Eight out of 10 colleges included in a recent study were deemed vulnerable to cyber attacks that could cost IT departments thousands of dollars, highlighting the security downfalls of decentralized campus networks.
WhiteHat Security, a California-based web site risk management company founded by a former Yahoo information security officer, published a white paper last month saying that 83 percent of educational sites managed by the company are susceptible to viruses, hackers, and other security breaches. The white paper is the eighth in an annual series that examines web site security statistics.
WhiteHat’s analysis is the latest national report suggesting higher education’s decentralized IT networks create problems for technology officials in safeguarding the dozens of various web sites maintained on a campus—make colleges and universities an attractive setting for internet hackers looking to steal data.
Social networking web sites aren’t the only sites more vulnerable to cyber attacks, according to the white paper. The analysis included likely reasons for college networks’ vulnerability.
Cross-site scripting, which often contain “malware-laced … web worms,” allow web attackers to bypass a computer’s access controls. The impact can be minor if the hacked web site does not contain sensitive information.
University networks, though, are jam-packed with personal data such as students’ IDs and Social Security numbers. Cross-site scripting in a school’s site can leave student and faculty information open to anonymous attackers.
Content spoofing is another common tool employed by internet hackers, according to the WhiteHat white paper. Web users receive a link that transfers to a screen instructing them to type in a user name and password. These sites are often hosted with interfaces that mimic a legitimate site, making it difficult for users to tell that they are on a fraudulent site designed specifically to steal their personal information.
“Decentralization translates into a lack of control in respect to security,” said Stephanie Fohn, WhiteHat’s chief executive officer. “People pretty much do their own thing … and often the university will then try to institute global policies after the fact, but it is very difficult to enforce those.”
Information leakage also has posed a persistent threat to campus computer security, according to the report. The leakage occurs when a campus web site “knowingly or unknowingly” reveals software version numbers, error messages, developer comments, source code, and internal IP addresses. A hacker can use any of this information to compromise campus networks.
Shannon Ortiz, director of IT security at Fordham University in New York, said relying on automated machine-run scans of a college’s massive network can produce false-positives—a series of warnings that might not be harmful to campus computers—while destructive malware lurks in the background, slowing down internet connections across campus.
“We have a human verify every vulnerability we find,” said Ortiz, who has been at Fordham for 18 years and uses WhiteHat security tools. “We get the data back so we know what we’re actually finding … and it definitely weeds out the necessary information.”
Creating a centralized IT infrastructure and having staff sort through potential security threats, Ortiz said, can help campus decision makers avoid network breaches that impact the college’s bottom line.