University Business - July/August 2011 - (Page 84)
Thwarting ID Thieves
balancing act.” It’s also difficult to balance new technologies—which come with new threats—with security. Gone are the days when hackers were “teenagers or smart computer types” breaking into a system to post a pornographic image on an institution’s Blackboard or registration site, quips Larry Conrad, vice chancellor for information technology and chief information officer at The University of North Carolina at Chapel Hill and HEISC co-chair. “The hackers are smart, they’re capable, they’re experienced, they’re automated, they’re worldwide, they’re persistent, and they’re creative,” he says. And Swartz and Conrad have enough experience fending off these hackers at their own institutions. UNC-Chapel Hill has 60,000 separate IP addresses connected to its campus networks, and wards off 30,000 hacking attempts per day, every day. Swartz says he fends off thousands of attackers per month at American U. With numbers like that, it’s important
IT employees work diligently to protect their community members; identities. At The University of North Carolina at Chapel Hill, the IT department wards off 30,000 hacking attempts per day so students like these don’t have their education interrupted by an identity theft.
stitution, for example, Abraham helps their officials understand where sensitive materials are stored. “From this level of access we paint a picture of a worst-case scenario and how they would go about dealing with that,” he says. The University of Houston System has been working diligently to find and monitor the safety of personally identifiable information within networks of its campuses and administrative offices. “As time goes by
When identity theft happens at a college or university, ‘the image comes off that they’re not taking care of their students’ data, so how are they taking care of their students?’
—John Sileo, The Sileo Group
to start paying attention, identify where your institution’s risks lie, and learn how to protect against identity theft and fraud.
EVALUATE WHERE YOU’RE SENSITIVE
To start, officials must “understand what type of data they’re actually storing as an organization,” says Josh Abraham, senior security consultant and security researcher with Rapid7, a company that provides vulnerability management, compliance, and penetration testing solutions for web application, network, and database security. By taking the perspective of a potential attacker, such as an internal user to an in84 | July/August 2011
and more people are affected by [identity theft], the more people become concerned and want to do something about it,” says Mary Dickerson, the system’s chief information security officer. She has begun using software from Identity Finder that scans every file on a system looking for anything that could be considered personally identifiable information, such as credit card, social security, and driver’s license numbers. The software creates a report, and based on that, Dickerson can choose to delete the sensitive information, delete the file where it resides altogether, or make arrangements to move and protect the information. Because Dickerson knows that some of
the most sensitive personally identifiable information can be obtained from credit cards, devices that process credit card transactions at the University of Houston have their own separate network. On a typical campus, credit cards are accepted at food service venues and bookstores and, at many institutions, tuition can be paid by credit card. Since an identity can easily be stolen by obtaining credit card information, this is one area colleges and universities not only should pay attention to, but are required to pay attention to. The Payment Card Industry Data Security Standard (PCI DSS) states that organizations accepting payments from major credit card companies must prove they have valid controls around cardholder data to reduce fraud incidences. Compliance testing is required for organizations such as higher ed institutions that handle credit card transactions. When Elgin Community College (Ill.) needed to ensure it was PCI DSS compliant earlier this year, it turned to CDW-G to help identify any gaps in its existing compliance effort before going to an official PCI auditor, says Jason Marchant, information security officer at the institution. “One of the good outcomes that came of this is just increasing awareness of information security in the environment here,” he points out. “A lot more people in the college have a better understanding of
universitybusiness.com
http://www.universitybusiness.com
Table of Contents for the Digital Edition of University Business - July/August 2011