Technologic advances occur at a rapid pace, with new devices coming out at frequent intervals. These new devices are appealing to college students who want to do everything as quickly and easily as possible. Because of the numerous smartphones, tablets, and laptops used by students and employees, college campuses face various security issues from mobile devices that connect to the network, often unintentionally. Identification of Threats
There are many threats a network faces when the IT department allows students to connect to the network or Internet using mobile devices. Some threats affect the campus network only, while other threats directly affect students or employees. For the campus network, threats include Social media vulnerabilities,
Unauthorized access to employee or student information, and Email attacks (phishing)
For students, the main threat comes from identity theft, often a result of inappropriate practices connected to social media and email attacks. Often, attacks to a college network occur because of unintentional and misguided errors from students. Information Vulnerabilities
Students use mobile devices, ranging from smartphones to tablets to laptops, to access class schedules, grades, email, and social network sites. Many devices have the capability to store user ID’s and passwords but personal security measures on these devices are not stringent, making it easy for an unauthorized person to intercept this information. Even though a college computer network may have numerous levels of protection, the system cannot easily track student authentication when mobile devices are used. This lack of authentication provides easy access for even a semi-skilled hacker to the user ID/password combination. Once the hacker has this information, he or she can take over social media and email accounts, launch phishing attacks on the contacts of that account, and gain further access to additional personal information. If a contact happens to be an instructor or advisor, the hacker has a chance to access the college network directly, thereby putting all student and employee information at risk. While some attacks are directed at specific targets, most security threats are connected to unintentional or uninformed practices that open a back door. An unethical person will take advantage of this back door to gain access to a network. Value of Information
The personal information of students and employees contained in a college database requires protection for numerous reasons. This data often includes addresses, telephone numbers, bank information, or even credit histories and tax information. Protection for this data is often mandated by legal regulations at state and federal levels. The college values the trust its employees and students place on the protections provided by campus network security techniques. Security breaches threaten this trust, and without trust, the college could lose employees, students, and supporters. There is even the potential to lose federally supplied tuitions or grant money that supports important programs. This puts the future of the college at risk. Additionally, any security breaches could result in regulatory fines at various levels if it is determined that the college network did not sufficiently protect the sensitive information. Risk Management Techniques
If the campus has security techniques in place, there are numerous ways to test the system. One way is through vulnerability assessment, also known as penetration testing. This method allows “an information security professional to thoroughly test an organization’s information assets and their security posture up to and including actually gaining access to the root information” (Whitman & Mattord, 2011, pg. 64). This testing is part of a risk management assessment and allows the college IT department to see where additional security protocols are needed. Risk management includes the “overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective to take to control these risks” (Conklin et al, 2012, pg. 678). For the proper development of risk management techniques, every person at every level of the organization, especially those involved in the Information Security (IS) department “must be actively involved in the following activities: Evaluating the risk controls
Determining which control options are cost effective
Acquiring or installing the appropriate controls
Overseeing processes to ensure that the controls remain effective Identifying risks, which includes:
Creating an inventory of information assets
Classifying and organizing those assets into meaningful groups Assigning a value to each information asset
Identifying threats to the cataloged assets
Pinpointing vulnerable assets by tying specific threats to specific assets Assessing risks, which includes:
Determining the likelihood that vulnerable systems will be attacked by specific threats Assessing the relative risk facing the organization’s information assets, so that risk management and control activities can focus on assets that require the most urgent and immediate attention Calculating the risks to which assets are exposed in their current setting Looking in a general way at controls that might come into play for identified vulnerabilities and ways to control the risks that the assets face Documenting the findings of risk identification and assessment Summarizing the findings, which involves stating the conclusions of the analysis stage of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to mitigate risk” (Whitman & Mattord, 2010, pg. 278).
Legal, Ethical, and Regulatory Requirements
People deliver sensitive data to organizations that have a clear need of it and that they trust to have their best interests in mind. Because a college campus has access to sensitive financial data, including tax information, bank accounts, and federal financial aid, there are many ethical and legal reasons to have enhanced network security. If a breach does occur, not only is it detrimental to the people involved, but the college could face the loss of reputation, large financial penalties, and possibly expensive lawsuits. From an ethical standpoint, the personnel in charge of analyzing, developing, and maintaining security protocols should have the proper training and knowledge about what data the campus believes important and what protocols or procedures are in place to protect it. Integrity and honesty are also important for ethical practices.
The college must validate and authenticate each person having access to the system, especially those handling sensitive information. Additionally, employees should receive training on the best practices needed to follow the college policies on password and network access and what threats to watch for. From a legal perspective, there are state, federal, and international regulations governing protection of confidential information. There are various laws and repercussions covering the types of crimes committed using computers and the Internet. These crimes are also known as cybercrimes and include Computer-assisted attacks,
Computer-targeted attacks, and
Each type of attack is dependent upon how intensive the computer use was when the attack happened. Because most cybercrimes involve an attack to gain unauthorized access, many laws focus on computer-targeted crimes designed to commit fraud or identity theft. One major set of laws, developed to levy fines and punishments when fraud or theft occurs, is the Computer Fraud and Abuse Act (CFAA). The second set of laws that govern the personal information collected by organizations is the Electronic Communications Privacy Act (ECPA). This act was passed in 1986 and “resulted from the increasing use of computers and other technology specific to telecommunications [and] address[es] e-mail, cellular communications, workplace privacy, and a host of other issues related to communicating electronically” (Conklin et al, 2012, pg. 615). The use of smartphones and mobile devices by students and employees at a college campus make the rules contained in the ECPA more valid than before because of the numerous avenues of access available to an unauthorized user. Conclusion
Security breaches are serious problems in the computer age because data and information are stored electronically and people have an expectation of privacy. The Internet and other web services make it easy for a user to obtain unauthorized access to confidential information. When an organization, even a college campus, recognizes the value of the information and assesses the risks, threats, and vulnerabilities, appropriate security practices and risk management techniques help secure confidential and personal information in this constantly growing, electronically connected environment.
Conklin, W. A., White, G., Williams, D., Davis, R., & Cothren, C. (2012). Principles of computer security: CompTIA Security+™ and beyond (3rd ed.). New York, NY: McGraw Hill. Whitman, M. E., & Mattord, H. J. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology. Whitman, M. E., & Mattord, H. J. (2011). Readings and cases in information security: Law and ethics. Boston, MA: Course Technology.