The cyberattack that crippled Rutgers University for the past three days was part of a string of attacks that attempt to exploit weaknesses that are unique to the way colleges operate.
The attack, which was the third at Rutgers since November, came as institutions of higher education try to make it as easy to use a computer at school as at home, allowing students to do everything from downloading a song to accessing information from around the globe, all while keeping vast computer networks operating.
“It’s not to say we don’t also protect,” said Neal Sturm, chief information officer at Farleigh Dickinson University, which also was hit by a cyberattack last month. “But a university has students and has faculty, and it becomes much more challenging for universities to completely lock the door from a security perspective because universities are supposed to be open by their very nature.”
Related: Internet service at Rutgers improving but isn’t fully retored
In the attempt to infiltrate colleges and universities, cyber criminals are using smarter, more sophisticated methods than ever. They set out to steal financial information, make a splash or a statement or carry out a vendetta against a school. School employees update programs and block suspicious users daily while they plead with staff and students not to open those links that pretend to be from a bank or a friend.
At Rutgers this week, Internet service was crippled just nine days before finals were to begin. Students couldn’t finish papers, take online classes or register for courses. The university has made no public statements on the attack except to tell students two to three times a day that they were working on the problem.
Outside Internet traffic bombarded the university, overwhelming its network and making it difficult for legitimate users to get online or access pages on the Web. To carry out the “denial of service” attack, a cyber criminal builds up a “botnet,” or an army of computers that they infiltrate and set up to do repetitive tasks, like flood a school’s server with requests.
Botnets are built when computer users click links sent by spam email that lead spyware and viruses to be installed on their computers.
It has gotten easier and cheaper to launch a denial of service attack, and infected computers can be rented for that purpose, experts say. It’s hard to prevent them and even large companies, like Sony and Microsoft, have been victims.
No comment from FBI
A spokeswoman for the FBI, which is investigating, declined to comment.
The attacks are intended to make a statement or make demands like ransom and not to steal data, although they can be used as a diversionary tactic.
In a spate of attacks last year at schools, including Indiana University and the University of Maryland, student and staff data were exposed. The hackers gained access to the names, addresses and Social Security numbers of thousands of current and former students.
The FBI has also warned that foreign interests are trying to steal research from universities for political and economic gain.
Even when personal data aren’t stolen, there are financial costs and damage to a school’s reputation. It costs thousands of dollars to remove a computer infection because the technology staff has to reinstall programs at every workstation, said Peter Streips, president of the Network Security Group, a business that consults with colleges in the Northeast on security matters.
Certainly, Rutgers’ reputation has taken a hit, with its problems being aired in the media as high school seniors are deciding which colleges to attend.
Students have vented in hundreds of online comments. They complained that they couldn’t get their work done and that they needed to use their own phones at their own expense for Internet service. A few said on Twitter that they felt like switching schools.
Crime rings and hackers are going after universities because they view them as easy targets, security experts say. Colleges and universities want to promote learning and want students living on campus to feel like they’re home. At the same time, they store a wealth of information, like credit card and Social Security numbers and faculty research papers.
“All those file-sharing applications — while it’s nice to be able to share information, this is basically a back door for hackers to be able to access other people’s computer remotely,” Streips said.
Meanwhile, thousands of students and faculty are using the networks on their own laptops and tablets and are linking up with organizations across the globe — giving hackers and criminals plenty of ways to break in. More than 30 percent of cyberattackers infiltrate networks through a computer that belongs to a student or employee, Streips said.
“The uneducated user is just as risky as the person in China trying to track your network,” he said.
And the threats are constant and ever-changing with new methods of attack being devised every day, college security professionals say.
“We’re growing in our abilities to monitor and prevent and mitigate it, but it’s going to be a never-ending challenge,” said Candace Fleming, vice president of information technology at Montclair State University.
Schools also are often limited by how much they are willing to spend, especially compared with the private sector, said Kim Milford, executive director of the Research and Education Networking Information Sharing and Analysis Center. So they often use free, open-source programs to improve security and share information.
Two-thirds of the higher education institutions surveyed last year by the SANS Institute, which specializes in cyber security, said they needed more staff while 43 percent said they couldn’t compete for highly skilled workers against higher-paying organizations and businesses.
New protections
Universities are taking steps to improve security. They are adding new password protections and hiding personal information in code. They are keeping sensitive information, like financial records, on networks separate from the ones used by students. They run programs all day long to check for suspicious online traffic and to make sure computer controls are working.
Many universities, including Fairleigh Dickinson and Montclair State, also have created response teams that can be activated in case of a breach.
Rutgers, meanwhile, put an advertisement in the student newspaper that appeared online this week urging students not to share their passwords. “Don’t be the weakest link to security,” the ad said.
But more can and should be done, experts say.
In the SANS Institute survey, only about half the respondents reported that they encrypt sensitive information that can identify students and faculty members, like Social Security numbers and credit card information. And just 57 percent said they classify and create special guidelines for sensitive data.
In response to the growing threat, schools have to revise their plans constantly and be prepared for a crisis, Streips said.
“It’s not if it happens, it’s when,” he said.
Source: http://ift.tt/1zu4IeD
from hacker samurai http://ift.tt/1bGVO21
via IFTTT
No comments:
Post a Comment