Arizona’s Universities’ Information Technology Security Found Lacking

The Arizona Auditor General has found that the three state universities’ information technology security practices “can be improved.”

According to the Auditor General, “relatively few university employees were susceptible to simulated social engineering attacks, but some employees took actions that could have provided an attacker with access to sensitive data.” The Auditor General found that the universities “need to improve security awareness training.”

“In addition, although the universities’ security controls limited our attempts to gain unauthorized access to their IT systems, we were able to exploit some vulnerabilities to access sensitive data,” according to the Auditor General’s report. “The universities should enhance their existing policies and procedures in five key areas to further reduce these potential vulnerabilities. Further, each university has established components of an IT security governance framework, but NAU and UA should continue to develop and implement their frameworks.”

The Auditor General called on the Arizona Board of Regents to “expand its oversight of the universities’ IT security efforts.”

The Auditor General recommended that each university “improve its data classification processes,” and called on NAU and UA in particular to “improve their IT risk assessment and incident response processes.”

Report highlights:

Universities responsible for safeguarding IT systems and data

ASU, NAU, and UA use computerized electronic systems to support numerous functions such as payroll and student admission applications. To perform these functions, the universities use IT systems to store and process various types of sensitive data, including social security numbers, financial and health information, and educational records for approximately 34,000 faculty and staff, approximately 161,000 students, some of the more than 850,000 alumni, and others, such as prospective students applying for admission. The volume of sensitive data the universities obtain and maintain makes them a potential target for attacks by malicious individuals or organizations, and federal and state laws and regulations specify the universities’ responsibility in handling and protecting sensitive data.

Universities should improve security awareness training efforts and enhance IT security controls to further protect IT systems and data

Relatively few employees susceptible to simulated social engineering attacks but security awareness training efforts can be improved—Social engineering attacks attempt to persuade an entity’s employees to provide information about, or direct access to, the entity’s network using specially crafted means. Although a relatively small number of university employees were susceptible to our simulated social engineering attacks, some employees disclosed information or took other actions that could have provided an attacker with unauthorized access to the universities’ IT systems and sensitive data. For example, one attack strategy provided us the means to potentially access IT systems and sensitive data at ASU and UA, and information obtained through another attack strategy allowed us to gain unauthorized access to NAU’s internal network, which could have allowed us to potentially view, modify, or delete sensitive student information. Information security awareness training is important for reducing successful social engineering attacks.

Although each university requires their employees to complete some security awareness training, not all university employees have done so. Specifically, as of March 2018, training completion rates were 68 percent at ASU, and as of April 2018, 61 percent at NAU, and 40 percent at UA. The lack of completed training at all three universities may have contributed to employees’ susceptibility to simulated social engineering attacks.

Universities’ security controls slowed simulated attacks, but vulnerabilities allowed unauthorized access to some IT systems and sensitive data

We conducted simulated attacks on the universities’ IT systems, but our ability to gain unauthorized access to these systems was limited because the universities employ automated security tools and have separated portions of their respective networks into smaller, protected subnetworks.

However, after ASU removed some controls to allow us to more quickly identify and exploit vulnerabilities, we gained unauthorized access to sensitive data at ASU, including names, contact information, and grades. At NAU, we identified some vulnerabilities that allowed us to gain unauthorized access to legally protected data such as records related to

CONCLUSION: Arizona State University (ASU), Northern Arizona University (NAU), and the University of Arizona (UA) have implemented several information technology (IT) security practices consistent with IT standards and best practices, but these practices can be improved. Specifically, relatively few university employees were susceptible to our simulated social engineering attacks, but some employees took actions that could have provided an attacker with access to sensitive data, indicating a need to improve security awareness training. In addition, although the universities’ security controls limited our attempts to gain unauthorized access to their IT systems, we were able to exploit some vulnerabilities to access sensitive data. The universities should enhance their existing policies and procedures in five key areas to further reduce these potential vulnerabilities. Further, each university has established components of an IT security governance framework, but NAU and UA should continue to develop and implement their frameworks. The Arizona Board of Regents (ABOR) should also expand its oversight of the universities’ IT security efforts. Finally, each university can improve its data classification processes, and NAU and UA should improve their IT risk assessment and incident response processes.

2 Comments

  1. “Although each university requires their employees to complete some security awareness training, not all university employees have done so. Specifically, as of March 2018, training completion rates were 68 percent at ASU, and as of April 2018, 61 percent at NAU, and 40 percent at UA.”

    So all these “genius” employees figure nothing bad can happen to them on their work computer/network? Or they are just lazy? More waste of taxpayer money at publicly funded universities. Here’s a thought, employees – get the mandatory training or look for a job at Starbugs. Supervisors – do your job and supervise; you are as much to blame as your employees. And you can be replaced.
