Plugging Data Leaks with Security Education

When hacker group Lulzsec posted thousands of stolen usernames and passwords online in June 2011, something troubling happened. Other Internet users around the world started using this information to break into people’s accounts at sites such as Amazon, PayPal and Facebook.

Because many people choose the same password for multiple websites, learning someone’s login information for one site gave hackers access to that person’s accounts at numerous other sites. What followed were reports of pranks that included changing Facebook profile pictures to disturbing images, and buying and having random items delivered to unsuspecting victims whose accounts had been used for the purchases.

Lulzsec hackers claimed they posted the information and encouraged its misuse “for the laughs,” as well as to prompt users and organizations to implement better security practices.

The widely publicized attacks from Lulzsec are just one example of a growing problem: the susceptibility of organizations to data breaches. Concerns about the security of sensitive information sent over the Internet have existed for years, yet those fears have too often been focused on what happens to information in transit. The recent attacks and the hundreds of data leaks that are reported every year make it clear that the larger issue is what happens to personal data after it reaches its destination.

When you provide valuable information such as a credit card number to an organization, you often have no way of knowing if the organization is storing this data and what steps (if any) it is taking to prevent the data’s theft. Often, you only find out that an organization was storing your information insecurely after receiving a letter notifying you its database was hacked or one of its employees lost a laptop containing sensitive data.

Clearly, many organizations are not doing enough to protect their customers’ information. While few details of the Lulzsec attacks are known, it has been widely reported that some of the compromised websites were poorly designed and vulnerable to simple SQL (structured query language) injection attacks. These attacks, which allow attackers to execute database commands simply by submitting data (e.g., through a Web form) with carefully placed special characters such as quotation marks, give hackers access to entire databases of customer information.

Making matters worse, it appears that in many cases sensitive information was simply stored “in the clear” instead of being encrypted first. This means that once attackers had access to the databases, they were able to immediately see actual customer information instead of only seeing unintelligible, scrambled data. Users also share some of the blame, having reused usernames and passwords at multiple websites, despite the well-known dangers of this practice.
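The two failures described above, shown in an added example that is not from the article: a lookup that pastes form input into the SQL text beside one that binds it as a parameter, with passwords kept as salted PBKDF2 hashes rather than in the clear. The table, accounts, function names and iteration count are constructed for illustration, and using a one-way hash for passwords (rather than the encryption the article mentions) is this example's assumption.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db():
    """In-memory table of constructed sample accounts; no cleartext passwords stored."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, salt BLOB, pw_hash BLOB)")
    for name, email, password in [("alice", "alice@example.com", "correct horse"),
                                  ("bob", "bob@example.com", "hunter2")]:
        salt = os.urandom(16)  # per-user salt, so equal passwords hash differently
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, email, salt, hash_password(password, salt)))
    return db

def lookup_vulnerable(db, name):
    # Form input is pasted into the SQL text, so a quotation mark in `name`
    # ends the string literal and whatever follows is parsed as SQL.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    # Placeholder binding: the driver passes `name` as data, never as SQL.
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def check_login(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored hash with the recomputed one.
    return hmac.compare_digest(stored, hash_password(password, salt))

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed form input containing quotation marks
    print(len(lookup_vulnerable(db, crafted)))  # the WHERE clause is now always true
    print(len(lookup_safe(db, crafted)))        # no user has that literal name
    print(check_login(db, "alice", "correct horse"))
```
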

Solving the Problem Through Education

What can be done to prevent these types of attacks from happening repeatedly in the future? A key step toward solving the problem is better security education for everyone involved, but most importantly for those designing and managing the computer systems that interact with sensitive customer information. With reliance on the Internet continually increasing, it has become essential that anyone working in computing be knowledgeable in information security.

To address this growing need for security education, the St. Thomas Department of Computer and Information Sciences created a major in information security in 2008 and has begun offering two new security courses, with more offerings to come.

Our information security curriculum is designed to teach students essential technical skills such as how to prevent SQL injection attacks and properly use encryption, while also teaching them “how to think like an adversary” so that they can better anticipate new threats. As a result, our majors, when faced with designing or evaluating a system, will be able to foresee potential security issues and will have the technical skills needed to address them.

Additionally, the CISC Department requires all computer science majors, not just those in the new information security major, to take a course in information security early in the program. This is in contrast to computer science programs at most other universities, which either do not teach a security course at all or only offer it as an upper-level elective.

Making security a required course ensures that all our computer science graduates are knowledgeable in current attacks and defenses, and placing the course early in the major gets students thinking about security issues right from the start of their college education.

It is tempting to think, based on the well-publicized attacks from Lulzsec and others, that the information security field is in a dire state. While it’s true that many organizations have inadequate security, it’s actually a good thing that leaks have been in the news.

The publicity undoubtedly will lead to more security awareness in average users, spur governments to enact tougher regulations and ultimately force organizations to take precautions to protect customer data.

Our graduates, with their training in information security, will be well-positioned to fill the accompanying need for security expertise.
