Security breaches challenge academia's 'open society'

Computerworld - While all the attention lately has been focused on security breaches at our nation's data consolidators, U.S. universities have also been notifying thousands of employees, students and alumni to monitor their personal accounts for unusual activity. The University of Iowa recently became at least the 16th college this year to publicly disclose a breach of its information security (see table).

What's going on? Have hackers opened up a campaign against our colleges?

The answer is probably no. Computer-savvy students have been probing and exploiting university networks for a long time, ever since the 1983 movie War Games glorified the teenage hacker.

It's likely that we're hearing about these university breaches now because of the California Security Breach Notification Act, which went into effect in January. The act requires notification of California residents if unauthorized users may have accessed their sensitive information. The law has effectively resulted in the notification of all potentially affected people, however, because no organization wants to be seen as caring about the safety of only Californians.

But I don't think we're going to see a drop-off in the number of university breach notices anytime soon. Why? Because a number of factors have converged to put colleges uniquely at risk to ongoing compromises of their information security.

The most fundamental factor is the openness of the university. The free and open exchange of ideas has long been at the core of the university mission. As a result, the typical campus is physically open to all comers; no identification badge is needed. Its intellectual property is openly aired, and members of the college community interact in public forums online and off-line. Names of professors are public knowledge much more often than their middle-management counterparts in private industry, and rosters of students aren't hard to come by, either. The campus is like this because everyone there, except IT security, wants it that way.

But what's the risk of this openness? When it comes to IT security, it means there's more opportunity for social engineering—for a hacker to impersonate a targeted individual in obtaining his access credentials.

A more recent phenomenon contributing to college IT risk has been the widespread webification of university business processes. Within less than a generation, the typical campus environment has transformed itself from bricks-and-ivy to clicks-and-ivy. The list of processes that have made their online debut is a long one:

• New-student application and selection






• Course registration, instruction and testing






• Grade distribution






• Instructor evaluation






• Financial-aid application and awarding






• Dorm-room selection






• Library accounts






• Campus purchases






• Tuition billing and payment






• Campus and alumni directories

How does this colossal move online affect IT security? By bringing more offline information into the realm of what the hacker can access remotely. Universities that still use the Social Security number as a student ID are even more vulnerable, because that single piece of information can often be used as the key to unlock many of these online accounts.