INFORMATION SECURITY WHITE PAPER
Written for the California Community Colleges Technology Center
November 2015

INFORMATION SECURITY ATTACK VICTIMS

Target, Home Depot, JP Morgan Chase, Cuesta College, Maricopa County Community College District, and Riverside Community College District: what do these organizations have in common? They are all victims of information security attacks that put the identity, credit, and security of their employees, customers, and students at risk.
The California Department of Justice (CDOJ) reports that more than 300 confirmed data breaches of California businesses have exposed more than 20 million customer accounts since the state’s 2013 data breach reporting laws went into effect [1]. The CDOJ reports that the problem may be more severe because many organizations are:

1. Unaware of the reporting requirements
2. Ignorant of an ongoing information security attack
3. Not reporting or under-reporting breaches because of public relations concerns

Community colleges, like other major organizations, have a responsibility to secure their employees’ and students’ information. This white paper explores the information security challenges facing the California Community Colleges (CCC). Specifically, this white paper demonstrates that information security attacks on higher education institutions are on the rise and that there are significant consequences for neglecting the threat. Higher education institutions are a prime target for information security hackers because of the massive amount of personal data stored on vulnerable campus servers (e.g., student, financial aid, administrative, syllabi, curriculum, assessment, grades, etc.). The increased use of digital teaching technologies such as cloud computing, MOOCs, streaming video, and learning management systems also generates large amounts of data, making them attractive targets. In fact, higher education rivals only the healthcare industry in personally identifiable data storage [2].
Colleges and universities are under attack. The California Community Colleges Technology Center at Butte College reports that a large number of higher education institutions are victims of information security attacks. Even the most prestigious institutions in our country, including Harvard [3], Stanford [4], and Johns Hopkins [5] universities, are susceptible to the threat. CCC TechEDge News has compiled a brief list, “Recorded System Compromises”, of institutions that are recovering from information security attacks.

RECORDED SYSTEM COMPROMISES*

• College of the Desert (1,900 records)
• Johns Hopkins University (2,000 records)
• University of Massachusetts Memorial Medical Center (2,400 records)
• Texas State Technical College (approximately 5,000 records)
• Auburn University College of Business (14,000 records)
• University of Wisconsin-Parkside (15,000 records)
• Riverside Community College District (35,000 records)
• Arkansas State University (50,000 records)
• Indiana University (146,000 records)
• University of Maryland (300,000 records)
• UC Irvine Health Center (keylogger and malware attacks, unknown amount of data loss)
• University of North Carolina Wilmington (compromised server, unknown amount of data loss)

*SOURCE: http://ccctechedge.org/news/miscellaneous/438-report-reveals-2013-data-security-trends
The Corporation for Education Network Initiatives in California (CENIC) has more tickets for Denial of Service attacks going out than coming in, according to Dave Reese, CENIC Vice President of Infrastructure Strategy and Security. This means network computers are compromised and the attackers are using them to try to take down other networks, noted Jeff Holden, Chief Information Security Officer for the CCC Technology Center [6]. Mr. Holden said the breach at Riverside Community College District is a strong argument for the need for information security awareness training for all college employees [7]. The data compromise occurred when a district employee used an external email account to send a file to a colleague’s home email because the file was too large for the district’s secure, encrypted email server. The employee accidentally sent the file to the wrong email address, exposing the confidential records of 35,212 students.

“Riverside Community College District is a strong argument for the need for security awareness training for all college employees” – Jeff Holden, Chief Information Security Officer for the CCC Technology Center

The latest example of an information security attack is from Cuesta College. A Cuesta College employee was arrested and found guilty of breaching the campus data system and emailing employee names, home addresses, email addresses, phone numbers and Social Security numbers to her private email account [8].

Information security attacks against U.S. universities are proliferating. A dean at the University of Wisconsin told the New York Times that his school gets hit with 90,000 to 100,000 hacking attempts from China every day, plus countless probes from other countries. The number of attacks is going up exponentially according to Rodney Petersen of Educause [9], and as the attacks increase so do the costs. Those costs are difficult to quantify; generally, liabilities come from a number of areas including data loss, litigation, damaged reputation, and financial costs to employees and students from identity theft. Maricopa County Community College District (MCCCD) in Arizona suffered the compromise of personal and financial information for 2.5 million students despite an FBI warning that MCCCD’s systems were vulnerable. The district has spent $20 million addressing the issue [10].
Maricopa County Community College District has spent $20 million addressing the compromise of personal and financial information for 2.5 million students
On May 31, 2015, after a Cuesta College employee stole past and present employee personal information, the school offered one year of protection through LifeLock to the 4,000 victims. According to LifeLock, the protection cost the college $110 per employee, for a potential cost of $440,000 [11]. The U.S. Department of Justice reports the average identity theft victim suffers a loss of $2,183, outside of the time and effort needed to clear their credit record. Twenty-nine percent of identity theft victims spent a month or more resolving problems, while 36 percent of identity theft victims reported moderate or severe emotional distress as a result of the incident [12].

According to the California Attorney General’s office, when information security breaches do occur, they must be made public. As of 2012, government agencies are required to submit copies of their data breach notices to the Attorney General if the breach involves more than 500 Californians [13].

While the focus of this report is to highlight that information security attacks are a growing concern for California’s community colleges and that the threat can have significant consequences, college leaders may be looking for solutions to these challenges. The California Community Colleges Information Security Center (CCC ISC) [14] has developed three resources which can help improve information security on the state’s community college campuses: (1) the Information Security Advisory Committee, (2) Security Awareness, and (3) Standardized Remote Access Policy Templates.

1. The Information Security Advisory Committee [15] (ISAC) is a systemwide committee focused on information security. Its main focus is creating policy and templates that can be used by all of the California Community Colleges. The committee is also working on creating a peer review vulnerability assessment group that can be utilized by the colleges to validate that their security controls, policies and procedures are effectively implemented.

2. To help colleges enhance their information security, the CCC ISC has developed an active Security Awareness program to provide user awareness education through self-paced online training. The specific objective of the training is to meet all compliance and legal requirements, but the general or overarching objective is to educate and protect our staff and administration by changing their online behaviors and encouraging safe practices [16].

3. Standardized remote access policy templates allow college leaders to implement best practices in drafting information security policies, especially focused on policies for mobile, cloud, and digital resources (including issues of data handling/protection, access control, and end-user awareness) [17].
REFERENCES

1. http://ccctechedge.org/news/miscellaneous/438-report-reveals-2013-data-security-trends
2. http://ccctechedge.org/news/miscellaneous/400-security-news-121713
3. http://ccctechedge.org/news/miscellaneous/361-security-news-041513
4. http://www.networkcomputing.com/network-security/stanford-university-network-hacked/d/d-id/1110928?
5. http://ccctechedge.org/news/miscellaneous/412-security-news-040214
6. http://ccctechedge.org/news/miscellaneous/566-workshop-highlights-need-for-security-policies
7. http://ccctechedge.org/news/miscellaneous/435-breach-underscores-need-for-security-training
8. http://www.sanluisobispo.com/2015/06/12/3676516_cuesta-college-reports-data-breach.html?rh=1
9. https://gigaom.com/2013/07/17/hackers-increasingly-attack-universities-and-admins-are-reaching-for-their-wallets/
10. http://ccctechedge.org/news/miscellaneous/566-workshop-highlights-need-for-security-policies
11. Phone interview with LifeLock service representative, 7/29/2015
12. http://www.bjs.gov/content/pub/pdf/vit12.pdf
13. https://oag.ca.gov/cybersecurity
14. http://cccsecuritycenter.org/
15. http://cccsecuritycenter.org/isac
16. http://cccsecuritycenter.org/services/security-awareness-training
17. http://cccsecuritycenter.org/isac/administrative-regulation-templates?download=10:remote-access-template