A database security vendor says colleges and universities need to do more to secure their databases against break-ins.
Application Security, which uses the name AppSec, reviewed data breaches in higher education, drawing from a variety of published sources. The company, based in New York City, specializes in database security and has two main products: DbProtect, an application for database security, risk and compliance; and AppDetectivePro, which automatically discovers all database applications on a company’s network and evaluates their security.
The data in its report, “An Examination of Data Breaches at Higher Education Institutions,” highlights increasing data-loss incidents at colleges and universities. But it doesn’t clearly distinguish between the business market as a whole and the higher education sub-market, and it does little to put the higher education breaches into context.
For example, the AppSec document cites data from Privacy Rights Clearinghouse to assert that “higher education institutions have experienced a substantially large number of data breaches – nearly 160 breaches and more than 2.3 million records breached since 2008.”
But using the same PRC sortable database, the “Chronology of Data Breaches“, it turns out that other segments, though indeed with a lower total number of data breaches for the same period (ranging from the 60s to mid-90s), have exposed more records: more than 3 million for government and military, and 39 million for financial services companies, depending on the types of breaches considered. Healthcare, with at least roughly 80 breaches, exposed 1.5 million records.
AppSec notes, correctly, that higher ed is on pace to report more breaches this year than last year. But according to the PRC database, so are financial services, retail, government/military, and healthcare, all of which have a larger number of year-to-date security incidents than does education.
Turning to another source, DatalossDB.org, AppSec pulls other data that says roughly the same thing for higher education: 89 breaches affecting “in excess of one million records” in 18 months from January 2009 to August 2010. DatalossDB ranks higher ed as No.2 among markets experiencing database breaches, according to AppSec. But it’s not clear exactly where that data comes from. A page of statistics, in the form of pie charts, shows education with 29% of reported “incidents” (of all types), a general “Biz” category with 49%, government with 18%, and healthcare with 13%.
According to the AppSec document, where “many of these breaches occurred, the institutions had passed PCI compliance audits. Compliance does not equal security.” But the assertion would only be meaningful if college and university security staff believe that compliance did equal security. AppSec doesn’t offer evidence of this, nor any comparative data to show whether breaches are more or less common in other industry segments that are, or are not, PCI-compliant.
The data security weaknesses “can be attributed to a number of factors,” according to AppSec, though it doesn’t go into much detail. For example, “university IT departments are often plagued by resource issues.” That could mean “not enough security staff” but AppSec doesn’t elaborate. Another of the factors is “budgetary constraints,” a problem that is hardly unique to higher education.
But in another section, AppSec explicitly identifies budgetary constraints as representing “perhaps the most rational reason why colleges and universities are experiencing a high volume of attacks.” It cites the “2010 Security Spending Trends” report (from the Enterprise Strategy Group, an IT analyst and business strategy company; the report is available only as a “premium subscription”) to assert that “only 50% of universities in the U.S. plan on increasing their IT security spend for 2010.”
But just as PCI compliance is no guarantee of security, neither by itself is increased security spending. Nor is it clear why AppSec thinks that not increasing security spending is causing the allegedly high number of attacks on campus databases.
Drawing on the same ESG data, AppSec notes that all organizations, not just those in education, “are only spending 20 percent of their IT budget on security and only 20 percent of that security budget on databases.” Again, the unsupported and undocumented implications are that neither percentage is enough, and that increasing them translates into increased security.
Somewhat confusingly, the AppSec document elsewhere suggests another equally if not more rational reason for the higher education data breaches: “The nature of higher ed is to foster an open academic environment, which is a nature at odds with the need to protect sensitive information and be mindful of security issues. Changing this nature requires a philosophical shift in the way these institutions view sensitive data.”
To a degree that’s true, since the assertion hinges on what is meant by an “open academic environment,” it’s not a new challenge for higher education. Educause.org, one of the main associations for education IT professionals, has a collection of information security whitepapers, recommendations and surveys going back to at least 2006. One of them is the May 2006 “Current IT Issues Survey Report,” which noted that “For the first time ever, Security and Identity Management has topped Funding IT as the number-one IT-related issue in terms of its strategic importance to the institution.”
More details of the Educause Cybersecurity Initiative are online.
By means of what the AppSec report calls a “forensic analysis,” the authors conclude that the most common methods used by attackers to gain database administrator privileges are:
– Taking advantage of weak, blank or default access controls.
– Exploiting a database, application or operating system vulnerability.
– Obtaining a valid login and password (for example, by guessing it or by a brute force attack).
Once they have access, attackers can sidestep logging mechanisms intended to record and track their activities. Techniques include: disabling logging completely; loading external libraries (a common database practice to add functionality) to execute code inside the database server process and gain access to process memory and database components; impersonating other database users to perform unauthorized actions; deleting or overwriting logs.
AppSec says some risks are unique to higher education. Among them:
– Using students as IT staff, with less experience, and higher turnover; with access to sensitive information though lacking in security training and in adequate supervision.
– Open student terminals and workstations on the same network as sensitive databases.
– About one-quarter of the user population changes each year, with associated challenges in managing accounts and credentials.
– Multiple IT departments within the university, each with different possibly even conflicting information security policies.
Finally, the document recommends six “best practices” to secure education databases:
1. Conduct automated database scanning to create a complete inventory of all databases.
2. Classify them according to their “business value.”
3. Identify all database vulnerabilities, including improper configurations, shortcomings with regard to compliance mandates, and access control violations.
4. Assess the level of risk for each of these problems and create a prioritized list of remediation steps.
5. Take the remediation steps.
6. Monitor the databases and user activity.