The two-year cyberattack on Pennsylvania State University's (Penn State) College of Engineering disclosed last month is likely part of a larger hacking effort against the entire industry, according to one security expert.
The FBI notified the school of two attacks on its servers, which indicates the breach was just one part of a larger campaign, says Ken Westin, a senior security analyst at cybersecurity company Tripwire.
"It's very rare that a group is going to target one particular institution," says Westin. "Usually, they will target an entire industry or a network looking for intellectual property."
This means that all schools may need to step up their cyber protections.
Penn State administrators are investigating the cyberattack on the college, which lasted more than two years and at least part of which was led by a Chinese group.
Investigators say the attack exposed personal data of more than 18,000 people, but there is no evidence that attackers stole the information. The university says it will put two-factor authentication in place to limit future attacks.
Additional, undisclosed attacks
Legally, Penn State had to announce the attacks because they involved personally identifiable information (PII).
But other schools that have also been attacked may remain silent to protect their brands and their partnerships with private companies, or to study the attacks without the hackers' knowledge.
Schools are not safe from attacks
"Universities don't think they are targeted," says Westin, when in reality the higher education industry is especially vulnerable. Colleges and universities cannot view the Penn State events as a single attack, he says.
"For a lot of espionage groups, higher education is usually their training grounds, where they may work with some of their younger or more junior hackers," says Westin. "Higher education networks are usually a lot easier to penetrate, and there's less likely to be blow-back."
While financial services companies can devote major resources to private security, colleges and universities have more limited budgets, although some have recently increased support.
From 2012 to 2013, University of California at Berkeley doubled its cybersecurity resources, according to the New York Times.
Steps to improve security
But not everyone needs to go so far. "A little bit of effort can make you a lot more secure," says Westin.
The most important change is to implement and follow the correct security policies. Outsourcing the responsibility to a third party may make schools even safer, he says.
Both the Center for Internet Security and the National Institute of Standards and Technology offer security frameworks, says Westin. But whatever colleges choose to use, officials must be certain it covers the whole "attack surface" through which hackers may gain entry—this requires examining how third-party networks connect.
Additionally, colleges and universities should form an information sharing group—similar to the financial sector's FS-ISAC—to compare attacks on their networks and identify common IP addresses and tools, argues Westin. (Editor's note: A reader points out that the Research and Education Network Information Sharing and Analysis Center, or REN-ISAC, at Indiana University already fills this role for the higher ed community. Anyone looking for more information on campus IT security is encouraged to explore their resources.) (Barbour, eCampus News, 6/2; Pérez-Péña, New York Times, 7/16/2013).