Cybersecurity is an ever-growing concern in many areas of life, and universities are no exception to this rule. With so many people accessing the network, it’s important for users to know their data is safe and that they can connect with confidence. This year SecurityScorecard did an in depth review of the best and worst universities for online safety, and it produced some surprising results. The research covered several aspects of cybersecurity, measuring ten specific categories including application, endpoint and network security, DNS Health, IP reputation, cubit score, hacker chatter, password exposure, patching cadence and social engineering.
Here are the five institutions that fared the worst in the report:
Massachusetts Institute of Technology
Surprisingly, this prestigious technology school scored worst overall. Receiving F and D grades in many of the ten categories, a plethora of vulnerabilities and weaknesses were identified. The IP reputation was noted as particularly poor with an average malware infection duration of 1.678 days alongside marked risks of attack in the fields of network security and password exposure. It also appeared regularly on hacker forums resulting in an F grade in the “Hacker Chatter” field.
However, this perhaps could be explained due to the vast amount of, mostly harmless, hacker communities within the student body. Another commenter suggested that the scores were low was due to the fact that the institution encouraged a student-led infrastructure to aid learning and so recorded mistakes were a key element of the learning process.
New Mexico State University
Next on the list is New Mexico State University. Only a few percentage points above MIT, this institution also scored a very low D grade over all. This was due to failing to meet the pass criteria in IP reputation, network security, password exposure and patching cadence. The latter of which was measured by checking for both insecure software and exposed vulnerabilities. The results in this field were particularly surprising as in the most extreme cases, 67 pieces of insecure software were identified.
Similarly, 70 percent of the schools in the grouping of the ten weakest on the list were found with 51 or more pieces of unpatched software. Despite the low scores, New Mexico did receive A grades in DNS health, social engineering, cubit score and endpoint security. It was also much less likely to be discussed in hacker forums than its first place counterpart.
Third on the list is Cambridge University, scoring particularly poorly in IP reputation, network security, hacker chatter and password exposure. IP reputation is a point of weakness for most of the lower schools on the list, so it is clearly a factor that requires improvement across the board. This section of the report looks at the quality of the IP address in the past, in particular looking for malware signatures and malware infection duration.
Although the report condemned many institutes in this category, they also offered advice for how to resolve the problem. By setting up proficient malware protection strategies, such as antivirus software, and being vigilant about keeping it up-to-date, you can significantly improve the IP reputation. Similarly, monitoring all traffic incoming and outgoing traffic by using Web Application Firewalls or IDS solutions and accessing or subscribing to OSINT malware feeds will help increase the organization’s cybersecurity.
Although Temple University scored A’s and B’s in many sections, there were four areas where they received an F. Similarly to Cambridge, these categories included IP reputation, network health and, perhaps the lowest rated over all the weakest schools, password exposure. This section of the report looked at exposed email addresses and passwords that are circulating the hacker forums of staff or student aliases from each of the schools.
Due to the nature of the modern world and the cybercrime that has come along with it, this is a significant issue for all internet users. Alex Heid, Chief of Research at SecurityScorecard, even commented “it is difficult to find a person in the modern era who has not been a victim of password theft.” Although it is nearly impossible institutions to tackle this problem as a whole, individual users could greatly benefit from using a VPN to protect and encrypt their data when accessing shared networks.
University of Virginia
Closely following Temple, last on the list is the University of Virginia. This Charlottesville institution came in at number five with 66 percent, leaving it with a D grade. This was due to weaknesses in similar categories as the previously discussed schools.
However, unlike many of the others in the grouping, Virginia managed to far surpass its competitors in IP reputation, being the only school in the top five to receive above an F grade in this section. Its main shortcomings were in password exposure and patching cadence. Also worth noting, when this university was investigated, a particularly interesting data breach was discovered in which two employees were specifically targeted. It was suggested that this occurrence may have been in relation to work they were doing that was connected to China. This brings up questions about the source and purpose of attacks along these lines.
The question of cybersecurity is one that should be taken seriously by everybody and university institutions have a responsibility to ensure users of their networks are protected. SecurityScorecard’s report is a valuable resource when identifying areas of weakness and raises some interesting points about security as a whole. If you have any experiences with the schools mentioned, or just want to discuss any elements of the report, be sure to leave a comment below!