The recently detected cyberattacks at Pennsylvania State University may spell bad news for other colleges and universities, according to IT security experts. Hackers such as those that targeted Penn State don’t set their sights on individual institutions, but on entire industries.
“I don’t want to be the harbinger of doom, but usually when you see one breach, there’s more to follow,” said Ken Westin, a security analyst with the IT security company Tripwire. “Penn State is an indicator that there have been more breaches and there will be more breaches that are targeting similar kinds of information.”
Last November, the Federal Bureau of Investigation informed Penn State that the College of Engineering’s network had been breached by two cyberattacks. The university disabled the network for three days in May as it worked with the IT security firm FireEye to set up “robust scanning and computer security protocols” to “take a proactive and aggressive stance against future attempted intrusions.”
Those security measures revealed two more attacks -- this time against the College of Liberal Arts. As opposed to the engineering school attacks, where hackers used malware to gain access to the network, the College of Liberal Arts network was breached by exploiting a vulnerability, the university said.
Beyond those findings, details are scarce. Investigations have so far not turned up evidence that hackers got away with information such as Social Security numbers or research data -- only usernames and passwords. Other than determining that one of the engineering attacks originated in China, the university has yet to identify the perpetrators behind the other three to the public.
Penn State declined to comment for this article, which is standard operating procedure for universities in the aftermath of a cyberattack. L. Reidar Jensen, a Penn State spokesperson, pointed Inside Higher Ed to an informational website the university created to field frequently asked questions about the breaches.
Universities rarely like to discuss how they were attacked and how they responded, in part because of ongoing investigations, but also out of a concern that describing their countermeasures could aid hackers contemplating future attacks. Speaking too freely could also prove costly, should the university later be discovered to have been at fault for the breach.
Penn State did share some details about the scope of the threats the university faces on a daily basis, however. Last year, the university fended off more than 22 million cyberattacks a day, but “in light of increasingly hostile and coordinated threats against large organizations around the world, Penn State has launched a comprehensive review of all related IT security practices and procedures,” it said last week in a press release.
“An adversary only needs to find and exploit one vulnerability -- that’s all they need to do,” said Emma Garrison-Alexander, chair of the master of science in cybersecurity technology program at the University of Maryland University College. “The challenge is enormous for a university or any entity when it comes to cybersecurity, and sometimes that gets lost in the hype of what’s happening in an organization.”
'Wake-Up Call' for Higher Education
In a broader context, Penn State is one of many organizations across all industries and sectors that are reconsidering how to keep data safe on their networks. Other high-profile attacks have breached the networks of the U.S. Office of Personnel Management, which compromised the data of millions of federal employees, and retail chain Target, which settled for $10 million after losing customers’ credit card numbers. In higher education, Harvard University is the most recent to announce a breach.
Judging by how long it can take for an organization to discover the intrusion -- at Penn State, the breach dated back to at least September 2012 -- hackers have likely gained access to other universities’ networks without them knowing. Other breaches may never be detected.
Chad A. Holmes, a chief security strategist with FireEye, said keeping data secure on university networks is more challenging today compared to a few years ago, mostly because the threats against the universities have grown more sophisticated.
The nature of universities also makes their networks tougher to secure, Holmes said. Faculty members and students have more control of their data than do employees of companies and government agencies, for example. The myriad devices people bring to college campuses also represent serious security risks, he said.
“It’s really a playground for hackers,” Holmes said about higher education. He declined to speak specifically about Penn State, stressing that his comments described higher education as a whole.
Experts were reluctant to evaluate how Penn State treated IT security before the breaches were discovered. They did, however, speak favorably of how the university has responded to the attacks. In addition to upgrading its network and working with FireEye on investigating the breaches, the university will also introduce two-factor authentication, which means users have to provide two means of identification -- like a password and a code that changes with every login attempt -- to access their accounts.
Garrison-Alexander, former chief information officer of the Transportation Security Administration, said the university’s response shows “that they recognize that they have a need to do more in terms of protecting the organization’s data and the access to the data.”
Westin previously described the attacks against the College of Engineering as a “wake-up call” for higher education. With the discovery that the College of Liberal Arts had also been attacked, Penn State “woke up,” he said.
Other colleges and universities could use the breaches at Penn State to start a conversation on their own campuses about cybersecurity, the experts said. They recommended colleges work with other institutions through organizations such as the Research and Education Networking Information Sharing and Analysis Center, or REN-ISAC, as well as develop more effective training programs.
“It’s the new reality. There are going to be cyberattacks, and you are going to have to deal with them,” Westin said. “I don’t think it’s something that they have to live with, but they need to figure out how to live with it.”