Could America’s ticking time bomb for the next major data breach be found on a college campus? Quite possibly, suggests a new study on cyber-preparedness from IT security firm BitSight.
According to the “Third Annual BitSight Insights Industry Benchmark Report,” the education sector ranks far below several corporate sectors and the federal government when it comes to security performance. Further, the open culture of educational organizations and the broad range of personal information they collect make them especially vulnerable to attack.
“Educational institutions–and higher education in particular–are trailing other industries when it comes to protecting their networks,” the study notes. “While educational institutions have unique network challenges to overcome, they are also becoming prime targets for the important intellectual property that they hold.”
As evidence, the report cites the recent intrusion of the University of Virginia’s network by Chinese hackers.
But the report is a mixed bag of news overall when it comes to the cyber-preparedness for specific industries.
Some–such as finance–are doing fairly well.
Others–notably the federal government–are better prepared than one might think.
Still others–including the energy and utilities sectors–“are performing lower than the retail sector and in line with poorly performing health care,” the report reveals.
Tracking security vulnerabilities
To come up with its industry security ratings, BitSight looks at a number of factors that help reveal how well organizations are doing (or not) at securing their networks. Taken as a whole, these factors are intended to help organizations benchmark themselves within their industry and against other industries; to better assess vendors within those industries; and to aid in cyber-underwriting decision making.
“The security rating is a compilation of dozens of different data sources, largely in a few different categories,” according to Jay Jacobs, a senior data scientist with BitSight.
The first category is events, taking into account known breaches and intrusion attempts.
“We look at publicly disclosed breaches … and any sort of outbreaks that are observable,” Jacobs said. These include “events where you get something in your network that is broadcasting malware or sending spam, or somehow doing some unsolicited communication kind of thing. So we look for all of those types of events as one category.”
“Then we look for diligence, which is how you configure and present your organization on the Internet and how your email is configured–does it support phishing or spamming or something like that or is it configured correctly,” Jacobs said.
“And we look at the services being offered on the Internet. Are those configured with SSL? If they’re configured with SSL, is that running correctly? Are the services open and unencrypted? All these things we try to factor into that category,” Jacobs said.
The firm has a new category it will add to future studies–user behavior.
The best defense is a strong offense
The good news in the report is the efforts that finance organizations have made to secure their networks.
“BitSight has consistently rated the finance industry as a top performer. Finance institutions often make substantial investments to combat threats, with PwC noting that banks are planning on spending about $2 billion more in cyber-security over the next two years,” the report states.
The Obama administration has made cyber-security a top priority in recent years, which would seem to indicate that federal agencies should enjoy relatively good cyber-security for the most part. And despite the recent data breach of the Office of Personnel Management, that is generally the case, the report says.
But as noted, the report also brings bad news to many organizations beyond just colleges and universities. Not surprisingly, another high-value target is the health care organization.
“Health care has definitely been a growing target and that is because of the personalized information available. Not just for the medical aspect, but for the personally identifiable information” coupled with clinical data, Jacobs said. Medical claim fraud is big business, and cyber-attacks are all about profiting from data.
But the sad reality is that companies across all industries still have major SSL vulnerabilities.
“Companies in every industry sector are vulnerable to major SSL vulnerabilities such as Heartbleed, POODLE and FREAK,” the report states. “Given the widespread publicity surrounding some of these vulnerabilities, it is surprising that companies have servers running outdated and vulnerable versions of OpenSSL.”
The report notes that while some organizations have since updated their servers to protect against Heartbleed, “many companies have failed to act when it comes to POODLE and FREAK. For FREAK, industry vulnerability runs from 30 percent in finance to 75 percent in education.”
Worse still, “POODLE results are even more astounding: Not one industry has more than 69 percent of companies protected. These SSL vulnerabilities can provide attackers with the ability to perform man-in-the-middle attacks and extract sensitive information or gain private keys.”
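The “diligence” checks Jacobs describes (how mail and Internet-facing services are configured) and the three SSL flaws the report names can be turned into a simple internal benchmark that an organization runs over its own asset inventory. The script below is an added example, not BitSight’s rating method or any code from the report: it takes a constructed inventory of externally facing hosts (the field names `openssl`, `protocols`, `ciphers`, `spf` and `dmarc` are assumptions), flags each host for Heartbleed (OpenSSL 1.0.1 through 1.0.1f), POODLE (SSLv3 still offered) and FREAK (export-grade `EXP-*` cipher suites), records whether SPF and DMARC are published, and then reports per-industry percentages in the same shape as the report’s “30 percent in finance to 75 percent in education” figures.

```python
"""Per-industry posture benchmark modelled on the report's diligence and SSL criteria.

Added illustrative example; not BitSight's scoring method. The inventory is
constructed and its field names are assumptions, not a real data schema.
"""
import re
from collections import defaultdict

# Constructed inventory of externally facing hosts (sample data, not real organizations).
INVENTORY = [
    {"org": "bank-a", "industry": "finance", "openssl": "1.0.1g", "protocols": ["TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"], "spf": True, "dmarc": True},
    {"org": "bank-b", "industry": "finance", "openssl": "1.0.1e", "protocols": ["SSLv3", "TLSv1"],
     "ciphers": ["EXP-RC4-MD5", "AES128-SHA"], "spf": True, "dmarc": False},
    {"org": "univ-a", "industry": "education", "openssl": "1.0.1f", "protocols": ["SSLv3", "TLSv1.2"],
     "ciphers": ["EXP-DES-CBC-SHA", "AES256-SHA"], "spf": False, "dmarc": False},
    {"org": "univ-b", "industry": "education", "openssl": "0.9.8z", "protocols": ["SSLv3", "TLSv1"],
     "ciphers": ["EXP-DES-CBC-SHA", "RC4-SHA"], "spf": True, "dmarc": False},
    {"org": "univ-c", "industry": "education", "openssl": "1.0.2", "protocols": ["TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"], "spf": True, "dmarc": True},
    {"org": "univ-d", "industry": "education", "openssl": "1.0.1", "protocols": ["SSLv3"],
     "ciphers": ["EXP-RC2-CBC-MD5"], "spf": True, "dmarc": False},
    {"org": "hospital-a", "industry": "healthcare", "openssl": "1.0.1", "protocols": ["TLSv1", "TLSv1.1"],
     "ciphers": ["AES128-SHA"], "spf": False, "dmarc": False},
]


def parse_openssl_version(version):
    """Split '1.0.1f' into ((1, 0, 1), 'f'); the letter suffix may be empty."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def heartbleed_exposed(version):
    """Heartbleed affected OpenSSL 1.0.1 up to and including 1.0.1f; 1.0.1g fixed it."""
    nums, letter = parse_openssl_version(version)
    return nums == (1, 0, 1) and letter <= "f"


def poodle_exposed(protocols):
    """POODLE needs an SSLv3 fallback, so a server still offering SSLv3 counts as exposed."""
    return "SSLv3" in protocols


def freak_exposed(ciphers):
    """FREAK relies on export-grade RSA suites, which OpenSSL names with an EXP- prefix."""
    return any(c.startswith("EXP-") for c in ciphers)


def assess(record):
    """Findings for one host: three SSL flaws plus the mail-diligence check (SPF and DMARC)."""
    return {
        "heartbleed": heartbleed_exposed(record["openssl"]),
        "poodle": poodle_exposed(record["protocols"]),
        "freak": freak_exposed(record["ciphers"]),
        "mail_diligence": record["spf"] and record["dmarc"],
    }


def remediation(findings):
    """Defender actions implied by a host's findings."""
    actions = []
    if findings["heartbleed"]:
        actions.append("upgrade OpenSSL to 1.0.1g or later and rotate the server key pair")
    if findings["poodle"]:
        actions.append("disable SSLv3 in the server configuration")
    if findings["freak"]:
        actions.append("remove export-grade (EXP-*) cipher suites")
    if not findings["mail_diligence"]:
        actions.append("publish SPF and DMARC records for the sending domain")
    return actions


def industry_summary(inventory):
    """Per industry: % of hosts exposed to each flaw, % protected from POODLE, % with SPF+DMARC."""
    buckets = defaultdict(list)
    for rec in inventory:
        buckets[rec["industry"]].append(assess(rec))
    summary = {}
    for industry, findings in buckets.items():
        n = len(findings)
        pct = lambda key, want=True: round(100 * sum(f[key] is want for f in findings) / n)
        summary[industry] = {
            "heartbleed_pct": pct("heartbleed"),
            "poodle_protected_pct": pct("poodle", False),
            "freak_pct": pct("freak"),
            "mail_diligence_pct": pct("mail_diligence"),
        }
    return summary


if __name__ == "__main__":
    for industry, stats in industry_summary(INVENTORY).items():
        print(industry, stats)
    for rec in INVENTORY:
        print(rec["org"], remediation(assess(rec)))
```

The percentages are only as good as the inventory feeding them, which is the practical point of the report’s findings: the organizations still exposed to POODLE and FREAK are usually the ones that do not know which of their hosts still offer SSLv3 or export ciphers, so keeping that inventory current is the first control, and the benchmark simply makes the gap visible.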