drive contained names of about a million people, and the social security numbers and health history of some of them.
Think this is just a one-off? The University of Ottawa also found itself the subject of an investigation after the information of some 900 students was exposed when an external hard drive went missing. The data included people with disabilities and mental health issues.
In both cases, the hard drives are assumed to be unencrypted and investigations are ongoing.
What comes next?
A new set of federal regulations is set to tighten the cybersecurity practices of colleges and universities. There are six major steps higher education leaders can take to develop a program that fulfills new contractual obligations required for continuing federal grants, research contracts and other transactions in which institutions receive data from the federal government, which is most of them, according to Deloitte and EDUCAUSE:
- Form a working group with representatives from each of the institution’s three main business units: academics, administration, and research. The working group should have top-down support and the sustained engagement of leadership.
- Analyze the impact and scope by determining the applicable contracts and identifying data that must be controlled.
- Assess the current state of security and understand where CUI data resides (in on-premise campus systems and in cloud systems) and how it’s processed from the point of receiving through the lifecycle.
- Develop a plan to achieve compliance and mitigate existing gaps by defining roles and responsibilities to achieve and maintain compliance.
- Establish responsibilities and efficient processes to achieve sustained compliance over the long haul.
- Employ third parties to provide a thorough review of current practices across the entire academic enterprise.
What are the 800-171 requirements?
There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests in which affected programs must meet.
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
For a complete list of policy tests included under each of the 14 categories, please refer to the NIST SP800-171 web page. A deadline to comply or to report delays in compliance has been set for December 31, 2017.