《UpGuard:2023大学网络安全现状白皮书(英文版)(16页).pdf》由会员分享,可在线阅读,更多相关《UpGuard:2023大学网络安全现状白皮书(英文版)(16页).pdf(16页珍藏版)》请在三个皮匠报告上搜索。
1、The State of University CybersecurityThe State of University Cybersecurity:3 Major Problems in 1IntroductionCybercrime is a growing problem for higher education.Between 2020 and 2021,cyberattacks targeting the education sector increased by 75%.In line with other industries,the education sector is al
2、so experiencing a dramatic increase in ransomware attacks.According to the 2022 Verizon Data Breach Investigations Report,30%of data breaches in the industry were attributed to ransomware attacks.To better understand the risk that universities face,we used UpGuards cybersecurity ratings data to anal
3、yze 1500 universities and 5000 University vendors.Specifically,we compared the subgroups of universities that experienced data breaches with the rest of the cohort,as well as vendors that used the Higher Education Community Vendor Assessment Tool(HECVAT)with those that didnt.The post outlines the to
4、p three findings of this study and suggested responses for addressing each identified 2Problem:Universities Have Excessively Large Attack SurfacesIn cybersecurity,an attack surface refers to the total sum of all the possible entry points through which an attacker can enter and exploit a system,netwo
5、rk,or application.Its the collection of all potential vulnerabilities within a particular digital environment.The majority of the attack surface for universities and colleges is comprised of web-facing assets,such as domains and sub-domains linking to sensitive internal resources.When an attacker ex
6、ploits a vulnerability in one of these assets,they gain access to an internal network,resulting in a data 3Even if a security flaw doesnt weaken a domain,its still a potential doorway to an internal network and an extension of its attack surface.So the greater the number of domains associated with a
7、 higher education entity,the greater its chances of suffering a data breach.Our research revealed that educational entities have many domains and IPs in their attack surface.The cybersecurity risks associated with a large domain network are further inflated when this network contains unmaintained si
8、tes-sites that remain connected to the internet despite no longer being required.By searching for indicators like default server pages and nonfunctional status codes,UpGuard was able to identify the number of unmaintained sites associated with each University.The average number of unmaintained sites
9、 for each University was 13,approximately 5%of the average number of domains.-Findings of UpGuards University security rating data research 2023.616The top 500 universities in the U.S.have an average of 616 domains.1,580The top 100 universities in the U.S.have an average of 1,580 domains.244The top
10、1,500 universities in the U.S.have an average of 244 4Interestingly,our data showed that as a Universitys digital footprint grows,the percentage of unmaintained sites slightly decreases;however,the absolute number continues to grow.For the top 500 and 100 universities,approximately 3.7%of their doma
11、ins were unmaintained,sometimes totaling hundreds of domains that could be pruned from the attack surface.-Findings of UpGuards University security rating data research 2023.The reason universities have such a large domain network is likely due to faculty staff creating additional websites to better
12、 serve different educational requirements.With each website usually requiring the submission of sensitive student data,each new internet-facing asset becomes a high-risk target for cyber attacks.Unmaintained sites could lead to security incidents since they likely use end-of-life software with explo
13、itable vulnerabilities.Our research confirms this is the case.45%of all universities were observed with at least one asset running a version of PHP past its end-of-life date.Amongst the top 500 universities,an average of 30 domains were using end-of-life PHP,indicating software that had not been upd
14、ated in at least two years.-Findings of UpGuards University security rating data research 5Solution:Reduce Your Attack SurfaceThe solution to an excessively large attack surface is to liberally prune it down to its absolute minimal volume.Most of this excess fat can be removed by decommissioning all
15、 dormant internet-facing assets.This can very quickly be on the UpGuard platform.UpGuards automated discovery process identifies all IPs and domains linked to your organization based on indicators like active and passive DNS,certificates,web archives,and other fingerprinting techniques.This allows y
16、ou to quickly identify all of your assets and any unmaintained pages.Domain discovery on the UpGuard platform.Unmaintained page detection on the UpGuard 6Problem:Universities are at a High Risk of Suffering Data Breaches and Ransomware AttacksData breaches can occur through many attack vectors,but R
17、emote Desktop Protocol(RDP)is among the most popular contenders.During a cyber attack,RDP allows attackers to access a compromised computer remotely,establishing the necessary foothold to install ransomware and exfiltrate sensitive data.According to the FBI,in 2020,RDP provided the initial foothold
18、in 70-80%of data breaches.Our research data revealed that many universities have at least one open RDP port,significantly increasing their risk of falling victim to data breaches and ransomware attacks.Across all 1,500 universities,approximately 10%had an open RDP port at the time of our analysis.Am
19、ongst the top 500 universities,23%had at least one open RDP port.-Findings of UpGuards University security rating data research 7These findings further highlight the importance of attack surface reduction,as larger footprints tend to increase the likelyhood of data breach vectors like open RDP ports
20、.RDPs arent the only web-facing vulnerabilities being actively targeted by threat actors.Software vulnerabilities also pose significant data breach risks to the higher education industry.Software products with known exploited vulnerabilities were detected for 48%of all universities and 70%of the top
21、 500.-Findings of UpGuards University security rating data research 2023.Most universities have experienced an attempted ransomware attack,with outcomes ranging from limited service disruption to data exfiltration.Our research shows a correlation between lower security ratings and universities that
22、fall victim to ransomware attacks.The average security score of ransomware victims is in the bottom 25%of all organizations.While security ratings cannot predict a data breach in any one particular case,in the aggregate,they correlate with data breach susceptibility and can,therefore,be useful for a
23、ssessing an organizations security 8Solution:Implement Data Breach Prevention Security Controls Address Data Breach Attack VectorsOne of the most effective strategies for reducing data breaches is to deploy security controls across two stages:Stage 1(Outside the network)Defend against unauthorized I
24、T network access.Stage 2(Within the network)Focus on obfuscating access to sensitive resources inside the IT 9Ideally,the stage 1 controls will be successful enough to prevent unauthorized network access and the activation of stage 2 controls.In the unfortunate event that stage 1 controls fail,stage
25、 2 controls will hopefully either prevent sensitive resource compromise or stall the attack long enough for security teams to intercept it.For a comprehensive breakdown of this data breach prevention,refer to this free resource.Some examples of stage 1 and 2 security controls include:Cyber threat aw
26、areness training-Equipping employees to recognize and correctly respond to phishing attacks,Internal Vulnerability Detection-The use of risk assessments and security ratings to detect threats such as product misconfigurations,open ports,unmaintained websites,etc.Ransomware data leak detection-The de
27、tection of sensitive data leaks on the dark web resulting from successful ransomware 10Problem:Universities are at a Higher Risk of Suffering Third-Party Data BreachesThird-party vendor relationships add a significant complication to the effort of preventing data breaches.Whenever you establish a th
28、ird-party relationship,your attack surface combines with that of your new third-party vendor,making their security risks your security risks.Because vendors often process sensitive internal information,when their security risks lead to a data breach,any internal sensitive data they have access to is
29、 also compromised-a phenomenon known as a third-party breach.For example,a legal entity outsourcing document processing to a third-party solution also suffers a data breach when that vendor is compromised and any shared client information is 11Our research revealed a security posture disparity betwe
30、en universities and their vendors,with vendors almost always exhibiting poorer performance.From a sample of 5,000 vendors monitored by universities using UpGuard,the average security score across 1500 universities was 751.For the vendors,it was 712.More importantly,there was a large percentage of ve
31、ndors with very low scores.36%of vendors were below 700,and 17%were below 600.-Findings of UpGuards University security rating data research 2023.These finds show that many Universities are unknowingly increasing their risk of suffering third-party breaches through the poor cybersecurity standards o
32、f their 12Solution:Universities Should Use HECVAT to Reduce Vendor Risks.The Higher Education Community Vendor Assessment Tool(HECVAT)provides a set of security questions tailored to the cybersecurity challenges of higher education.HECVAT is a free assessment option for identifying third-party breac
33、h risks as part of a broader Vendor Risk Management program.Our research found that vendors participating in the HECVAT Community Broker Index(CBI)-a public directory of vendors who completed HECVAT assessments and incorporated HECVAT in their cloud services,exhibited superior security ratings.For v
34、endors participating in the HECVAT CBI,the average score was 786,a good average security rating.Across the control group of university vendors not in the CBI,the average score was 712.-Findings of UpGuards University security rating data research 2023.Though HECVAT is designed to assess vendors,our
35、research also found that universities that apply the tool to their internal IT ecosystem increased their security posture-likely due to increased security awareness.In comparing the security ratings of the approximately 100 universities using HECVAT to those not,the HECVAT users fared slightly bette
36、r,with an average score of 774 compared to 739.-Findings of UpGuards University security rating data research 13UpGuard Helps Universities Prevent Third-Party BreachesUpGuard Vendor Risk is a complete Vendor Risk Management(VRM)solution helping universities detect and address security risks leading
37、to third-party breaches.UpGuard leads by example by implementing HECVAT into its own Vendor Risk Management tools and services,as demonstrated by the platforms inclusion in the HECVAT Community Broker I14Some of UpGuards features specifically addressing the cybersecurity needs of the higher educatio
38、n sector include:HECVAT Questionnaire-UpGuards library of industry-leading questionnaires also includes a HECVAT questionnaire for assessing the security of all cloud services Vendor Tiering-UpGuards tiering feature helps universities prioritize vendors with security risks most likely to develop int
39、o data breaches.Continuous Attack Surface Monitoring-By combining security ratings based on 70+attack vectors,and point-int-time assessments,UpGuard provides universities with real-time awareness of their security posture and data breach risks.Third-Party Data Leak Detection-UpGuard helps universiti
40、es shut down vendor data leaks on the dark web that could expedite third-party data breaches.Were here to help,shoot us an email at Looking for a better,smarter way to protect your data and prevent breaches?UpGuard offers a full suite of products for security,risk and vendor management +1 888-882-32
41、23650 Castro Street,Suite 120-387,Mountain View CA 94041 United States 2023 UpGuard,Inc.All rights reserved.UpGuard and the UpGuard logo are registered trademarks of UpGuard,Inc.All other products or services mentioned herein are trademarks of their respective companies.Information subject to change without notice.