Penn State and Rutgers University join the ever-growing list of victims to cybersecurity attacks. In only the past two months, both universities have suffered distributed denial of service attacks, or as they are more commonly referred, DDoS attacks.

A DDoS attack is intended to render a server or network unavailable to its users. DDoS attackers use multiple devices and multiple internet connections to flood a victim’s computer system with web traffic until it is crippled by the requests and goes offline. Aside from the debilitating effects of DDoS attacks, they are difficult to combat. Victims cannot focus their efforts on deflecting attacks from a single attacker or a single source. Rather, the victim is flooded with requests from hundreds or even thousands of sources. While DDoS attacks are often just a frustrating nuisance for a victim to deal with, these attacks are continuing to evolve into a serious threat for network operators across the world. For Rutgers, the DDoS attack not only caused multiple internet outages, but affected the university’s final exam schedule.

So, what makes universities such a target for DDoS and other cybersecurity attacks? As explained in a recent article in the New Jersey Law Journal, universities are relatively easy targets. The article quotes Vincent Polley, the head of technology consultancy KnowConnect to explain that because the university structure is a “confederation of schools that are fairly loosely coordinated…[there’s] frequently not a lot of top-down management.” Universities store vast amounts of their students’ personal and financial information, as well as sensitive research materials.

This begs the question: what can universities and colleges across the country do to protect their students’ information? According to a recent article in the New York Times, Penn State, like many other universities and colleges across the country, are beefing up their authentication requirements. Authentication requirement are generally used before a university system can be accessed remotely. Authentication techniques can be broken into three categories: (1) things only a specified individual knows (i.e. a password, pin number, mother’s maiden name, or other type of security question; (2) things that only a specified individual would have (i.e. a key, card badge, token, one-time password); or (3) something specific about the specified individual (i.e. an encoded fingerprint, voice recognition or an iris scan).

To further beef up security, schools like Penn State are requiring a two-factor authentication, which incorporates two of the above mentioned techniques to create a multilayer defense against unauthorized access. However, how effective these measures are against DDoS attacks and other cyberattacks remains to be seen.  Thanks to Erica Woebse for her contribution.  Please email Brian Gibbons with any questions.