Preventing Data Breaches: Lessons From Higher Education

By Alex Rothacker

Since 2008, higher education institutions have experienced a staggering 158 data breaches resulting in over 2.3 million reported records compromised. In 2009 alone there were 57 reported data breaches, and year to date through July of 2010, there have already been 32 breaches.

Considering that most breaches are not reported until well after the fact, 2010 is on pace to surpass the 2009 breach totals. So the question is: Are higher education institutions familiarizing themselves with the threats, regulations, and costs associated with protecting sensitive data? And are they being as diligent as necessary to protect that data?

The impact of these breaches can be felt by multiple parties – the university, administrative/faculty, the student body, alumni, the parents and the IT department. As a result, institutions and individuals are at increased risk of having their information compromised by hackers, insider malicious activity, or insider mistakes.

Budgetary constraints are one reason why colleges and universities are experiencing a high volume of attacks. This is evidenced by a new report stating that only 50 of the universities in the U.S. plan on increasing their IT security spending for 2010. But beyond spending, the very nature of higher education computing and the open academic environment conflicts with the need to protect sensitive information.

Vast amounts of data = Gold for Hackers

Databases at colleges and universities store a wealth of personally identifiable information (PII).  This information includes names, addresses, financial information, credit card numbers, social security numbers, and health care records of employees, students and parents.

With major colleges enrolling tens of thousands of students a year, along with the large number of employees involved in running an institution, a university or college could potentially be housing many millions of records containing PII.

The database also represents the most significant source of data that can be exploited for monetary gain. As an example, databases accounted for nearly 75 percent of the 258 million records breached in 2008. And once stolen, there is a ready market for the information.

Some colleges and universities operate on legacy equipment and software, so the protective solutions aren’t always effective. Many speculate that the recent economic downturn has accelerated hacking attempts, but the truth is that a significant uptick in data breaches started in 2005, when the economy was booming.

In addition, the characteristics of users at higher ed institutions contribute to the university’s exposure.  The culture of higher ed is to foster an open academic environment, which is naturally at odds with the need to protect sensitive information and be mindful of security issues. Changing this culture requires a philosophical shift in the way these institutions view sensitive data. Students and professors frequently log in and out of both personal and public computers.  Accounts are left open, computers are left logged on, and data can be easily lost amid the day-to-day shuffle.

Inside-Out Approach to Identifying the Gaps

Taking a forensics-based approach is critical to effectively determine the techniques attackers are using to perpetrate database breaches. This helps identify any existing gaps in university systems that have been exploited and which applications are most prone to being penetrated.

The two key issues that help get the forensics process started are to determine what has been done to gain access to the sensitive data, and to figure out how those actions have been disguised so that the perpetrators avoided being identified.

These actions can be traced by different logging mechanisms such as error logs, backup logs and transaction logs. It’s important to understand the techniques that attackers use to gain access to sensitive data and cover their tracks.

Some of the most common methods of obtaining database administrator privileges include:

  • Taking advantage of weak, blank or default access controls
  • Exploiting a vulnerability
  • Finding a valid login and password (by brute force, guessing, social engineering, or with the help of a Trojan)
  • Exploiting a vulnerability in an application or in the operating system (OS)
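As an added illustration (not part of the original article), the following Python example reviews a database login audit log for the brute-force pattern named in the list above: a run of failed logins for one account from one source, followed by a success. The log format, account names, addresses and thresholds are constructed assumptions, not taken from any specific database product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a database login audit log. The line format is an
# assumption for this example, not the format of any specific product.
SAMPLE_LOG = """\
2010-07-12T02:14:01 LOGIN_FAILED user=dbadmin src=10.20.4.17
2010-07-12T02:14:03 LOGIN_FAILED user=dbadmin src=10.20.4.17
2010-07-12T02:14:05 LOGIN_FAILED user=dbadmin src=10.20.4.17
2010-07-12T02:14:06 LOGIN_FAILED user=dbadmin src=10.20.4.17
2010-07-12T02:14:09 LOGIN_FAILED user=dbadmin src=10.20.4.17
2010-07-12T02:14:12 LOGIN_OK user=dbadmin src=10.20.4.17
2010-07-12T08:30:00 LOGIN_FAILED user=registrar src=10.20.8.3
2010-07-12T08:30:20 LOGIN_OK user=registrar src=10.20.8.3
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")

def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (user, src, failures, success_time) for every successful login
    preceded by at least `threshold` failures for the same user and source
    inside `window`."""
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logins
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of guessing
        ts = datetime.fromisoformat(m.group(1))
        event, key = m.group(2), (m.group(3), m.group(4))
        if event == "LOGIN_FAILED":
            failures[key].append(ts)
            continue
        # Successful login: count the failures that fall inside the window.
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            findings.append((key[0], key[1], len(recent), ts.isoformat()))
        failures[key].clear()  # a success ends the current failure streak
    return findings

if __name__ == "__main__":
    for user, src, count, when in find_guessed_logins(SAMPLE_LOG):
        print(f"{when}: {user} from {src} logged in after {count} failures")
```

The single mistyped password for `registrar` stays below the threshold and is not reported, which keeps ordinary user errors out of the review queue.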

Recommendations:

It’s critical for universities to understand the threats, how the attacks are executed and how to identify if their systems are potentially vulnerable. But it’s equally important to understand what it takes to remediate vulnerabilities, and to put a process of continuous protection and compliance in place.

Universities should use the following three-step process as a starting point to quickly improve their database security posture.

  • Discover all databases on the campus network: Due to the open nature of today’s academic technology demands, it’s likely that there are databases, or copies of databases, that no one knows about. It’s critical to perform a full assessment that provides a comprehensive discovery of those databases. Once that discovery is finished, you can start the remediation process.
  • Assess all databases for compliance with campus-wide policies: The enforcement of compliance across the university is essential for employees and students. For employees, for example, an efficient way to enforce access controls is to ensure that all faculty and administrative staff have only the access to data they need to perform their jobs, in keeping with the principle of least privilege. For students, enforcing strict access credential policies is extremely important for email systems and e-Learning platforms that store user information.
  • End-of-life any systems that are no longer supported/patched by vendors: It is imperative to disable those applications that are not currently being used and that might be either outdated or now unsupported. This is especially important at the database level because attacks through web applications have become a dominant method for penetrating the database. So if the applications are disabled and no longer available on the network, there’s less risk of insider attack or of malicious external activity.
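The three steps above can be applied in one pass over a database inventory, as in this added example (not from the original article or from Application Security Inc.). The hostnames, account names, record layout and the assessment date are all hypothetical and constructed for illustration.

```python
from datetime import date

# Constructed inventory. Every host, account and date here is hypothetical.
REGISTERED = {"db-registrar.example.edu", "db-finance.example.edu"}
AS_OF = date(2010, 8, 1)  # assumed assessment date

# Each account: (name, blank_or_default_password, granted_privs, needed_privs)
DISCOVERED = [
    {"host": "db-registrar.example.edu", "support_ends": date(2012, 1, 31),
     "accounts": [("registrar_app", False, {"SELECT", "UPDATE"},
                   {"SELECT", "UPDATE"})]},
    {"host": "db-finance.example.edu", "support_ends": date(2011, 6, 30),
     "accounts": [("admin", True, {"ALL"}, {"ALL"}),
                  ("faculty_portal", False, {"SELECT", "DELETE"}, {"SELECT"})]},
    {"host": "lab-copy-17.example.edu", "support_ends": date(2008, 3, 1),
     "accounts": [("student_test", False, {"SELECT"}, {"SELECT"})]},
]

def assess(discovered, registered, today=AS_OF):
    """Apply the three steps to each database; return sorted (host, finding)."""
    findings = []
    for db in discovered:
        host = db["host"]
        # Step 1, discovery: found on the network but unknown to the inventory.
        if host not in registered:
            findings.append((host, "unregistered database"))
        # Step 2, policy: weak credentials and violations of least privilege.
        for name, weak_password, granted, needed in db["accounts"]:
            if weak_password:
                findings.append((host, f"{name}: blank or default password"))
            excess = granted - needed
            if excess:
                findings.append(
                    (host, f"{name}: excess privileges {sorted(excess)}"))
        # Step 3, end-of-life: the vendor no longer supports or patches it.
        if db["support_ends"] < today:
            findings.append((host, "vendor support ended; retire or replace"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in assess(DISCOVERED, REGISTERED):
        print(f"{host}: {finding}")
```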

Alex Rothacker is the manager of the Team SHATTER research group at Application Security Inc. You can download the company’s white paper on analyzing data breaches and protection methodologies here.
