Cybercrime is a growing problem for higher education. Between 2020 and 2021, cyberattacks targeting the education sector increased by 75%. In line with other industries, the education sector is also experiencing a dramatic increase in ransomware attacks. According to the 2022 Verizon Data Breach Investigations Report, 30% of data breaches in the industry were attributed to ransomware attacks.
To better understand the risk that universities face, we used UpGuard’s cybersecurity ratings data to analyze 1500 universities and 5000 university vendors. Specifically, we compared the subgroups of universities that experienced data breaches with the rest of the cohort, as well as vendors that used the Higher Education Community Vendor Assessment Tool (HECVAT) with those that didn't.
The post outlines the top three findings of this study and suggested responses for addressing each identified risk.
Problem: Universities Have Excessively Large Attack Surfaces
In cybersecurity, an attack surface refers to the total sum of all the possible entry points through which an attacker can enter and exploit a system, network, or application. It's the collection of all potential vulnerabilities within a particular digital environment.
The majority of the attack surface for universities and colleges is comprised of web-facing assets, such as domains and sub-domains linking to sensitive internal resources. When an attacker exploits a vulnerability in one of these assets, they gain access to an internal network, resulting in a data breach.
Even if a security flaw doesn't weaken a domain, it's still a potential doorway to an internal network and an extension of its attack surface. So the greater the number of domains associated with a higher education entity, the greater its chances of suffering a data breach.
Our research revealed that educational entities have many domains and IPs in their attack surface:
The top 1,500 universities in the U.S. have an average of 244 domains.
The top 500 universities have an average of 616 domains.
The top 100 universities have an average of 1,580 domains.
- Findings of UpGuard's University security rating data research 2023.
The cybersecurity risks associated with a large domain network are further inflated when this network contains unmaintained sites - sites that remain connected to the internet despite no longer being required. By searching for indicators like default server pages and nonfunctional status codes, UpGuard was able to identify the number of unmaintained sites associated with each University.
The average number of unmaintained sites for each University was 13, approximately 5% of the average number of domains.
- Findings of UpGuard's University security rating data research 2023.
Interestingly, our data showed that as a University's digital footprint grows, the percentage of unmaintained sites slightly decreases; however, the absolute number continues to grow.
For the top 500 and 100 universities, approximately 3.7% of their domains were unmaintained, sometimes totaling hundreds of domains that could be pruned from the attack surface.
- Findings of UpGuard's University security rating data research 2023.
The reason universities have such a large domain network is likely due to faculty staff creating additional websites to better serve different educational requirements. With each website usually requiring the submission of sensitive student data, each new internet-facing asset becomes a high-risk target for cyber attacks.
Unmaintained sites could lead to security incidents since they likely use end-of-life software with exploitable vulnerabilities. Our research confirms this is the case.
45% of all universities were observed with at least one asset running a version of PHP past its end-of-life date. Amongst the top 500 universities, an average of 30 domains were using end-of-life PHP, indicating software that had not been updated in at least two years.
- Findings of UpGuard's University security rating data research 2023.
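The indicators named above (default server pages, nonfunctional status codes, end-of-life PHP) can be checked against an asset inventory you already hold. The following Python code is an added example, not UpGuard's code or methodology; the record layout, marker strings, function names and the PHP end-of-life table are assumptions, and the sample records are constructed.

```python
import re
from datetime import date

# Assumed end-of-life dates per PHP branch; confirm against php.net before use.
PHP_EOL = {(5, 6): date(2018, 12, 31), (7, 0): date(2019, 1, 10),
           (7, 1): date(2019, 12, 1), (7, 2): date(2020, 11, 30),
           (7, 3): date(2021, 12, 6), (7, 4): date(2022, 11, 28),
           (8, 0): date(2023, 11, 26)}
# Body text of stock web server landing pages (illustrative, not exhaustive).
DEFAULT_PAGE_MARKERS = ("apache2 ubuntu default page", "welcome to nginx!",
                        "iis windows server")

def php_is_eol(banner, today):
    """True if an X-Powered-By banner names a PHP branch past end-of-life."""
    m = re.search(r"PHP/(\d+)\.(\d+)", banner)
    if not m:
        return False
    branch = (int(m.group(1)), int(m.group(2)))
    eol = PHP_EOL.get(branch)  # branches newer than the table are not flagged
    return branch < min(PHP_EOL) or (eol is not None and eol < today)

def triage(asset, today):
    """Return the reasons an asset looks unmaintained (empty list if none)."""
    reasons = []
    if asset["status"] >= 400:
        reasons.append(f"nonfunctional status {asset['status']}")
    if any(m in asset.get("body", "").lower() for m in DEFAULT_PAGE_MARKERS):
        reasons.append("default server page")
    headers = {k.lower(): v for k, v in asset.get("headers", {}).items()}
    if php_is_eol(headers.get("x-powered-by", ""), today):
        reasons.append("end-of-life PHP")
    return reasons

def prune_candidates(inventory, today):
    """Map hostname -> reasons, for assets showing at least one indicator."""
    return {a["host"]: why for a in inventory if (why := triage(a, today))}

# Constructed sample records; hostnames use the reserved .example TLD.
SAMPLE = [
    {"host": "www.uni.example", "status": 200, "body": "<h1>Admissions</h1>",
     "headers": {"X-Powered-By": "PHP/8.3.4"}},
    {"host": "lab2014.uni.example", "status": 200, "body": "Welcome to nginx!"},
    {"host": "conf.uni.example", "status": 200,
     "headers": {"x-powered-by": "PHP/5.6.40"}},
    {"host": "old-cms.uni.example", "status": 503},
]

if __name__ == "__main__":
    print(prune_candidates(SAMPLE, date(2023, 6, 1)))
```

Each flagged host is a candidate for review by its owner, not an automatic decommission: a 4xx on the root path or a hidden version banner can both mislead.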
Solution: Reduce Your Attack Surface
The solution to an excessively large attack surface is to liberally prune it down to its absolute minimal volume. Most of this excess fat can be removed by decommissioning all dormant internet-facing assets. This can be done very quickly on the UpGuard platform.
UpGuard's automated discovery process identifies all IPs and domains linked to your organization based on indicators like active and passive DNS, certificates, web archives, and other fingerprinting techniques. This allows you to quickly identify all of your assets and any unmaintained pages.
Decommissioning unmaintained pages is the fastest and easiest method of reducing the size of your attack surface and its complexity, establishing a foundation for secure scaling.
The process of reducing your attack surface and addressing its vulnerabilities is known as Attack Surface Management.
Problem: Universities are at a High Risk of Suffering Data Breaches and Ransomware Attacks
Data breaches can occur through many attack vectors, but Remote Desktop Protocol (RDP) is among the most popular contenders. During a cyber attack, RDP allows attackers to access a compromised computer remotely, establishing the necessary foothold to install ransomware and exfiltrate sensitive data.
According to the FBI, in 2020, RDP provided the initial foothold in 70-80% of data breaches.
Our research data revealed that many universities have at least one open RDP port, significantly increasing their risk of falling victim to data breaches and ransomware attacks.
Across all 1,500 universities, approximately 10% had an open RDP port at the time of our analysis. Amongst the top 500 universities, 23% had at least one open RDP port.
- Findings of UpGuard's University security rating data research 2023.
These findings further highlight the importance of attack surface reduction, as larger footprints tend to increase the likelihood of data breach vectors like open RDP ports. RDPs aren't the only web-facing vulnerabilities being actively targeted by threat actors. Software vulnerabilities also pose significant data breach risks to the higher education industry.
Software products with known exploited vulnerabilities were detected for 48% of all universities and 70% of the top 500.
- Findings of UpGuard's University security rating data research 2023.
Most universities have experienced an attempted ransomware attack, with outcomes ranging from limited service disruption to data exfiltration. Our research shows a correlation between lower security ratings and universities that fall victim to ransomware attacks. The average security score of ransomware victims is in the bottom 25% of all organizations.
While security ratings cannot predict a data breach in any one particular case, in the aggregate, they correlate with data breach susceptibility and can, therefore, be useful for assessing an organization's security posture.
Solution: Implement Data Breach Prevention Security Controls to Address Data Breach Attack Vectors
One of the most effective strategies for reducing data breaches is to deploy security controls across two stages:
- Stage 1 (outside the network): Defend against unauthorized IT network access.
- Stage 2 (within the network): Focus on obfuscating access to sensitive resources inside the IT network.
Ideally, the stage 1 controls will be successful enough to prevent unauthorized network access and the activation of stage 2 controls. In the unfortunate event that stage 1 controls fail, stage 2 controls will hopefully either prevent sensitive resource compromise or stall the attack long enough for security teams to intercept it.
Some examples of stage 1 and 2 security controls include:
- Cyber threat awareness training - Equipping employees to recognize and correctly respond to phishing attacks.
- Internal Vulnerability Detection - The use of risk assessments and security ratings to detect threats such as product misconfigurations, open ports, unmaintained websites, etc.
- Ransomware data leak detection - The detection of sensitive data leaks on the dark web resulting from successful ransomware attacks.
Problem: Universities are at a Higher Risk of Suffering Third-Party Data Breaches
Third-party vendor relationships add a significant complication to the effort of preventing data breaches. Whenever you establish a third-party relationship, your attack surface combines with that of your new third-party vendor, making their security risks your security risks.
Because vendors often process sensitive internal information, when their security risks lead to a data breach, any internal sensitive data they have access to is also compromised - a phenomenon known as a 'third-party breach.'
For example, a legal entity outsourcing document processing to a third-party solution also suffers a data breach when that vendor is compromised and any shared client information is accessed.
Our research revealed a security posture disparity between universities and their vendors, with vendors almost always exhibiting poorer performance.
From a sample of 5,000 vendors monitored by universities using UpGuard, the average security score across 1500 universities was 751. For the vendors, it was 712. More importantly, there was a large percentage of vendors with very low scores. 36% of vendors were below 700, and 17% were below 600.
- Findings of UpGuard's University security rating data research 2023.
These findings show that many universities are unknowingly increasing their risk of suffering third-party breaches through the poor cybersecurity standards of their vendors.
Solution: Universities Should Use HECVAT to Reduce Vendor Risks
The Higher Education Community Vendor Assessment Tool (HECVAT) provides a set of security questions tailored to the cybersecurity challenges of higher education. HECVAT is a free assessment option for identifying third-party breach risks as part of a broader Vendor Risk Management program.
Our research found that vendors participating in the HECVAT Community Broker Index (CBI), a public directory of vendors who completed HECVAT assessments and incorporated HECVAT in their cloud services, exhibited superior security ratings.
For vendors participating in the HECVAT CBI, the average score was 786, a good average security rating. Across the control group of university vendors not in the CBI, the average score was 712.
- Findings of UpGuard's University security rating data research 2023.
Though HECVAT is designed to assess vendors, our research also found that universities that apply the tool to their internal IT ecosystem increased their security posture - likely due to increased security awareness.
In comparing the security ratings of the approximately 100 universities using HECVAT to those not, the HECVAT users fared slightly better, with an average score of 774 compared to 739.
- Findings of UpGuard's University security rating data research 2023.
UpGuard Helps Universities Prevent Third-Party Breaches
UpGuard Vendor Risk is a complete Vendor Risk Management (VRM) solution helping universities detect and address security risks leading to third-party breaches. UpGuard leads by example by implementing HECVAT into its own Vendor Risk Management tools and services, as demonstrated by the platform's inclusion in the HECVAT Community Broker Index.
Some of UpGuard's features specifically addressing the cybersecurity needs of the higher education sector include:
- HECVAT Questionnaire - UpGuard's library of industry-leading questionnaires also includes a HECVAT questionnaire for assessing the security of all cloud services.
- Vendor Tiering - UpGuard's tiering feature helps universities prioritize vendors with security risks most likely to develop into data breaches.
- Continuous Attack Surface Monitoring - By combining security ratings based on 70+ attack vectors with point-in-time assessments, UpGuard provides universities with real-time awareness of their security posture and data breach risks.
- Data Leak Detection - UpGuard helps universities shut down data leaks on the dark web that could expedite third-party data breaches.