Modernizing Vulnerability Management at Higher Education Institutions
Colleges and universities are heavily targeted by cybercriminals that seek to exploit vulnerabilities and trick staff members to infect systems with malware, spyware, and ransomware. In order to protect their sensitive data, these institutions must apply patches to vulnerabilities that are discovered in any software they’re using.
IT teams, however, often struggle to keep up with patching as vulnerabilities are discovered at a rapid pace. Moreover, taking Linux systems offline so that they execute a reboot that’s necessary to deploy a patch means that maintenance windows need to be announced, which is downtime that nobody wants to deal with.
Fortunately, there are technologies that IT teams or SecOps teams at colleges and universities can leverage to accelerate their Linux patching timelines and minimize patching-related downtime – no matter which combination of Linux distributions they use.
Hackers Continue to Target Universities
Global and national universities are targets of malevolent actors ranging from the typical criminal to state-sponsored cyber attack groups. Higher education institutions often store the personal information of their students and faculty, as well as valuable research data, at the risk of that information being stolen and sold on the black market or taken hostage in a ransomware attack.
Though higher education is becoming more aware of these cyber dangers, the sector faces increased challenges with budgets and internal cybersecurity expertise.
The U.S. Department of Homeland Security evaluated the status of cybersecurity by industry and found that higher education institutions ranked near the bottom. This issue is not limited to the United States. According to a July 2022 report issued by the UK government, an appalling 92% of higher education institutions in that country experienced an attack or intrusion within the prior year.
Cyber Threats from Within
Higher education’s assets include research data and personal information belonging to students, faculty, and donors. While external hackers and cyber criminals continue to develop more sophisticated attack methods to access and steal this valuable data, universities also face a significantly challenging attack vector: insider threats.
University programs in computer science, physics, and engineering are a double-edged sword. The university trains students to become software engineers, cybersecurity engineers, and network architects, but at the same time gives them the skills they need to become more capable hackers later on.
Hackers also deploy ransomware with help from a student inside the school. Students are frequently extorted into cooperating by external hackers through email phishing attacks.
To address this growing concern of insider threats, many universities have begun to create micro-segmentation networks and cloud-based labs in lieu of traditional on-premise teaching platforms. Isolating the educational learning systems away from the core university systems, including finance, research, and student data, reduces the attack surface for student hackers. However, this deterrent still has little hope of reducing the attack attempts from students and disgruntled faculty members.
Security Breaches Against Higher Education
Many universities and research establishments store confidential non-public information, from industry secrets concerning upcoming products to classified military studies. Cybercriminals are after this info for a variety of reasons.
Example 1: The University of Zagreb faced a significant threat. As at other educational institutions, cybercriminals attempting to access confidential military research data constantly attacked the networks held within the university’s data centers.
Example 2: Suffolk University reported a data breach to the attorney general’s offices of several states after discovering that an unauthorized user had accessed and extracted student information, including passports, driver’s licenses, and financial records.
Example 3: Sierra College informed the Montana Attorney General of a data breach caused by a ransomware attack on the school. This breach allowed hackers to access personal details, including names, addresses, and medical records of specific students and employees.
Example 4: In 2022, Knox College suffered from a ransomware attack targeting university financial systems. This incident marks the first known case in the U.S. in which hackers used their access to contact students directly to intimidate and extort.
Besides research data and sensitive personal data belonging to students and staff, learning institutions host sensitive donor information from private contributors, global corporations, and government agencies. Cybercriminals continuously attempt to steal this sensitive data by exploiting known and unknown vulnerabilities – and a breach of this information could affect future enrollment and funding opportunities.
Protecting Research Data Critical for University Grant Pipelines
A critical source of funding for higher education in the US is research grants. Many institutions, corporations, and government agencies offer to fund universities to build new laboratories and science centers, providing real-world experience for professors and students. The university gains international recognition and attracts top-of-class students through the grant pipeline.
The data created through research grants becomes mutually shared intellectual property of the university and the funding source. This intellectual property can create a future financial windfall for the university.
Cybersecurity attacks can significantly affect current and future grants if the university suffers data breaches or violations of data privacy. Institutions and government agencies often mandate that universities adhere to data privacy compliance regimes before receiving any funding. Many funding sources also periodically require universities to undergo a third-party cybersecurity risk assessment and penetration test to validate that all necessary adaptive security controls are in place.
What Compliances Must Higher Education Institutions Achieve?
Higher education systems collect and store various forms of information, including financial and research data. All stored data falls within a compliance or privacy mandate requiring the university to satisfy strict security regulations.
- Many universities process payment card transactions and store payment card data belonging to students.
- Higher education institutions will conduct research for public and private corporations requiring extensive data protection and restrictive access control.
Here are two compliance regimes that universities will likely need to satisfy:
Payment Card Industry Data Security Standard (PCI DSS)
Throughout the university and higher education system, payment cards have become accepted for everything from paying tuition to purchasing items at the school bookstore and buying food and drinks at the campus coffee shop. Universities accepting payment cards must comply with PCI DSS mandates. Hackers and cybercriminals target university payment systems, especially ones outsourced to third-party providers: by attacking one provider, hackers can affect several universities in a single attack.
In 2021, hackers breached the credit card system of Boston University’s student bookstore. The attack, which targeted the third-party credit card processing provider, affected Boston University and other higher education institutions.
Patching a Necessity to PCI Compliance
PCI DSS Requirement 6.2 requires protecting all system components and software from known vulnerabilities by installing the vendor’s applicable security patches. On a payment card processing host system, all patches must be implemented within 30 days of the publication of a CVE.
Organizations often rely on patching only critical CVEs to reduce the downtime of their payments processing platforms. However, regardless of internal risk classification, PCI auditors will hold the organization accountable to PCI 6.2, irrespective of the risk level.
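As an added example (not TuxCare’s code or part of the original article), the check below applies the 30-day PCI window described above to a constructed set of scanner findings. It deliberately ignores the severity field, because Requirement 6.2 applies regardless of internal risk classification; host names and CVE identifiers are placeholders, not real advisories.

```python
"""PCI DSS 6.2 patch-window check over vulnerability findings (constructed data)."""
from datetime import date, timedelta

PCI_PATCH_WINDOW = timedelta(days=30)   # window stated for PCI hosts
DUE_SOON_NOTICE = timedelta(days=7)     # assumed early-warning threshold

# Constructed sample export from a scanner / patch-management tool.
# CVE ids and host names are placeholders. 'pci_scope' marks card-processing hosts.
FINDINGS = [
    {"host": "pay-web-01", "pci_scope": True,  "cve": "CVE-0000-0001",
     "published": date(2022, 5, 2),  "severity": "low",      "patched_on": None},
    {"host": "pay-web-01", "pci_scope": True,  "cve": "CVE-0000-0002",
     "published": date(2022, 5, 20), "severity": "critical", "patched_on": date(2022, 6, 1)},
    {"host": "lms-app-03", "pci_scope": False, "cve": "CVE-0000-0003",
     "published": date(2022, 4, 1),  "severity": "high",     "patched_on": None},
    {"host": "pay-db-01",  "pci_scope": True,  "cve": "CVE-0000-0004",
     "published": date(2022, 5, 25), "severity": "medium",   "patched_on": None},
]


def pci_deadline(published):
    """Last acceptable patch date: CVE publication plus the 30-day window."""
    return published + PCI_PATCH_WINDOW


def classify(finding, today):
    """Status of one finding against the PCI window.

    Severity is intentionally not consulted: an auditor holds the organization
    to the window for every CVE on an in-scope host, not only critical ones.
    """
    if not finding["pci_scope"]:
        return "out_of_scope"
    deadline = pci_deadline(finding["published"])
    if finding["patched_on"] is not None:
        return "ok" if finding["patched_on"] <= deadline else "late"
    if today > deadline:
        return "overdue"
    return "due_soon" if today + DUE_SOON_NOTICE > deadline else "open"


def pci_report(findings, today):
    """Group CVE ids by status so overdue items surface first in a review."""
    report = {}
    for finding in findings:
        report.setdefault(classify(finding, today), []).append(finding["cve"])
    return report


if __name__ == "__main__":
    for status, cves in sorted(pci_report(FINDINGS, date(2022, 6, 10)).items()):
        print(f"{status:13s} {', '.join(cves)}")
```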
To make complying with PCI DSS patching requirements easier, colleges and universities can automate their patching lifecycles and completely avoid patching-related downtime by implementing a live patching solution. Live patching deploys CVE patches while Linux systems are running, so organizations don’t need to reboot, and patch deployment can be automated so that IT teams minimize the time they spend on patching.
With a live patching approach, vulnerability patching can be one more PCI compliance component that gets put on autopilot so that university staff can spend more time on other critical tasks.
NIST 800-171
Universities and higher education institutions designated as research facilities receiving federal government grants must comply with NIST 800-171.
NIST 800-171 applies to Controlled Unclassified Information (CUI) shared by the federal government with a non-federal entity. In higher education, the federal government often shares data with institutions for research or in carrying out the work of federal agencies.
Under NIST 800, the maintenance section, or MA, details specific controls that require organizations to follow a recommended workflow for patching systems:
All systems, devices, and applications used by an organization must be maintained according to manufacturer software patch recommendations or organizationally defined schedules for updating systems.
MA-6: Timely Maintenance
Organizations identify system components that can create risk for operations and assets, individuals, other organizations, and the country if they don’t work correctly. To fix this, they should have patching and remediation capability to update all systems regardless of location.
MA-7: Field Maintenance (Decentralized IT)
Once a system or component is in the field, the organization should perform all software and hardware maintenance needed to keep it within vendor and industry standards. Universities should take extra care in patching systems in a decentralized environment: many smaller university departments create their own databases, cloud instances, and identity systems, exposing the university-wide network to greater risk.
Simplifying Vulnerability Patching for NIST 800-171
Patching critical systems hosting research data within the university data center or cloud is crucial to maintaining compliance with NIST 800-171. Universities that hesitate to patch production research systems because they expect lengthy service interruptions can adopt a live patching approach to shrink the downtime they need to schedule and to avoid patching-related reboots. Live patching also minimizes the risk of the institution being exploited by a possible zero-day attack.
Cyber attacks and data loss are ever-present threats the education sector faces, as it is often ranked as one of the industries most affected by cyber crime. With vast volumes of sensitive research data, it’s vital that colleges and universities quickly patch vulnerabilities that put their assets at risk.
TuxCare’s automated live patching solutions protect Linux systems by rapidly eliminating vulnerabilities without organizations needing to wait for maintenance windows or downtime.
With TuxCare, SecOps, DevSecOps, and general IT teams at colleges and universities can automate taking new patches through staging, testing, and production on all popular Linux distributions while avoiding patching-related downtime and reboots.
TuxCare also offers live patching for shared libraries, databases, virtual machine environments, and IoT devices. Plus, TuxCare live patching can cover all popular enterprise Linux distributions, unlike many live patching alternatives that are only functional for a single distribution.
Schedule a conversation with one of our experts to get a personalized explanation of how TuxCare’s live patching automation works.