Increased ICT Penetration in Middle East Educational Institutions Increases Risk of Cyber Crime
Written by Pradeesh VS, General Manager at ESET Middle East
There is a clear trend towards the increased utilization of IT systems in Middle East educational institutions. In its predictions for 2014, IDC estimated that ICT spending in the Middle East would top US$96 billion by the end of the year, with education being one of the top three sectors driving the industry’s growth. While this is a positive trend, it also means that hackers now have greater reason to target the sector. Though attacks in the region often go unreported, examples from the West indicate the severity of the problem. Earlier this year, Indiana University in the USA announced that a staff error had exposed information on 146,000 students for 11 months. Shortly after, the North Dakota University System reported that a server containing names and Social Security numbers for more than 290,000 current and former students and about 780 faculty and staff had been hacked.
The harsh reality is that there is now a thriving underground market for stolen credentials, from credit and debit cards to Social Security Numbers, to VPN access. With premiums now being placed on sensitive student records, educational institutions must give due emphasis to security. Here are the most vital defensive measures that every institution must leverage:
1. Layered defenses
Do not expect one security product alone to protect the institution against every possible threat to its systems and data. It is of course necessary to have an anti-malware suite on all parts of the network, including smartphones, Android tablets, Linux servers, and Mac computers along with Windows machines. But there should also be a firewall at the gateway to the school’s network and on all the individual machines: those owned by the institution, those owned by grants, and those owned by students, faculty, and staff. Any important data, such as grades, finances, or personal information, should be encrypted both in storage, on servers and workstations alike, and any time it leaves the machines, whether via email or on devices like smartphones or USB sticks.
2. Implement the principle of least privilege
The principle of least privilege simply means that no person, machine, or system should have access to things they don’t strictly need. For instance, student financial data should be in a different part of the network, completely cut off from people who don’t need to access it. Very few people, if any, should have administrator-level access rights on their own machines, and those who must have admin rights shouldn’t use that account except when they need to do admin tasks. Administrators should restrict access wherever they can do so without disrupting people’s ability to do their jobs.
3. Ban the sharing of credentials
Schools, colleges, and universities are characteristically places where people work together closely, so it may seem natural for users to share usernames and passwords with colleagues or leave their machines open and logged onto the network in their own names. Unfortunately, this behavior can completely undermine one of the best weapons we have for securing systems: log analysis. If the events recorded in the logs cannot be reliably attributed to the person who executed them, it is going to be very hard to find out what really happened when something goes wrong. Just as the institute should run a password cracker on the network logins from time to time to make sure nobody is using things like “qwerty” or “87654321”, they should spot-check to make sure that when “muhammad” logs into fileserver3, it really is Muhammad!
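One way to automate part of that spot-check is to flag any account that logs in to a server while it still has an open session from a different machine. The Python below is an added example, not part of the original article; the log format, host names, and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, event, account, source host, server
SAMPLE_LOG = """\
2014-09-01T08:00:00 LOGIN muhammad lab-pc-07 fileserver3
2014-09-01T08:05:00 LOGIN sara staff-pc-02 fileserver3
2014-09-01T08:20:00 LOGIN muhammad library-pc-11 fileserver3
2014-09-01T08:45:00 LOGOUT muhammad lab-pc-07 fileserver3
2014-09-01T09:00:00 LOGOUT sara staff-pc-02 fileserver3
2014-09-01T09:10:00 LOGIN sara staff-pc-02 fileserver3
2014-09-01T09:30:00 LOGOUT muhammad library-pc-11 fileserver3
2014-09-01T10:00:00 LOGOUT sara staff-pc-02 fileserver3
"""

def parse(log_text):
    """Yield (time, event, user, source, server); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("LOGIN", "LOGOUT"):
            continue
        ts, event, user, src, dst = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        yield when, event, user, src, dst

def find_concurrent_logins(log_text):
    """Flag logins made while the same account is still logged in to the
    same server from a different host. This is a signal that credentials
    may be shared, to be followed up with the account owner."""
    active = defaultdict(set)  # (user, server) -> hosts with an open session
    findings = []
    for when, event, user, src, dst in sorted(parse(log_text)):
        key = (user, dst)
        if event == "LOGIN":
            for other in sorted(active[key] - {src}):
                findings.append((user, dst, other, src, when.isoformat()))
            active[key].add(src)
        else:
            active[key].discard(src)
    return findings

if __name__ == "__main__":
    for finding in find_concurrent_logins(SAMPLE_LOG):
        print(finding)
```

On the sample data only "muhammad" is flagged; "sara" logging in again from the same machine after logging out is not.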
4. Update, update, update
Applying updates and patches for all software is one of the most important things that can be done to minimize the vulnerabilities criminals can use to silently get into machines. When managing complex systems there may be a case for testing updates before rolling them out, but institutions must keep delays due to this process to a minimum. The bad guys are constantly probing for unpatched vulnerabilities. And schools and universities must not forget that it’s not just the operating systems and applications that need to be kept patched; there are also the helper apps that browsers run, from Java to Flash to Acrobat and beyond.
Indeed, the risks of not patching as quickly as possible probably far outweigh the benefits of testing. If an immediate system-wide rollout is not practical, at the very least initiate a rollout of patches immediately on a small set of representative machines, then expand to greater subsets as soon as practical until all machines are patched.
5. Passwords are not enough
When protecting lots of personally identifiable data, a password alone may not be enough. Educational institutions should consider implementing two-factor authentication, or 2FA. The second factor can be a biometric, like a fingerprint, or a one-time passcode that is provided to users via a small digital key card or fob. A more recent development is the use of smartphones to deliver one-time passcodes to users, and these systems can be relatively inexpensive yet highly secure. Students who use social networks like Facebook and Twitter should already be familiar with the notion of 2FA, as those services use it to prevent unauthorized access.
6. Make a clean break
When employees leave and students move on, the institute must make sure to adjust their credentials accordingly. In many cases this will mean terminating their access to school systems. The use of “lingering” credentials that should have been revoked is one of the most common forms of “insider” abuse of systems. And if faculty, staff or students depart abruptly and not on good terms, terminating all of their access – immediately – is a must. In addition, a review of authorized user accounts should be done at least once a year to weed out access that is no longer appropriate.
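The periodic review described above can be run as a comparison between the account directory and the HR or registrar roster. The Python below is an added example, not part of the original article; the account names, roster statuses, and the 365-day threshold (taken from the "at least once a year" advice) are constructed for illustration.

```python
from datetime import date

# Constructed sample data: directory accounts and the HR/registrar roster
ACCOUNTS = [
    {"user": "a.hassan", "enabled": True,  "last_reviewed": date(2014, 3, 1)},
    {"user": "l.khan",   "enabled": True,  "last_reviewed": date(2014, 2, 10)},
    {"user": "r.nair",   "enabled": False, "last_reviewed": date(2013, 1, 5)},
    {"user": "svc-scan", "enabled": True,  "last_reviewed": date(2014, 1, 20)},
    {"user": "f.omar",   "enabled": True,  "last_reviewed": date(2013, 5, 15)},
]
ROSTER = {
    "a.hassan": "active",
    "l.khan": "departed",
    "r.nair": "departed",
    "f.omar": "active",
}

def audit_accounts(accounts, roster, today, max_review_age_days=365):
    """Return (user, reason) for every enabled account that needs action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, nothing lingering
        user = acct["user"]
        status = roster.get(user)
        if status is None:
            # Nobody on the roster answers for this account
            findings.append((user, "no owner on roster"))
        elif status == "departed":
            # The "lingering" credential case: owner left, access remains
            findings.append((user, "owner departed, account still enabled"))
        elif (today - acct["last_reviewed"]).days > max_review_age_days:
            findings.append((user, "access not reviewed in the past year"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_accounts(ACCOUNTS, ROSTER, date(2014, 10, 1)):
        print(f"{user}: {reason}")
```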
7. Backup, backup, backup
Backups of data and systems are the last, best line of defense against destructive criminal hackers. In the case of threats like data ransoming they may be the only way to beat the bad guys. While an institution might consider backing up to the cloud, it should be done as a complement to, rather than a replacement for, local backups that are both tested and stored securely.
8. Security training and awareness
It should come as no surprise to any educational institution that providing security training and awareness for employees and students is a must, and that it actually can be very successful as a protection mechanism. After all, one cannot expect people to abide by security procedures unless it is explained to them how the procedures work and why they are needed.
Of course, there is more that schools can do to defend their systems, but these measures will serve well and, when used together, can defeat many attackers. While there are a lot of criminals out there who see the personally identifiable data stored in education systems as easy pickings, with these measures in place educational institutes can make their data and systems much less attractive targets.