Advanced Persistent Threats (APT): Is IT Security an Easy Target for Higher Education?
By: SecureWorks
Higher education institutions today face numerous IT security issues, both in data security and in defending against Advanced Persistent Threats (APT). Budgets are tight, students and staff want unrestricted access to mobile and online learning resources, and regulations are increasing. These factors unfortunately also make higher education institutions easier targets for APT hackers using spear phishing tactics and more vulnerable to loss of electronic Personally Identifiable Information (PII).
Educause, a leading higher education IT security "think tank," noted in a 2011 survey that data security breaches ranked in the top five IT security concerns facing higher education institutions. According to the report, "hackers [are] repeatedly finding ways to defeat the best technical, organizational, and social countermeasures created by IT security experts. We are seeing new advanced persistent threat exploits that automated intrusion detection fails to recognize, malware that is difficult to remove, and whole new waves of risk associated with the rapid deployment of smartphones and the new generation of tablets on institutional networks." Although security is on the radar of higher education IT security departments, there often isn't visibility into the true magnitude of the advanced persistent threat across the entire spectrum of the institution's infrastructure.
Highly Sophisticated Advanced Persistent Threats (APT) Create Unique IT Security Challenges
Recent attacks against many industries are highly sophisticated, well organized, and often connected to nation-state activities or cyber-crime organizations around the globe that are motivated by financial, political and ideological objectives. Higher education is no exception. The external threat landscape in higher education data security is a force to be reckoned with, and one that presents a unique set of challenges for the IT security professional.
APTs are an insidious genre of attack with generally malicious intent that greatly compounds the risks inherent in colleges and universities. APT actors (the adversaries guiding the attack) target specific organizations for a singular purpose, and attempt to gain a foothold in the target's environment, often through tactics such as targeted emails, or "spear phishing", that contain malicious web links or attachments designed to compromise a particular computer. The attackers then typically use the compromised systems as a conduit into the target network and as a method to deploy additional tools that help fulfill their primary objectives.
The spear phishing tactic is concerning, since it is particularly effective. Hackers may research potential victims via social networking sites, and then target them with specially crafted messages that appear to come from fellow students, friends, or professors. In fact, a recent eWeek article reported that 70 percent of people who got a targeted e-mail opened it, and half of those unwitting victims then clicked through to the malicious website or opened the infected attachment. Since younger people are often impressionable, this creates a perfect opportunity for APT actors (and an imperfect risk posture for the institution).
Planning for and continually enforcing student access and endpoint management, along with planning the organization's anticipated response, makes it much more difficult for APT actors to conceal their actions and makes incident response efforts more effective against both internal and external threats.