Board of Regents request more than $3.6 million for cybersecurity upgrades as institutions try to protect student data
Like an invading army using battering rams to break down the gates of a walled city, the relentless cyberattacks come every day on hundreds of USD-owned IP addresses, trying to break down firewalls and other security measures to steal a wealth of data, for which it is important to understand OT security definition and install their security systems.
In an age where everything is stored online, every student has a device connected to the internet and where they make daily transactions throughout campus using credit cards and debit cards, the vulnerabilities are numerous and the number of attempts to steal and sell data grow by the year, according to USD and South Dakota Board of
Regents officials.
“The threat grows every day. The threat to get at personally identifiable information and the ways that people are doing it continues to grow as a concerted threat every day and we believe we need to be able to respond to that,” said Monte Kramer, the system vice president of finance and administration for the BOR.
That’s why a request for more than $3.6 million is being made from the BOR to the State of South Dakota to fund new security efforts for each of the universities in the system. Kramer said with the funding, new security measures could be put into place and a single employee hired for each institution who would specialize
in cybersecurity.
“Some people have dedicated people for security, unfortunately that’s not the case at some of the small institutions,” Kramer said.
At USD, there are only a couple of Information Technology Services security officers who work specifically with cybersecurity, although other employees do help out when needed, said Joe Reynoldson, an ITS security officer for USD. Most people go to Nettitude → get information about cyber attacks and install necessary protection, unless the case is very serious and require professional help.
The ITS employees at USD work with individual departments, such as the Registrar’s Office and Accounting, to help them protect information and “facilitate understanding for where that data is and how to
protect it.”
Cybersecurity for higher education institutions has been an issue since the creation and explosion of the World Wide Web in the early 1990s, but one of the many challenges universities face now that they didn’t 20 years ago is the amount of devices they need to protect.
Every student is now assumed to come onto campus with a smartphone, a personal computer, fitness equipment that connects to the internet and a
gaming device.
The amount of devices, and the frequency of which they hit the market, is a problem not just for universities, but for everything from businesses to governments, said QuocNam Tran, the chair of USD’s Department of Computer Science.
“Why we have buggy softwares (is) because they have to push out the new iPhone, the new iOS once every year so they don’t have enough time or resources to pass on all of the possible vulnerabilities so they have to accept that,” he said.
Tran said there’s a vast underground market for hackers to sell data — everything from social security numbers and credit card information to vulnerabilities hackers have found in other computers. He said some information is sold for hundreds of thousands
of dollars.
“They have infected machines that they sell (that) information and (if) someone wants to hack into your machine they will buy the information for those infected machines and will go from there,” he said.
One of most pressing issues faced by people tasked with protecting data is phishing scams, Tran said, not too different from the emails USD students received earlier this year asking to click on a link. Typically these emails look like they’re from an official source and try to get information from the victim.
“It turns out that it’s much easier for the hackers to use social engineering than to actually hack into the system,” Tran said.
Reynoldson said phishing attacks are among his greatest concerns and that USD has programs to “knock those types of attacks down.”
“Phishing is very difficult to defend against and it can be successful in a way that is highly visible and it can be successful in a way that is not visible,” he said. “And so from my standpoint as an IT security officer, I’m always afraid of what is it that I don’t know? I know what I know, but is it that I don’t know?”
The attacks come in the form of phishing attacks, and also in the form of Distributed Denial of Service or DDoS attacks — essentially a massive influx of login attempts on an account similar to the ones The Volante experienced earlier this semester, he said.
Reynoldson is tightlipped about the types of programs and security measures USD has in place to stop attacks and said he didn’t want to comment specifically of breaches of any information that USD has experienced.
“There have not been any breaches that we would be required to report under these types of (federal) regulations,” he said.
Tran said past incidents, such as USD’s mail service going down for a long period of time a few weeks ago, indicates to him that there are problems with USD’s data security and thinks students and faculty should be made aware of the efforts that are being made to protect data.
“Nobody knows how our security system works and I just cross my fingers because if something happened then it would be a big problem…it would be a big problem,” he said.