In answer to the question “Are University Records Safe from Cyber Attacks?”, the answer is no, they are just as safe as any other complex and extensive, often multi-site corporate network. To be sure, the University will take all possible and reasonable measures to ensure cybersecurity. Still, as the FBI said, the only secure system is one that hasn’t been hacked yet.
While a University is often thought of in purely academic terms, it has all the characteristics of any other large organisation. It has Business Management, Education Management, and Student Management components.
Typically, a University has an extensive network supporting these functions. In recent times, many Universities have moved from a cabled environment to one based around ubiquitous WiFi coverage providing network access to all areas of campus instead of just buildings. This brings new security challenges.
A stable, reliable, robust, and performant network with supportable and effective Cyber Security Solutions is essential for a University to be able to function in all three areas of operation.
In practical terms, therefore, a University operates at least three primary networks over the same physical infrastructure. An Administrative staff network, an academic network, and a student network.
Similarly, Cyber Security needs will vary between the three primary networks:
- Highly controlled access to operational systems like access control, recording of examination results and financial systems;
- Controlled access to other operational systems; and
- Controlled access to an Internet Gateway. Guest users will stay outside the Institutional firewall, with access only to the Internet, usually with time-based and usage restrictions. Registered users will have full access to internal systems and to the Internet, perhaps with time-based and usage restrictions to implement a fair-use policy.
With few exceptions, it is unlikely that any single user will have access to a full range of functions.
The common goal in a University is user-based authentication which restricts the user to a predefined suite of functional areas and operations within those areas. This will be a combination of overall network access control and access controls within the application itself. The ultimate objective will be for a Single-Sign-On (“SSO”) environment leading to a single menu of available functions.
With the advent of WiFi and ubiquitous Internet access, the primary security model is built around casual and authorised users.
An authorised user is anyone that has a defined relationship with the University and has credentials that allows them to use University systems and data within their limits of authority. Examples include Academic and non-Academic staff, undergraduate and postgraduate students, contractors, and visitors.
Casual users have no such formal relationship. They can connect to the network, but are not allowed inside the Institutional firewall. They will be restricted to Internet access only and may be subject to time-limited access, restricted website access, and bandwidth and download restrictions.
Universities are open to cyber attacks in the same way as any other extensive network, but in this case, the enemy could already be inside the gates. Remember that the Computer Science department will have many highly skilled and competent hackers. In many Universities, ethical hacking is a study subject.
The objects of an attack can be the standard business objectives of financial gain, and because academic qualifications can be essential to professional advancement, an individual’s academic records. Intellectual Property can also be under threat.
One typical student hack is to set up virtual private networks inside the University network to support closed-group role-playing games and to bypass any usage restrictions.
In terms of hacking of administrative systems, they can be hacked, with similar objectives to those of hacking commercial businesses. Most known attacks have been by administrative staff misusing access credentials to enable traditional paper-based frauds. Not actual hacking, but mostly stealing other user’s passwords.
Academic systems are also targets for hacking. They could be hacked to enable enrolment, falsify exam results, the class of degree awarded, or indeed if a degree was awarded at all. There has been a court case recently in the US where the administrative staff was suborned to adjust potential student’s attainment records to ensure they were offered a place at the Institution.
Again, specific security measures are adopted to protect academic records from unauthorised tampering, both by cybersecurity measures and by administrative oversight. Thee are usually legal requirements to archive academic records for some time after graduation, and the archives are also subject to protection against intrusion.
A further potential area of attack is research records. Many companies supporting, and paying for research assistance from a University are fearful of their research data being stolen. They often require that any computer facilities supporting their research team are entirely physically or logically separate from the University network, even air-gapped in some cases.
In broader terms, most Universities are keenly aware of the need to protect Intellectual Property, both their own and that of their research partners.