It is clear that the risks of data compromise are as serious as ever, ensuring that the time and energy spent on security within information technology is a worthy investment for any institution. According to the Identity Theft Resource Center (ITRC), more than 16 million data records were compromised in 2010 corporate and government data breaches. A report from September 6, 2011, shows that there have already been more than 13 million records compromised this year.
While the number of breached records is on track to rise this year, trends are prompting data privacy and security experts to scrutinize the IT practices of many institutions including universities. The Office of the Chief Information Officer (CIO) developed Ohio State University’s new Identity and Access Management (IdM) Program and its accompanying my.osu.edu web site with these trends in mind.
Many university e-mail systems, including Ohio State’s, have become the target of advanced phishing attacks. As the messages are disguised as university business, individuals might unknowingly compromise their password by simply responding to what looks like a request from a university authority.
Phishing attacks can result in a stolen university e-mail account being used for spamming. However, most stolen accounts are not used for this purpose, so victims end up giving away more sensitive data the longer they keep their compromised password. By resetting passwords frequently, account holders protect themselves from this covert victimization.
Data privacy and security is especially significant in a university setting. “The University is entrusted with a lot of sensitive data, and it’s everyone’s responsibility to do their part to ensure the security of our networks,” said Shawn Sines, IT security and outreach specialist for the Office of the CIO.
He explained the many aspects of data security that are particular to the university, from students’ personal data and academic records protected by FERPA and HIPAA, to financial account numbers and research data that the university is contractually obligated to secure.
As the university is entrusted with this responsibility, it is clear to cyber criminals that institutional data are of potential value. Sometimes hackers are paid to crack passwords for university usernames. The accounts are then sold to a buyer with malicious intentions of any kind.
Insecure networks and inadequate security practices can pose a threat to sensitive data such as research findings, collaborations involving intellectual property, and even chemical abstracts within science and medical labs. In order to preserve its professional relationships, its integrity and the safety of its community members, Ohio State is continually improving security standards, including Password Practices. This new set of password-security criteria for systems and applications has made its first impact on the university by rolling out new requirements related to Ohio State Usernames and their passwords.
With the reset cycle, users end up utilizing other password safety practices as well. For example, new passwords cannot be reused. This could eradicate the common—but very unsafe—habit of using the same password for multiple accounts, said Al Stutz, CIO of Avetec, a non-profit public benefit research organization.
Matt Curtin, founder of Interhack, an information security firm, emphasized that resetting is not the only practice needed to secure a user’s data within their account. Other good habits must contribute, such as maintaining a strong, lengthy password with upper- and lower-case letters, numbers and special characters.
“The most important thing is to have good intuition about passwords,” Curtin said. “That’s actually not too hard to develop; it requires only an understanding of how passwords are used and how they’re defeated… Passwords shouldn’t be easily guessed. Not just by people, but by computers that have the ability to try many passwords very quickly.”
Curtin said that some of the worst password habits he has witnessed are “giving your password to someone (or to another application—did you type your Gmail password into Facebook?), using a word that a computer would pull from a list and try, using the same password for every system, and using something that someone else could guess.”
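The rules described above (a reset cycle that forbids reusing a previous password, length and character-class requirements, and rejecting words a guessing program would try) can be expressed as a single policy check. The following is an added illustration, not code from Ohio State or from the people quoted; the minimum length, the small wordlist and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the wordlists a password-guessing program would try.
COMMON_WORDS = {"password", "buckeyes", "welcome", "letmein", "qwerty", "football"}
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the real system


def hash_password(password, salt=None):
    """Return (salt, key) so that password history is stored as salted hashes, never plaintext."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def matches_history(password, history):
    """True if the candidate equals any previously used password (the no-reuse rule)."""
    for salt, key in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, key):
            return True
    return False


def check_password(password, history=(), min_length=12):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "digit": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"missing a {name}")
    # Strip digits and symbols first so that "Buckeyes2011!" is still caught as a dictionary word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in COMMON_WORDS or password.lower() in COMMON_WORDS:
        problems.append("based on a word a guessing program would try")
    if matches_history(password, list(history)):
        problems.append("reuses a previous password")
    return problems
```

A real deployment would keep the last N entries per user in `history` and run `check_password` at every reset.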
While security is the primary focus, the university still recognizes the convenience of the user. The Office of the CIO has synchronized more systems to use the Ohio State Username (name.#) criteria, such as the OSU Wireless network. However, making one password work for so many access points does increase some data security risks, hence the focus on improved password practices.
While Ohio State does everything in its power to keep its systems secure, hackers are continuously adapting. There is a crucial need for partnership between IT security and end-users from the Ohio State community.
“Enforcing a password reset cycle both empowers and equips each user with the responsibility to keep their data, and others’, secure,” Sines said.