In a news flash buried beneath a slew of other notable security news items, UCLA Health revealed last week it was the victim of a massive data breach that left 4.5 million patient records compromised. Like previous attacks on Anthem and Premera Blue Cross, the intrusion gave hackers access to highly sensitive information: patient names, addresses, date of births, social security numbers, medical conditions, and more. And while matters around healthcare IT have taken center stage as of late, the ineffective security at leading institutions of higher education and research is equally distressing.
It’s a fact that the majority of the world’s leading hospitals are run by top universities. Take the U.S., for instance—Johns Hopkins Hospital, Columbia University Medical Center, UCLA Medical Center, Stanford Hospital, the list goes on. The gauntlet has been thrown down for these institutions to bolster their IT security, as healthcare data is estimated to be 10 times more valuable than credit card information, and unfortunately—currently easier to access and steal. It’s therefore conceivable that other university IPs such as engineering plans and sensitive research data are just as easy to hijack. If this is truly the case, leading educational institutions—as well as their home countries—could face far graver consequences down the road.
Higher education is viewed by many experts as being particularly vulnerable to cyber attacks. While banks and financial systems—though subject to their own weaknesses—are designed to defend against external actors, the opposite is true of university networks. IT infrastructures in academia are designed to support research and scientific collaboration, and are therefore open by nature.
“… college and university computer networks have historically been as open and inviting as their campuses… It's hard to think of any organization in the economy that has as broad a range of data as a modern university… The fact that universities serve broad communities also makes them vulnerable… We want our faculty and our students and our public and our donors to connect pretty easily to us...
Hackers are always looking for a way in. Like burglars looking for an open window, they need just one member of a large computer network whose password is ‘password’ to break in and wreak havoc… Universities are typically are designed to be accessible to the world."
—Fred Cate, Indiana University Professor/Cyber Security Expert
Recent statistics also highlight the rising trend in cyber attacks carried out against academic institutions. A study by Educause revealed that 551 data breaches occurred at U.S. universities between 2005 and 2013, while another study by The Identity Theft Resource Center found that 42 colleges and universities were the victims of cyber attacks in the previous year. High bandwidth networks, highly available systems, large collections of personal data from students and employees, and sensitive treasure troves of valuable research data—all elements that make colleges and universities prime targets for cyber attacks.
“Higher education accounts for 17 percent of all personal information data breaches. Only the medical sector (27 percent) is victimized more.”
—Kenneth Westby, President, Coalfire Systems Inc.
Disconcerting, to say the least—especially since our top universities spearhead most of the nation's cutting-edge research. Some of the most important and privileged innovations began in academia—in fact, the internet traces its roots to a joint initiative between the government, UCLA, UCSB, and the University of Utah. Both Yahoo! and Google began as research projects at Stanford. Countless scientific, medical, and of course government/military initiatives (both public and clandestine) are currently being conducted at top universities.
So how vulnerable are America’s top universities to being hacked? If history is any indication, our best academic institutions have yet some learning of their own to do:
Harvard University, July 2015: the Faculty of Arts and Sciences and Central Administration information technology networks are compromised
Harvard University, May 2015: the Institute of Politics’ website is hacked by pro-Palestinian hacker group AnonGhost
UC Berkeley, December 2014: 1,600 records of former and current employees are stolen from university servers. Compromised data include Social Security and credit card numbers.
Stanford University, July 2013: Stanford’s SUNet system is compromised, giving hackers access to all user accounts and passwords.
Yale University, August 2011: 43,000 faculty, staff, student, and alumni names and social security numbers are stolen by hackers through an unprotected FTP server.
And in a dated but nonetheless amusing item, Princeton University hacks into Yale's website in July 2002 to gain unauthorized access to its admission decisions—testament to the fact that corporate espionage wears many guises.
With endowments ranging in the billions, the nation’s most prestigious institutions certainly have ample resources at their disposal for bolstering existing security measures. But it doesn’t take nearly that much to establish the proper foundational components for effective IT security. UpGuard enables cost-effective infrastructure visibility and comprehensive security monitoring/testing to ensure that administrative, research, and instructional systems are free from vulnerabilities and errors.
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Blog >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Blog >