Why Hackers Love to Attack College Campuses

Contributing Writer

Credit: Monkey Business Images/ShutterstockCredit: Monkey Business Images/Shutterstock

When you live in a college town, you can tell when students return from vacation. Road traffic increases, there are longer lines at grocery stores and Internet service slows down, thanks to the sudden influx of 40,000 more users.

There is another, less obvious, sign that classes are back in session. Cybersecurity incidents on the campus network rise as hackers also "return to school."

It's no surprise that college campuses should be treasure chests full of gold for cybercriminals. Each university and college database can contain an amazing amount of information, sometimes on hundreds of thousands of people.

MORE: 10 Worst Data Breaches of All Time

Consider my own alma mater, a state-affiliated research university with a big-time athletics program and an alumni association of more than 500,000 members.

Not only does the university store the personal information and medical records of 70,000 students and 20,000 faculty members and other staffers, but it also has financial data for sports and theater season-ticket holders — fans and residents who may not otherwise be part of the campus network.

Then there is all of the intellectual property generated by professors, graduate students and other research professionals. Holders of campus parking permits even have their driver's licenses and vehicle data stored in school databases.

Like shooting fish in a barrel

It's no wonder that malicious hackers love university networks. Even better for the bad guys, college campuses are frequently easy targets.

"Students are not often well educated on safe computer use," said Kevin Jones, chief information security architect for Thycotic Software, an information-security company based in Washington, D.C., and himself a former university information-technologies staffer.

Too many campuses, Jones said, provide only a basic IT security overview to incoming freshmen — if they provide anything at all.

The biggest risk to college networks is malware that enters through illegal file-sharing networks, Jones said.

"Younger people are more willing to use piracy to acquire movies, games and software, due to tighter budgets," he said. "Depending on the university's network and [its] segmentation, this can quickly spread to other students and computer labs within the school. This malware could steal passwords or credit-card data when used online."

Which schools pass — and which fail

However, as a recent study by BitSight Technologies of Cambridge, Massachusetts, indicated, each campus is unique in the type of security threats it faces.

In the study, entitled "Powerhouses and Benchwarmers," BitSight researchers studied the schools in the five power athletic conferences (ACC, Big Ten, Big 12, Pac-12 and SEC), plus the Ivy League, from mid-2013 to mid-2014. Overall, more than 2 million students and 11 million IP addresses were included in the survey.

The researchers used their findings to rank each conference according to a security-rating system. Topping the list was the Big 12; the other five were clustered together, with the ACC at the bottom of the cluster.

There was one common denominator in the study's results, BitSight said: Campuses that had an on-staff security director did a better job with overall campus information security than campuses that didn't have one.

When conferences were compared, there was some overlap in the types of threats facing the campus networks. For example, all of the conferences dealt with outbreaks of the Flashback Mac malware, but the problem was much worse for the Ivy League and SEC, in which Flashback infections far outnumbered other types of infections.

On the other hand, Flashback was a much smaller concern for the Big Ten and the ACC. Instead, the Big Ten's biggest concern was "unidentified," in which the exact reason for the infection couldn't be pinpointed. One school in the ACC skewed the entire conference's results, thanks to a nasty infection of a Trojan called Jadtre. (Individual schools were not identified in the study.)

Conference alignments are no longer as tightly regional as they once were, so BitSight cannot definitively say that certain regions have different security problems — although it does appear that students attending Ivy League or SEC schools may be fonder of Macs than their Big Ten counterparts, or perhaps haven't figured out how to protect their computers as well.

How to make a school network safer

The company did notice that schools that took a more active role in improving network-security performance had better overall security ratings. The Big 12 came out on top with security ratings, while the ACC finished at the bottom, but BitSight did not explicitly link the rankings with the individual schools' policies. (One ACC school, presumably the one with the Jadtre infection, was an outlier with a terrible security record.)

"Although IT departments can be well-versed in security diligence tasks, we find that having dedicated personnel who address these issues often results in better performance," said Stephen Boyer, founder and chief technology officer of BitSight.

"While simply having a security leader is not a guarantee of good security posture," Boyer said, "it demonstrates a commitment to positioning network security as an important issue within the institution, and can help ensure that it gains the resources and attention it requires to keep the network safe."

Each school needs to do its part in raising awareness of good security habits, Boyer added. This starts with being diligent about network configurations and settings, being prepared to identify and remediate events occurring in the network and performing awareness campaigns for network users, both students and staff, to teach them best security practices.

MORE: Best Mac Antivirus Software 2014

Improved security shouldn't entirely fall on the security director's office, however. Students need to understand that they can also help with security vigilance, said Mark Bermingham, director of global B2B product marketing with Moscow-based Kaspersky Lab.

"Recognizing common phishing attacks and/or [not] clicking on files from unknown sources is always a good practice," Bermingham said. "Also, requiring security scans for drives and USBs while connected to campus networks might slow them down, but is a good best practice. They'll also likely require some coaching, as administrative policies like Web, device and app controls may limit their perceived Internet freedom."

Students should also install and use antivirus software — even those who use Macs. Many colleges and universities provide free antivirus software for students and staff.

There are many issues that make security on campus a challenge, ranging from the variety of devices used to the diverse needs of thousands of users. The best approach may be to provide a security education for all students as they return to campus each semester, as well as regular security training for faculty, staff and anyone else connected to the network.

If security doesn't become a higher priority for everyone, only the hackers will succeed.

Follow us @tomsguide, on Facebook and on Google+.