Nishant Shah

In my opinion, ITACS students do represent information security vulnerabilities to Temple University, and Temple represents information security vulnerabilities to ITACS students as well.

Based on the readings, Information security vulnerabilities can be considered to anywhere, anyone and anytime. First, Temple students can access to secured and sensitive information easier through internal way. For example, an ITACS student studying at Temple University, has some access passwords and codes for some rooms, software and public laptops, etc., so he would steal some sensitive information of Temple University by accessing from internal internet through these ways, and Temple would lose its secured and sensitive information because of this ITACS student uses internal way, rather than other outside people use external way, which is harder. Second, the trust from a professor would also be an information security vulnerability. If a person has the trust from a professor, the professor may behave negligence by allowing this student to access to some accounts which would be considered not allow to students. For example, if a professor wants to show something through his account, the student is there to watch the professor to access the account, and then, the professor may act negligence by typing his account name and password in front of this student, and the account may be stolen easily. Third, students or professors may have bad behaviors and collude with classmates and friends to steal information of Temple University. The possibility of this is tiny small but I think it can be also considered as information security vulnerabilities to Temple University.

In addition, Temple University also represents information security vulnerabilities to ITACS students as well in several ways. First, Temple University experts who control sensitive information of students and colleges may behave negligence and errors of operations to exposure information. Second, Upper management of Temple University also has a possibility to behave badly if the person is angry and criminal. Third, the change of MIS department dean or upper management may also bring some information loss and errors, because if the previous management person left, he may not have everything (information, account passwords, or secret system controls) to the new person.

ITACS students and Temple University both represent information security vulnerabilities to each other. Temple University stores Personally Identifiable Information (PII) of each student, which include grades, and financial information, and in some instances health-care information. A data breach to Temple University could target student’s social security numbers, personal banking account information, and medical information if a student is enrolled in a university sponsored plan. Temple University stores large amounts of sensitive information about students, which creates an attractive target for cyber criminals. Medical identity theft is a growing exposure for Temple University because medical information is more lucrative than financial information. Not all students enroll in the sponsored plans, some do, and others may use a medical service during their tenure at Temple. Students trust the university with sensitive data, which poses a risk to Temple because it is now responsible to safeguard the data.
While Temple represents vulnerabilities to students, students also pose security risks to Temple. The university must create a tuportal account for every enrolled student, from which campus computers, and many other university services are accessed. There are over 30,000 students at Temple University, not including faculty and staff, which is a lot of accounts to monitor. Any student can find a flash drive on the ground, and then immediately connect it to a campus computer to download documents. Flashdrives can contain viruses and malware and can potentially spread to the network from a single access point. Prevalent use of removable storage is an important security vulnerability to Temple. Students can also access file attachments through email on the university network. If an attachment is infected with malware, it can now spread to the computer and then network. It would be difficult for Temple to limit access through the network because many departments rely on online software, require students to submit work online, and need to access data themselves. The same methods that are used to augment student academics also increase security vulnerabilities.

I think everyone at Temple University represents information security vulnerabilities to Temple University. In fact, ITACS students and regular students do more than sending emails while on Temple internet connection. Even though, the university blocks some sites it does not stop students to go to insecure sites. I have been seeing some students shopping on the school computers. Somebody can voluntary or involuntary download a virus on the computers or the network.
Also, the laptops in MIS labs in rooms 602 and 603 are not really password protected as everyone knows the password. The only really credentials you need is your TU access username and password for the Wi-Fi. Once again an ill-intentioned individual can take advantages of this system. He/she can do bad things without being traced.
Temple University and its third parties’ partners can represent information security vulnerabilities for its students. What will happen if someone can hack the university system? In fact, some students have received phishing emails asking them to provide their passwords. The University system contains a lot of sensitive information like medical records, payments information… If there is a data breach, more than 30,000 persons will be affected.

I believe when we are entering into any account, we might have lot of people around and we do enter our credentials in front of them. That is the reason why passwords are masked.
I agree with your point that eavesdropping can happen. Hence being alert while handling sensitive data is important.

ITACS students represent vulnerabilities to Temple university and vice versa.

Both entities have access to confidential and restricted data of each other.

Vulnerabilities that students bring in:
1. University provides wifi to all students. The laptops, mobiles phones via which they connect to wifi is a door for hackers to plan Wireless network attacks. ex. Denial of Service, man in the middle, eavesdropping on the wifi, If data is not encrypted they payload is exposed and a sniffer can capture emails, passwords etc

2. Students have access to confidential university data. If a student does not follow basic security practices university data like university intranet, contacts of faculty and other students, university news and events details is at threat.

3. Students have access to course work, assignments, lectures, power point presentations which are IP of the university.

4 Students can bring in visitors and if visitors if have malicious intend can cause harm.

5. If students use illicit software to develop a university software, it can cause huge damage.

How is student data vulnerable while it resides on university servers

1. University servers can be prone to data attacks on which student confidential and restricted data resides. Ex. student personal identifiers(SSN,address, contact numbers), financial details like bank details, transactions etc.

2. Student grades, resumes, photographs, medical information is also with the university. Data is present with the university not only in digital format but in form of paperwork which is easily vulnerable.

Am I the only one not being able to enter answer to other questions?

Anyways below is questions 2 and my answer :

Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.

Information security is not only a technical problem but also a business issue. It is true that for an organization to be very secure, some software and hardware may be needed to protect the assets of the company. However, as the book (VACCA) mentioned in chapter 1, thinking that information security is only a technical matter is a myth; “firewall […] antivirus program …are just some of the tools available to assist in protecting a network and its data” (pp9). In fact, most of the time employees are the main reason why there are data breaches in organizations. A lack of awareness and training on information security can lead to severe losses for the organization.
Similarly, failure to immediately terminate former employees’ access to data can potentially be dangerous for a company especially if the former employees work for competitors. Security measures can be implemented, but the human factor must be taken into consideration. Management should educate employees about their impact on security programs. That is why in addition to be a technical issue, information security should also be seen as a business problem that must be solved to prevent tremendous risks.

I agree with Priya, Temple represent information security vulnerabilities to students because they have sensitive data, such as social security or bank account number, about us. Should a data breach happen we will all suffer consequences.

Said made a good point here. Temple university system doesn’t seem to be well protected and i’m not sure not all students are aware of the importance of information security. I personally went couple of times to the computer lab and witnessed students watching movies on third party website, shopping or networking on social media. Logically , one would think that an ITACS student is aware of information security and should be careful. However, that is not always the case. Human beings can be negligent and this is why students represent information security vulnerabilities to Temple.

Good point Alexandra. While doing activities like online shopping or online banking, a cross site request forgery attack can be launched. CSRF is combination of social engineering along with.

It becomes easy to launch CSRF attack when user session cookie details are stored. ex. IP address or credentials. The server will not know if it is a forged request.

Sometimes a attack can be launched with a hidden image which executes while the page is loading. The user does not understand the difference. If credentials are already stored by the browser, it becomes easy to authenticate.

In my opinion ITACS students represent vulnerabilities to Temple university and vice versa. Temple ITACS students are vulnerabilities to the university because they are they constantly logged into the system and are active users and therefore, their actions while on the system affect the university directly. The users ability to nagviate through the web without domain regulations not only, contribute but enable threats such as malware, which may affect the computers operation systems and the protection of personal information. However, the students aren’t the only ones who provide vulnerabilies, the university has an abundant amount of personal files of its students and employees, which can be accessed through hacking and software breeches. Thus, versatile vulnerabilities that are result of ITACS students and the university are subjected to human error. Human errors affect both entities as a whole and therefore, they are both to blame for vulnerabilities.

Do ITACS students represent information security vulnerabilities to Temple University, each other, or both?

Explain the nature of the vulnerabilities ITACS students represent in the context(s) you chose?

I do believe that ITACS students represent information security vulnerabilities to Temple University and the other way round.

Some vulnerabilities that ITACS students may bring in to Temple:

1. Computer hardware that students bring in such as flash drives or laptops may contain viruses that could infect Temple’s system when the hardware connects to Temple’s computers or wifi.

2. ITACS students will eventually learn how to hack. A student may attempt to try their newly attained skill on Temple’s computers or sites which may or may not cause harm.

3. A student may accidentally download malware, spyware or virus into Temple’s system when the visit insecure sites or click on suspicious links.

Some vulnerabilities that Temple may bring to students:

1. Temple University is a host to all students data and private information. Students can link their bank information in order to pay their tuition bills. Student Personal identifiable information such as SSN, contact information and address are all in Temple’s database. This can post as a target to potential hackers.

2. Temple employees who have access to all students data may not adhere to Temple’s control and may perform activities that increase the risk of security threats

3. Temple employees may also be negligent when handling students’ data. Wrong data may be inputted which may cause a chain reaction that can affect the student.

I believe ITACS students represent information vulnerabilities to Temple University; on the other hand, Temple University represent information vulnerabilities to ITACS students as well.

As Temple students, we have access to Temple’s wifi and computers. Everyone could possibly bring viruses to Temple’s network system when he or she connects hardware such as USB drives to Temple computers. This not only damage the computer that has the viruses, but it will also spread the viruses to other computers in the school because they all sharing the same network. In addition, a student may accidentally entering a website when they are click on links that they are not aware of. It is very essential that students should have awareness of the websites they are viewing. In addition, one other vulnerabilities that students may bring into Temple University is we all have access to blackboard and MIS Community site, students are able to download or make a copy of any documents that they have and share it with someone else who are not a part of the class or even not a part of Temple community.

Of course, Temple University represent information vulnerabilities to ITACS students as well. Temple has not only students’ unrestricted and sensitive information, but also restricted information such as social security number, Temple University ID, as well as billing information. The database that Temple has storing student information can rise a major potential target to hackers

Do ITACS students represent information security vulnerabilities to Temple University, each other, or both? Explain the nature of the vulnerabilities.
The ITACS students represent information security vulnerabilities due to several reasons. The students connect different types of devices to network (Laptops, Cell phones) that may not be secured and potentially spread viruses, malware, smart dust, or BOTNET on temple network proper. Students access university wide network and applications from their personal devices, opening the door for data leakage in case student device is hacked.

ITACS students are a great vulnerability to Temple University. Vacca points out that power users, in this case students who have just started an advanced program, may know enough to install software while ignoring security policies. Bad guys looking to exploit vulnerabilities will target these users to get access to a network (Vacca, 4). Unless all students undergo security training, some may not understand the significance of some policies that are in place. There has been times where Temple has had to send out mass emails warning of phishing attacks targeted at Temple emails, meaning that someone must have let something bad in at some point. Another vulnerability that students have is their passwords. Some students may make theirs very weak or save them in obvious locations. The requirement to change your password every few months may make Temple systems less secure as students may lean towards easier passwords. An article I read a while ago showed how a hacker may try to decrypt hashed password files by comparing changes knowing that the user is only changing theirs slightly (https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes).
Temple University is a security vulnerability to ITACS students as well. Large organizations are seen as more lucrative targets for cybercrime groups. Temple holds a lot of PII, and for some students, PHI, which criminals can sell for a profit. Students need to trust that temple is taking all the steps to keep their information safe. Is Temple conducting background checks on IT employees? Are they spending money on security as a priority? Does Temple require IT professionals to continue to learn as the security environment changes? The real list that Temple has to do to stay secure is much longer than I can list here. The security issue is compounded by the multiple devices Temple must support. There are multiple buildings, multiple Wi-Fi networks across campus, and many new cellphones and tablets being hooked into the network every day. If a bad guy ever finds a way in, they can take a student’s information and exploit it.

Agreed. Bringing in visitors may be a big concern to Temple University. because these people may be your friends, however, people’s behaviors are hardly to see clearly.

Software development is also a concern. Universities always develop new and professional students in the world. So if these kind of students want to try their solution of their new creation, Temple’s internal internet and all Temple computers and laptops may result in risks.

You are correct that Temple students are a security vulnerability to the university. On the other side, the university is also a security vulnerability to students. Temple stores a large amount of personal identifiable information on its students, from social security numbers to payment information and anything in between. Because the university has so many students and faculty connecting to its network with various personal devices, the university must be more vigilant in protecting its information. While students can bring viruses and other nefarious software to the university, the university has a lot more sensitive information about its students that if lost, would cost its students, and by result the university.

Your comment about larger organizations being more lucrative targets for cybercrime made me think about what a unique situation universities are in as opposed to other large organizations. In your average company the employees are supplied with the devices that they will use to connect to the organization’s network. At universities students all have their own devices. Even at organizations that have bring your own device policies, generally IT has some screening processes on the personal devices that are allowed to be used. The university has no control over what devices students are connecting to their network. They can monitor the traffic and prevent a student from downloading malware while on the network, but if they student picked up the malware while on another network and then connects to Temple’s network, Temple must have strong defenses in place to protect itself. Employees are also generally not downloading as many things from random websites on their work computers. People are generally more couscous with what they download onto their work computer than their personal computer. Since students are on their personal computers they may be less couscous with what they download.

As a student it is easy to see how your information is at risk and take that side. Priya, do you think that the university is more at risk with all of the students on their network or do you think that students are more at risk that their information could be stolen and held for ransom?

I just hope Temple practice what their Information Security professors teach. I hope that Temple invests an appropriate amount to keep their students’ data safe. I hope they invest in educating their employees and their students who are not in the IS field, I hope they have cross-department collaboration on this effort because successful Info Security takes an “all-in” approach. .

Hi Wenting,

I think you bring up some valid points as to how a data breach can be a problem with all the PII of students on the server. To go with that, restricting access to worker students is a huge issue too. For those say working in admissions, you need to make sure that access to PII is restricted from those student workers. Likewise, if students do have access to that information, you need to make sure that those student workers have the integrity to not steal that information or not be negligent enough to allow someone else access by not practicing standard computer security policies. A hacker can easily see a student worker as the weakest link and use them as an avenue to steal information.

I agree with you all. Not only ITACS students but everyone at Temple represents information vulnerabilities to Temple, and Temple represents information security vulnerabilities for all students as well because Temple stored our sensitive data in its database where it can be the target to hackers. Let’s say the “TUpay” got hacked, our payment card information including our account numbers or routing numbers may get stolen.

Temple should work with professors to offer workshops for students to learn about how to protect their personal information from being stolen at Temple.

Nice post Priya,

I just want to add some of my thoughts to your point 1. Temple provides wifi and printing services to all students. We can get access to the networked printing servers through Temple’s computers or our personal computer by sending email. It is easy, convenient and comfortable. However, the printer will store our documents in its hard drive which can easily become a target to hackers. Some students even print their sensitive information at Temple. We often ignore and overlook the vulnerability of the security of networked printer. Hacker with malicious intent may hack the printing system if it is not encrypted.

Yulun,

Great post! It reminded me about an incident that happened in one of the dorms at the Temple University. As you know that students living in dorms have access to use “TURESNET,” which is Temple’s own network for its dorm students. One of the students had connected his Xbox or Playstation onto the network and he got into an argument with a player online. Turns out that other player wanted to retaliate, and Temple student’s IP was tracked and there was a series of DDOS attacks, which disturbed the Temple’s network for a couple of days until they identified the cause. Student was not allowed to connect his Xbox/PlayStation on the network again.

This story was told by Prof. Larry Brandolph in the MIS intro class.

Ian,

Nicely point out, I think students are more at risks, and all personal or financial information might be stolen. I think these processes are not properly implemented and the network are properly secured!

Ian, I agree with Shahla

I also think that as students, we are more at risks.
The reason is that Temple has database that store over 30,000 students’s confidential data such as SSN# and bank information. If someone hack in Temple’s database, then it will bring a tremendous impact on students because all of their restricted information are stolen. In addition, Temple’s reputation will also be ruined.

Wow! Inspired me!!!!! My professor said in MIS 2501(Mart Doyle) before, you can always plug a cord to the internet of your apartment’s building and see what your neighbors do. Trust me, for majority (like 99% of our students and professors) are still good to trust!

Thanks for sharing!

I was going to bring that study up but see you already mentioned it. I’ve seen other studies conducted where the percentage was extremely high, The one I’m linking below shows that the Department of Homeland Security found 60% of ‘dropped’ flash drives plugged in. I think people see them as if someone dropped a wallet and want to check to see if they can find the owner by identifying the files on the drive. If its blank, its like picking up a lottery ticket. People who have never heard of these risks will just plug it in to check to see if they’ve won.

http://www.slate.com/blogs/future_tense/2013/07/30/don_t_touch_that_flash_drive_you_have_no_idea_where_it_s_been.html