The first steps in reducing the embarrassing frequency of college system breaches
Here’s a scenario that could happen to anybody in any organization. But with the staggering number of information security breaches occurring at colleges and universities recently, this scenario is perhaps more common within educational institutions.
A university professor receives an email from another colleague working in the university. The subject line says, “Here’s a good way to stop students from cheating on assignments and exams…” When the email is opened, there is a forwarded message that has a pitch for a free teleseminar on iron-clad techniques that discourage students from sharing assignments. This sounds like a panacea in a world where students are getting too street-wise for professors to maintain control over their evaluation system. So, the prof clicks on the link.
Without knowing anything is wrong, he looks at the website and decides it’s just hype, and goes back to work.
With that one mouse click, the prof’s computer is now infected with a “Zombie” program, putting his system under the control of a remote master who may use it to launch attacks on other computers in the network, or may simply collect online banking information. At this point, the possibilities are endless.
There are many approaches to protecting against this type of event. However, the first order of business should be to restrict access to any directory containing email addresses of university staff, students and other individuals using the institution’s network. Very often, according to Paul and Larry (the two very respectable, if somewhat irreverent, security experts and proprietors of the http://www.PaulDotCom.com website and podcast), email addresses are all too easy to harvest at educational institutions. Perhaps it is because of the informal mixing and collaboration of employees (professors and researchers) and customers (students) on campus that there is pressure to extend this relaxed atmosphere to the computer network infrastructure they all share.
This makes it very easy for hackers or spammers to use tools that can locate and collect email addresses. The next step in creating a successful attack is more complicated, though. The attacker needs to find a system with a vulnerability they can exploit through having the victims visit a website designed to infect their computer. It won’t be successful with every visitor, depending on what versions of software they are using and what type of anti-malware (anti-virus, anti-spyware, etc.) protection they have.
At this point, all the attacker has to do is create an enticing email with a link and put a colleague’s email address as the sender, which is very easy to do if they’ve just harvested everybody’s email addresses from the university’s central directory. By the way, email sender names are easy to forge, which means you shouldn’t automatically point the finger at the apparent sender of the message in your inbox. They may have done nothing more than have their name in the directory of the organization being attacked. Hackers use this method to deflect the blame, which buys them lots of time.
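Because the From: line is so easily forged, the useful evidence sits in the headers the mail servers add along the way, not in the displayed sender. The following is an added example (not code from the original post) showing how a mail administrator might flag a message that claims a campus colleague as sender but whose envelope sender, earliest relay hop, or authentication results say otherwise. The domain `example.edu`, the host names and the sample message are all constructed placeholders; the `Authentication-Results` check assumes the receiving server records SPF and DKIM outcomes in that header.

```python
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.edu"  # assumption: the institution's own mail domain

# Constructed sample: From: claims a campus colleague, but the envelope sender
# and the oldest Received: hop both point outside the institution.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP; Thu, 24 Jul 2008 05:00:00 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.edu with ESMTP; Thu, 24 Jul 2008 04:59:58 +0000
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mailer.example.net
From: "A. Colleague" <colleague@example.edu>
To: professor@example.edu
Subject: Here's a good way to stop students from cheating on assignments and exams...

Forwarded message follows.
"""


def _domain(address):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _earliest_hop(msg):
    """Host named in the oldest Received: header (servers prepend, so it is last)."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    m = re.search(r"from\s+([^\s(]+)", received[-1])
    return m.group(1).lower() if m else ""


def _is_internal_host(host, internal_domain):
    return host == internal_domain or host.endswith("." + internal_domain)


def spoofed_sender_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return a list of reasons a message claiming an internal From: looks forged.

    An empty list means either the From: is not internal (not our concern here)
    or nothing in the headers contradicts the claimed sender.
    """
    msg = email.message_from_string(raw_message)
    indicators = []

    _, from_addr = parseaddr(msg.get("From", ""))
    if _domain(from_addr) != internal_domain:
        return indicators

    # Envelope sender (Return-Path) is set by the sending system, not the From: line.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    if envelope and _domain(envelope) != internal_domain:
        indicators.append(f"envelope sender {envelope} is outside {internal_domain}")

    # A genuinely internal message should enter the mail system from an internal host.
    hop = _earliest_hop(msg)
    if hop and not _is_internal_host(hop, internal_domain):
        indicators.append(f"earliest hop {hop} is outside {internal_domain}")

    # Assumption: the receiving MX records SPF/DKIM results in Authentication-Results.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim"):
        if f"{check}=fail" in auth:
            indicators.append(f"{check} check failed")

    return indicators


if __name__ == "__main__":
    for reason in spoofed_sender_indicators(SAMPLE_MESSAGE):
        print("suspicious:", reason)
```

The point of the three checks is that each is written by a different party than the one who typed the From: line, so a forger has to defeat all of them rather than just one; a message with an internal From: and no indicators is still not proof of authenticity, but one with several indicators is a poor basis for blaming the named colleague.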
This type of attack is known as phishing, or spear-phishing if it is targeted specifically at a certain person or group of people that have a common interest. The personalized nature of the email makes it more compelling to open and follow the links. The website can tell in an instant if the computer has any of the currently known vulnerabilities that can be exploited to gain control of the computer, and can launch the attack without the user’s knowledge.
So, why not raise the bar for the attackers? They should not be free to roam your institution’s directories without authenticating themselves, usually with a userid and password. Authentication not only limits who can access the service; if somebody with legitimate access collects the email addresses, there are also ways to identify them and take action against them.
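To make the two halves of that argument concrete, here is an added example (not code from the original post) of a minimal directory lookup service that refuses anonymous queries, returns only a page of matches per query, and keeps an audit trail from which unusually heavy lookup activity by a single account can be identified. The class, its parameters, the sample entries and the `example.edu` addresses are all constructed for illustration; passwords are stored as salted PBKDF2 hashes so that the service itself is not a second leak.

```python
import hashlib
import hmac
import secrets
import time


class DirectoryService:
    """Campus directory lookup that requires a login, pages results, and keeps an audit log."""

    def __init__(self, entries, page_size=5, lookup_limit=20, window_seconds=3600, clock=time.time):
        self._entries = dict(entries)      # display name -> email address (constructed sample data)
        self._users = {}                   # userid -> (salt, pbkdf2 hash)
        self._sessions = {}                # session token -> userid
        self._audit = []                   # (timestamp, userid, query, result_count)
        self._page_size = page_size
        self._limit = lookup_limit         # lookups per window above which an account is flagged
        self._window = window_seconds
        self._clock = clock                # injectable for deterministic testing

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def add_user(self, userid, password):
        salt = secrets.token_bytes(16)
        self._users[userid] = (salt, self._hash(password, salt))

    def authenticate(self, userid, password):
        """Return a session token on success, None otherwise (same path for unknown user or bad password)."""
        salt, expected = self._users.get(userid, (b"\x00" * 16, b""))
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = userid
        return token

    def search(self, token, query):
        """Look up entries by name fragment; every call is tied to a logged-in user and recorded."""
        userid = self._sessions.get(token)
        if userid is None:
            raise PermissionError("directory lookups require a login")
        q = query.strip().lower()
        if len(q) < 3:
            raise ValueError("query must be at least 3 characters")  # no wildcard-style dumps
        matches = [(name, addr) for name, addr in self._entries.items() if q in name.lower()]
        matches = matches[: self._page_size]
        self._audit.append((self._clock(), userid, q, len(matches)))
        return matches

    def suspected_harvesters(self):
        """User ids whose lookup count within the window exceeds the configured limit."""
        now = self._clock()
        counts = {}
        for ts, userid, _query, _n in self._audit:
            if now - ts <= self._window:
                counts[userid] = counts.get(userid, 0) + 1
        return sorted(u for u, n in counts.items() if n > self._limit)


if __name__ == "__main__":
    svc = DirectoryService({"Alice Smith": "asmith@example.edu", "Bob Jones": "bjones@example.edu"})
    svc.add_user("prof1", "correct horse battery")
    token = svc.authenticate("prof1", "correct horse battery")
    print(svc.search(token, "smith"))
    print("flagged:", svc.suspected_harvesters())
```

The paging and minimum query length mean that even a legitimate user cannot pull the whole directory in one request, and the audit log is what turns "somebody harvested the addresses" into "this account ran this many lookups in this window", which is the starting point for taking action.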
When you read the reports of information security breaches at The Breach Blog (see http://www.breachblog.com) and SC Magazine (see http://breach.scmagazineblogs.com), one of the most remarkable patterns is the frequency of breaches occurring in colleges and universities. It can be a challenge to secure such a large and complex environment, but by breaking the problem down and addressing the issues one step at a time, the rate of security breaches can certainly be improved to a less embarrassing frequency.
It’s about time we started educating all staff and students at universities on the many specific types of risks that they are facing in their environment. They can’t be happy about being at the top of the breach list every week.


Scott on 24 Jul 2008 at 5:25 am
Following up on this article, The Security Catalyst has a very good article on the lessons learned at Ohio University from a series of breaches on campus that led to two firings and the resignation of their CIO. You can find it at:
http://www.securitycatalyst.com/blog/2008/07/security-catalyst-show-for-23-july-2008-breach-breakdown-with-adam-dodge/
This article also references a site that focuses on Educational Security Incidents. It’s run by Adam Dodge, and you can find it at:
http://www.adamdodge.com/esi/
David on 13 Nov 2008 at 10:42 am
The problem of security at universities and higher education institutions is more difficult than at many other organizations because “academic freedom” becomes an issue. It shouldn’t be one, but I’ve seen it used to raise objections to security measures. Some organizations have built split networks as part of solving this. The only real way I see to make it work is through full and frank discussion and negotiation so the risks can be managed and academic freedom respected.