Back Back from the BREACH MOVING DATA OFF-SITE Well aware that data
breaches are be- coming more and more commonplace, The University of some
IHEs are choosing not just to pro- Notre Dame tect sensitive financial
data, but to ac- experienced its first major IT security tually remove it
from campus servers breach in January. altogether. tough firewalls and
intrusion systems. But instead of if for just about every IHE. Higher One,
a firm offering integrated when another virus attacked, IT staff found But
that doesn't mean campuses have to financial aid disbursement services,
has they couldn't identify where the threat had simply brace for the
onslaught and try to seen a great deal of interest lately from originated
so cleaning infected departments clean up as best they can. Many schools
that schools that want the firm to handle stu- before the infection spread
was difficult. have been hit are leading the way in show- ing how to
recover from breaches, minimize dent financial records, putting the data
damage, and prevent future headlines. Appropriate Alerts behind Higher
One's firewalls rather The news isn't all dire. Despite many inci- than
within a campus network. dents of data breaches, there has yet to be
Locked Doors, I f you're looking for a data-rich any widespread identity
theft as a result of Open Windows the exposed information. Attackers some-
Unlike corporate networks, which can be target, universities are it, says
Sean times find themselves with data, but no idea controlled and monitored
through strict IT Glass, chief marketing officer for how to exploit it.
policies, IHE setups have to be flexible, al- Higher One. The advantage to
a ser- Data can be stolen or lost, but without lowing for multiple types of
devices and often vice like ours is that we have to com- an application
that can tie that information for decentralized pockets of IT management.
into other databases, usually it's not useful, That makes schools tempting
to hackers, who ply with banking regulations that de- says Tom Chomicz, a
network security en- can crack networks through system flaws, vi- termine
how we protect information. gineer at CDW-G, a technology provider ruses,
and spyware. Schools don't have to follow those to government and
educational institutions. The Privacy Rights Clearinghouse re- mandates.
Selling it takes time and connections, and if cently stated that of the
113 data breaches any part of it is encrypted, it's just not worth
reported since February 2005, almost half K e n n e s a w State University
Ga. it to the attacker. took place at colleges, universities, and uni-
chose to go with the company to try and Most hackers don't break into
campus net- versity-related medical centers. avoid even the potential for
a breach, works specifically to get sensitive data, Cho- The prevalence of
breaches is likely to says Earle Holley, vice president for micz adds, but
instead to create channels for continue, according to the security firm
Sy- sending spam. Purveyors of unsolicited mail mantec. In its annual
threat report, released Business and Finance. After he heard pay hackers
for these zombie connections, last fall, the company noted that education
about incidents at other schools, Hol- so spam can't be traced back to
them. Much is now the most attacked industry, ahead of ley found that his
university was using like breaking into a bank and emptying the small
business, financial services, and gov- encryption to send data out, but
that cash drawer but neglecting to peek into the ernment. IHEs are
attractive targets due to open vault, hackers take advantage of vulner-
their large, diverse networks and stores of on campus, no encryption
existed. abilities to exploit networks, yet don't always highly sensitive
information. Also, a false Rather than develop a plan to deal with use
data that is right in front of them. sense of ownership exists among
students breaches, Kennesaw chose to move the At Boston College, for
example, letters and faculty. They often install wireless access sensitive
data off its servers. had to be sent in March 2005 to 120,000 points or tap
into campus networks without alumni describing an exposed database that
firewalls in place, the report notes. We feel that it's easier to avoid
is- contained Social Security numbers. College Sometimes, even seemingly
bulletproof sues with data on campus, notes Hol- officials noted that the
attacker's real mo- protection isn't enough. After a worm dis- ley, if we
limit what kind of informa- tive seemed to be embedding a program that
rupted its systems in 2003, the University tion is on the servers in the
first place. could be used to attack other computers. of Washington School
of Medicine installed 80 | June 2006 universitybusiness.com Data.indd 80
5/22/06 10:09:31 AM
http://universitybusiness.com
Table of Contents for the Digital Edition of University Business - June 2006