The 10 Best & Worst College & University Security Rankings
A University Security Audit for 2015
Data breaches and data theft at colleges and universities are a very common occurrence. From the 80,000 students recently affected at California State colleges to the 29 employee records hacked at the University of Calgary last week in Canada, higher education is a frequently targeted playground for security attacks. This week, Rutgers University in New Jersey, which has been a highly targeted school for DDoS attacks in the past year, experienced another attack.
Recently, we released our 2015 Higher Education Security Report where we highlighted the security postures of the top 10 and bottom 10 ranking schools in higher education. Using our proprietary security-risk benchmarking platform, we analyzed 485 colleges and universities with 1,000 or more public-facing IP addresses.
In the number 1 spot: Merced Community College in Northern California. Merced has an enrollment of roughly 11,000 students and scored an ‘A’ grade with a percentile rank of 98.6%. Other schools that ranked well with a strong security posture included the University of North Alabama, and Pepperdine University in Malibu, California, among others.
At number 485: Massachusetts Institute of Technology (MIT). MIT is one of the most regarded and influential computer science and engineering schools in the world. The Cambridge, Massachusetts school scored a ‘D’ at the time we collected data with a percentile rank of 61.3%.
Why Did MIT Rank Poorly?
The renowned institute has a sizable IP footprint with a propensity for computer-science openness with an extensive technology research discipline. As SecurityScorecard’s Chief of Research, Alex Heid, told CSO magazine at the time of the report’s publishing:
They do their own malware research. They run honeypots. They’re running TOR exit nodes… When we dug in, we found that there’s a lot of exposed passwords, old legacy systems, and a bunch of administrative sub-domains that seem to have been forgotten about.
Other schools that ranked in the bottom for their security posture included the University of Southern California and the University of Virginia. UVA reported a data breach in mid-August, though it states that no personal information had been stolen in the breach. In June, Harvard University reported it had experienced a data breach in May affecting 8 of its colleges and administrations.
For the ten schools that ranked the poorest in our study, all of them received ‘F’ grades for password exposure. Heid told Dark Reading on the day of the report’s release:
Across the board at all of them, there were weak passwords. Once a password is circulating, it’s assumed at least one person uses the same one for everything. It’s just a matter of the scale of the breach and whether it’s publicly announced.
A single overall SecurityScorecard grade is an indicator of relative security health, but it only takes one exploitable issue in any one specific security category to allow an intrusion, data breach, or advanced attack. According to 2013 research from OpenDNS, universities are 300% more likely to house malware in their networks than businesses or government agencies.
Security-Risk Benchmarks With Deep Visbility
Our platform gives instant visibility into the security-risk posture of any company. Add a web address and receive a complete, instant security audit. Share the Scorecard information directly with vendors and collaborate immediately.
There are 10 unique security factors that our non-intrusive methods capture and benchmark including: how often an organization patches its vulnerabilities; the health of its domain name servers (DNS); the volume of malware; whether an entity is being discussed on hacking underground forums; and an organization’s susceptibility to social engineering schemes, among others.
SecurityScorecard gives grades for the following 10 specific categories and factors which then roll up to one individual grading based on a weighted average. Our security-risk benchmarking platform grades the following categories:
1. Web Application Security
2. Network Security
3. Endpoint Security
4. Hacker Chatter
5. Social Engineering
6. DNS Health
7. IP Reputation
8. Patching Cadence
9. Password Exposure
10. Cubit Score™
Cubit Score is a proprietary algorithmic module that reveals an assortment of misconfigurations, such as poor SSL configurations and weak encryption ciphers. Each category consists of dozens of security-risk indicators, resulting in a holistic security assessment.