CYBER SECURITY WHITE PAPER
Written for the California Community Colleges Chancellor’s Office, August 2015
VICTIMS OF CYBER ATTACKS
Target, Home Depot, JP Morgan Chase, Cuesta College, Maricopa County Community College District, and Riverside Community College District: What do these organizations have in common? They are all victims of cyber attacks that put the identity, credit, and security of their employees, customers, and students at risk.
The California Department of Justice reports that more than 300 confirmed data breaches of California businesses have exposed more than 20 million customer accounts since the state’s 2013 data-breach reporting laws went into effect [1]. The report suggests the problem may be even more severe because many organizations are:
1. Unaware of the reporting requirements
2. Ignorant of an ongoing cyber attack
3. Not reporting or under-reporting breaches because of public relations concerns
Community colleges, like other major organizations, have a responsibility to secure their employees’ and students’ information. This paper explores the security needs of the California Community Colleges (CCC). Specifically, this paper makes the case that cyber attacks on colleges and universities are a growing concern and that the consequences of neglecting the threat are significant. Higher education is a prime data-security attack target because of the massive amount of personal data stored on vulnerable campus servers (e.g., student, financial aid, administrative, syllabi, curriculum, assessment, and grades). The increased use of digital teaching technologies such as cloud computing, MOOCs, streaming video, and learning management systems also generates large amounts of data, making them attractive cyber-attack targets. In fact, higher education is rivaled only by the healthcare industry in the storage of personally identifiable data [2].
2 Security White Paper | August 2015
Colleges and universities are being attacked. The CCC Technology Center at Butte College reports a large number of higher education institutions have been victims of cyber attacks. Even the most prestigious schools in our country, including Harvard [3], Stanford [4], and Johns Hopkins [5] universities, are susceptible to the threat. CCC TechEDge News has compiled a brief list, “Recorded System Compromises” (below), of schools that have been attacked.
RECORDED SYSTEM COMPROMISES*
• College of the Desert (1,900 records)
• Johns Hopkins University (2,000 records)
• University of Massachusetts Memorial Medical Center (2,400 records)
• Texas State Technical College (approximately 5,000 records)
• Auburn University College of Business (14,000 records)
• University of Wisconsin-Parkside (15,000 records)
• Riverside Community College District (35,000 records)
• Arkansas State University (50,000 records)
• Indiana University (146,000 records)
• University of Maryland (300,000 records)
• UC Irvine Health Center (keylogger and malware attacks, unknown amount of data loss)
• University of North Carolina Wilmington (compromised server, unknown amount of data loss)
[Figure: bar chart of records compromised per institution; vertical axis in records, up to 300,000]
*SOURCE: http://ccctechedge.org/news/miscellaneous/438-report-reveals-2013-data-security-trends
CENIC (Corporation for Education Network Initiatives in California) has more tickets for Denial of Service attacks going out than coming in, according to Dave Reese, CENIC Vice President of Infrastructure Strategy and Security. This means network computers have been compromised and the attackers are using them to try to take down other networks, noted Jeff Holden, Chief Information Security Officer for the CCC Technology Center [6].
Mr. Holden said the recent security breach at Riverside Community College District is a strong argument for the need for security awareness training for all college employees [7]. The data compromise occurred when a district employee used an external email account to send a file to a colleague’s home email because the file was too large for the district’s secure, encrypted email server. The employee accidentally sent the file to the wrong email address, exposing the confidential records of 35,212 students.
The latest cyber-attack example is from Cuesta College. A Cuesta College employee allegedly breached the campus data system and emailed employee names, home addresses, email addresses, phone numbers and Social Security numbers to her private email account [8].
Cyber attacks against U.S. universities are proliferating. A dean at the University of Wisconsin told the New York Times that his school gets hit with 90,000 to 100,000 hacking attempts from China every day, plus countless probes from other countries. The number of attacks is going up exponentially, according to Rodney Petersen of Educause [9], and as the attacks increase so do the costs of data loss, litigation, damaged reputation, and employee and student identity theft.
Costs are difficult to quantify. Generally, liabilities come from a number of areas including data loss, litigation, damaged reputation, and financial costs to employees and students from identity theft. Maricopa County Community College District (MCCCD) in Arizona suffered the compromise of personal and financial information for 2.5 million students despite an FBI warning that MCCCD’s systems were vulnerable. The district has spent $20 million addressing the issue [10].
On May 31, 2015, after a Cuesta College employee allegedly stole past and present employee personal information, the school offered one year of protection through LifeLock to the 4,000 victims. According to LifeLock, the protection cost the college $110 per employee, for a potential cost of $440,000 [11]. The U.S. Department of Justice reports the average identity theft victim suffers a loss of $2,183, which does not include the time and effort needed to clear their credit record. Twenty-nine percent of identity theft victims spent a month or more resolving problems, while 36 percent of identity theft victims reported moderate or severe emotional distress as a result of the incident [12].
According to the California Attorney General’s office, when cyber-security breaches do occur, they must be made public. As of 2012, government agencies are required to submit copies of their data breach notices to the Attorney General if the breach involves more than 500 Californians [13].
While the focus of this report is to highlight that cyber attacks are a growing concern for California’s community colleges and that the threat can have significant consequences, college leaders may be looking for solutions to these challenges. The California Community College Information Security Center (CCCISC) [14] has developed three resources which can help improve cyber security on the state’s community college campuses: 1. ISAC, 2. Security Awareness, and 3. Standardized Remote Access Policy Templates.
1. The Information Security Advisory Committee [15] (ISAC) is a systemwide committee focused on Information Security. Its main focus is creating policy and templates that can be used by all of the California Community Colleges. The committee is also working on creating a peer review Vulnerability Assessment group that can be utilized by the colleges to validate that their security controls, policies and procedures are being effectively implemented.
2. To help colleges enhance their cyber security, the CCCISC has developed an active Security Awareness program to provide user awareness education through self-paced online training. The specific objective of the training is to meet all compliance and legal requirements, but the general or overarching objective is to educate and protect our staff and administration by changing their online behaviors and encouraging safe practices [16].
3. Standardized remote access policy templates allow college leaders to implement best practices in drafting cyber security policies, especially policies for mobile, cloud, and digital resources (including issues of data handling/protection, access control, and end-user awareness) [17].
REFERENCES
1. http://ccctechedge.org/news/miscellaneous/438-report-reveals-2013-data-security-trends
2. http://ccctechedge.org/news/miscellaneous/400-security-news-121713
3. http://ccctechedge.org/news/miscellaneous/361-security-news-041513
4. http://www.networkcomputing.com/network-security/stanford-university-network-hacked/d/d-id/1110928?
5. http://ccctechedge.org/news/miscellaneous/412-security-news-040214
6. http://ccctechedge.org/news/miscellaneous/566-workshop-highlights-need-for-security-policies
7. http://ccctechedge.org/news/miscellaneous/435-breach-underscores-need-for-security-training
8. http://www.sanluisobispo.com/2015/06/12/3676516_cuesta-college-reports-data-breach.html?rh=1
9. https://gigaom.com/2013/07/17/hackers-increasingly-attack-universities-and-admins-are-reaching-for-their-wallets/
10. http://ccctechedge.org/news/miscellaneous/566-workshop-highlights-need-for-security-policies
11. Phone interview with LifeLock service representative, 7/29/2015
12. http://www.bjs.gov/content/pub/pdf/vit12.pdf
13. https://oag.ca.gov/cybersecurity
14. http://cccsecuritycenter.org/
15. http://cccsecuritycenter.org/isac
16. http://cccsecuritycenter.org/services/security-awareness-training
17. http://cccsecuritycenter.org/isac/administrative-regulation-templates?download=10:remote-access-template