In several previous posts, we talked about a series of malicious incursions against major universities. In one of them — an attack on the University of Maryland — more than 300,000 people associated with the university found their information compromised. Stemming from the attack, the university realized it needed to strengthen its identity enterprise security and relocated much of its infrastructure to a cloud platform.
The news that the University of Maryland sought a solution in the cloud should perhaps have received more press, particularly as it would have helped other educational institutions strengthen their own defensive platforms.
But news of university data breaches was overshadowed by the emergence of the Heartbleed bug, and the revelation that large swaths of the Internet were susceptible to easy attack.
Still, just because Heartbleed grabbed headlines did not mean that other breaches simply ground to a halt.
As a NetworkWorld article points out, the distraction provided by Heartbleed has actually been giving way to even more cybercrime against educational entities.
According to a Security Expert, Sudden Lack of Focus on Universities Has Emboldened Hackers
A security expert with a broad range of educational clients said the general fervor surrounding the Heartbleed bug has created an environment where a brand new batch of university attacks were able to take place largely undetected. Alex Holden, the security professional, said that, without naming names, a university-connected hospital client of his is currently coping with the fallout of a phishing email that was sent to 17,000 of its clients.
“Somebody had access to a student account that had an entire list of employees,” Holden said regarding how the phishing attack surfaced.
This explanation illustrates the ease with which an attack can take place. Literally all it took was a single user’s information to hack the internal infrastructure of the hospital. What this seems to suggest is a major oversight on the hospital’s part.
After all, it is not the student’s fault that he or she was breached. That responsibility lies with the institution and its certificate authentication structure. Without a stringent system of validating user identity, the hospital placed itself at constant risk of getting attacked.
Holden pointed out that where proactive strategies are lacking among universities, they are positively alive and well within the hacking community. According to him, cybercriminals are going to great lengths to continue their criminal streak against universities, including selling lists of domains that are vulnerable to attack.
Why are universities such a common target these days? Because although a single attack may not reap massive profits, hackers see longevity in infiltrating educational platforms, particularly because these systems often hold student information that can be capitalized on monetarily.
University hackers “may not have a lot of money in their accounts but when exploited in bulk they may be as profitable as a number of people further in their careers,” Holden said.
Iowa State is Latest Victim of High Profile Breach
The list of university systems that have fallen into the hands of cybercriminals is expanding every week, and now Iowa State University has joined the ranks of the attacked, according to The Gazette. As with other similar recent attacks, the breach on Iowa — which focused on five departmental servers — targeted student Social Security information. This data can be used by criminals to assume a victim’s identity and extract money from their personal accounts.
The Iowa attack involves the theft of information for almost 49,000 students both current and past, although no direct financial data was stolen. ISU News Service director Annette Hacker said that the covert nature of the incursion will make it very hard to identify the culprits.
Since there is “no evidence of the information being used, it is unclear whether we will ever be able to find those responsible or be able to charge them with the crime,” she stated.
As with many malicious attacks, the one against Iowa State will very likely go unpunished. This is a central difference between virtual criminals and those who carry out physical thefts. For the thieves of the cybersphere, so many safeguarding measures exist that their deeds will often never be traced to them.
That’s all the more reason for universities to invest in a robust certificate management system. Just because attackers aren’t going anywhere doesn’t mean educational institutions need to wait to become the next victim.