By Anthony Bettini, CTO, WhiteHat Security
For decades, researchers and students from around the world have come to American universities and colleges to study, collaborate, research, and innovate under the auspices of academic openness. Unfortunately, that same openness has made universities and colleges attractive targets for nation-state hackers, cybercriminals, and, reportedly, espionage operations. Part of the reason is that these institutions hold massive amounts of valuable data: vital information on government projects and research, personal data of students and professors, financial and health information, and much more.
While higher education has been gradually increasing the number of online classes, the recent global pandemic has accelerated the process dramatically. Universities and colleges have had to quickly procure or build additional applications to accommodate distance learning and deliver to their students the same quality of educational experience they would previously have had on campus and in person. The emergency transition to online classes this past spring, and the uncertainty about the upcoming fall, adds to the risk of security vulnerabilities and compounds the stress on IT administrators, who are responsible for safeguarding staff and student privacy.
In fact, New York City-based security analytics firm SecurityScorecard ranked education last among 17 major industries for cybersecurity preparedness. This lack of vigilance is further illustrated by the growing number of cybersecurity incidents at higher education institutions in recent years. For example, Harvard University, Stanford University, the University of Connecticut, Oregon State University, and many others are all reported to have experienced security breaches of varying degrees.
Make Application Security a Priority
One of the first and easiest steps to ensuring that security remains a priority, either on or off-campus, is to focus on application security.
For some time now, universities and colleges have used software applications in the classroom and throughout the campus experience to aid students, professors, researchers, and visitors in their work. However, the current global health concerns have forced many schools to re-examine their remote education tools and implement new applications to augment distance learning capabilities amid uncertainty. This is especially true for schools that plan to keep classes online-only in the fall. Under the high-pressure circumstances of managing the expectations of professors, students, and even parents while preparing for an atypical college experience, it is easy to overlook proper security protocols in the technology. There are several causes of this security oversight, and not all of the responsibility falls on the universities. Sometimes software vendors cut corners in the development process, and that can leave vulnerabilities in applications that are easy for hackers to exploit.
Applications Need Rigorous Testing Before Deployment
Most higher education institutions rely on a mix of in-house and third-party applications for instruction, including Blackboard, Canvas, and others. Regardless of where or from whom the applications are sourced, they must be rigorously tested for vulnerabilities and exploits before they are deployed for use at the university.
To know whether an application has been properly tested and secured, university IT teams should thoroughly research the products they are considering and understand the apps as well as possible. If they are confident in the development process used and are assured that appropriate testing and scanning was completed with dynamic application security testing (DAST), static application security testing (SAST), and software composition analysis (SCA), that is a step in the right direction. Any failure to properly test and secure applications will undoubtedly leave students, professors, administration, and university property vulnerable to exploits and hackers.
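As an added illustration of what the SCA step above actually checks (this is example code written for this article, not WhiteHat Security's product or any university's tooling), the script below parses a pinned dependency manifest and flags any package whose version falls inside a known-vulnerable range. The manifest, the package names, and the advisory feed with its `EXAMPLE-ADV-` identifiers are all constructed sample data; a real SCA tool would pull advisories from a maintained vulnerability database and understand each ecosystem's version syntax.

```python
"""
Minimal software-composition-analysis (SCA) style gate.
Added example: the advisory list and the manifest below are constructed
sample data, not real advisories or a real project's dependencies.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    # "1.10.2" -> (1, 10, 2); tuples compare numerically, so 1.10 > 1.9
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str      # placeholder id, constructed for this example
    introduced: Version   # first affected version (inclusive)
    fixed: Version        # first fixed version (exclusive)


# Constructed advisory feed, standing in for a real vulnerability database
ADVISORIES: List[Advisory] = [
    Advisory("lms-grader", "EXAMPLE-ADV-0001", parse_version("1.0.0"), parse_version("1.4.2")),
    Advisory("video-embed", "EXAMPLE-ADV-0002", parse_version("2.0.0"), parse_version("2.3.0")),
]


def parse_manifest(text: str) -> Dict[str, Version]:
    """Parse 'name==version' lines (blank lines and '#' comments ignored)."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            # An unpinned dependency cannot be assessed; fail closed.
            raise ValueError(f"unpinned dependency, cannot assess: {line!r}")
        name, ver = line.split("==", 1)
        pins[name.strip().lower()] = parse_version(ver)
    return pins


def is_affected(version: Version, adv: Advisory) -> bool:
    return adv.introduced <= version < adv.fixed


def find_vulnerable(pins: Dict[str, Version]) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory_id) for every pin inside a vulnerable range."""
    hits = []
    for name, version in pins.items():
        for adv in ADVISORIES:
            if adv.package == name and is_affected(version, adv):
                hits.append((name, ".".join(map(str, version)), adv.advisory_id))
    return hits


# Constructed manifest for a hypothetical distance-learning portal
SAMPLE_MANIFEST = """
lms-grader==1.3.7
video-embed==2.3.1
quiz-widget==0.9.0   # no advisories in the constructed feed
"""


def gate(manifest_text: str) -> bool:
    """Deployment gate: True only if no pinned dependency is in a known-vulnerable range."""
    return not find_vulnerable(parse_manifest(manifest_text))


if __name__ == "__main__":
    for pkg, ver, adv in find_vulnerable(parse_manifest(SAMPLE_MANIFEST)):
        print(f"BLOCK: {pkg}=={ver} matches {adv}")
    print("gate passes" if gate(SAMPLE_MANIFEST) else "gate fails")
```

Run against the constructed manifest, the gate fails because `lms-grader==1.3.7` sits inside the affected range of the first advisory, while `video-embed==2.3.1` is already at or past its fixed version. The same question an IT team should put to a vendor is whether a check of this kind was run, and against which advisory sources, before the application shipped.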
Security Training for Students
Another priority in securing a university or college is educating students and faculty about the common ways cyberattacks on applications and campus networks begin. These include phishing attacks, human error, and techniques such as formjacking. Most, if not all, schools offer an orientation for new students, and an orientation session is a perfect opportunity to highlight cybersecurity risks and help students understand how to safeguard themselves and their personal data from attempts by malicious actors to gain unauthorized access to campus applications.
Of course, it is always a good idea to remind returning students of the practical security measures that protect them. To be sure all students are helping to prevent data exposure and cyberattacks, these reminders can be delivered as an informative video shown during class, or perhaps as a required step in the class registration process.
Share the Responsibility of Security
No matter the circumstance, application security must not take a backseat when developing applications for use in higher education. As with K-12, higher education institutions must share the responsibility for the security of the applications they use. This means investing time and resources to ensure that the tools, software programs, and applications are safe, secure, and free of known vulnerabilities and exploits.
About the Author
Anthony Bettini is the CTO for WhiteHat Security, the leader in application security, enabling businesses to protect critical data, ensure compliance, and manage risk. Previously, Anthony ran Tenable Research where he joined via Tenable’s acquisition of FlawCheck – a leading container security startup where he served as the CEO & founder. Before its acquisition by Symantec, Anthony was CEO & founder of Appthority, a leading mobile security startup and winner of the “Most Innovative Company of the Year” award at the RSA Conference.