Colleges and universities face some unique challenges when it comes to building a cyber security program. From an ideological standpoint, university campuses are founded on the concept of the free and open exchange of ideas and information. However, universities today must balance this with the day-to-day reality of securing a vast range of critical data that includes student and employee data, as well as valuable financial information and proprietary research. At the same time, they must ensure connectivity across a federated landscape.
With that in mind, here are some practical recommendations for developing a strong cyber security program for your university or college.
Know Your Environment
This is basic, I know. The CIS Top 20 Security Controls put hardware inventory and software inventory at numbers 1 and 2, respectively. There is a reason for that: you can't secure what you don't know is on your network.
In many of the assessments I've done, I've discovered rogue servers and, in one case, an entire rogue subnetwork. Many of the rogue servers didn't have recent patches applied, or any patches at all, and most held personally identifiable information (PII).
In a large organization, especially one that doesn't control which devices can connect to its network ports, it's simple for anyone to add a device to the network. Most of the time these aren't malicious insiders; they are simply administrators testing a capability or a service on the production network instead of in a development environment. But that often leaves an undocumented, unpatched device on the network, which is an easy target for an attacker. Maintaining a device inventory, comparing it against what is actually on the wire, and periodically assessing it is foundational for a successful cyber security program.
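As an added example (not code from the original article), here is a small Python reconciliation script that compares an authorized device inventory against what is actually observed on the network. The inventory CSV layout (mac,hostname,owner) and the "ip mac" observed-host format, which is what an ARP table or DHCP lease dump reduces to, are assumptions, and both data sets in the script are constructed. It reports devices on the wire that the inventory doesn't know about, and inventory entries that were not seen, which are worth a look too.

```python
"""Reconcile observed hosts against an authorized device inventory.

Added example, not from the original article. Assumed formats: the inventory
is a CSV with columns mac,hostname,owner (as a CMDB export might give), and the
observed hosts are "ip mac" lines, which is what an ARP table or a DHCP lease
dump reduces to. The data at the bottom is constructed.
"""
import csv
import io
import re


def normalize_mac(mac):
    """Canonical lower-case colon form, so AA-BB-CC-DD-EE-01, aabb.ccdd.ee01 and
    aa:bb:cc:dd:ee:01 all compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(csv_text):
    """Map normalized MAC -> inventory row."""
    return {normalize_mac(row["mac"]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def load_observed(text):
    """Map normalized MAC -> IP from 'ip mac' lines; blank and '#' lines are skipped."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac = line.split()[:2]
        seen[normalize_mac(mac)] = ip
    return seen


def reconcile(inventory, observed):
    """Return (rogue, stale).
    rogue: on the wire but not in the inventory -> investigate.
    stale: in the inventory but not seen -> a decommissioned box still listed,
           or a host that moved segments; also worth a look."""
    rogue = {mac: ip for mac, ip in observed.items() if mac not in inventory}
    stale = {mac: row for mac, row in inventory.items() if mac not in observed}
    return rogue, stale


# Constructed sample data.
INVENTORY_CSV = """mac,hostname,owner
00:11:22:33:44:55,sis-db01,Registrar
AA-BB-CC-DD-EE-01,web01,Central IT
aabb.ccdd.ee02,hr-files,HR
"""

ARP_DUMP = """# ip mac  (constructed ARP table)
10.20.1.10 00:11:22:33:44:55
10.20.1.11 aa:bb:cc:dd:ee:01
10.20.1.57 de:ad:be:ef:00:01
10.20.1.58 de:ad:be:ef:00:02
"""

if __name__ == "__main__":
    rogue, stale = reconcile(load_inventory(INVENTORY_CSV), load_observed(ARP_DUMP))
    for mac, ip in sorted(rogue.items()):
        print(f"ROGUE  {ip:15} {mac}  not in inventory")
    for mac, row in sorted(stale.items()):
        print(f"STALE  {row['hostname']:15} {mac}  in inventory, not seen")
```

Run it against a real ARP or DHCP export and a real inventory, and give anything in the ROGUE list the same triage as the rogue servers described above. MAC-based matching is defeated by a device that spoofs a listed address, so treat the result as a first pass, not proof.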
In addition to the hardware and software, you also need to know what data is stored where. This goes along with the software inventory, as databases are a target for malicious hackers. However, the data inventory should be more detailed due to the complexity of the university environment.
For example, is there a university patent office? Are students and faculty using cloud resources for processing or storing research data? Is research data shared with other universities or organizations? Do vendors have access to your infrastructure? These and many other data points need to be understood and documented so you can get a better sense of where the targets are on your network and better identify potential threat vectors. This information is key in developing your incident response plan, which can be tailored to different scenarios.
When you draft your incident response plan, you should look at the current threats facing your environment and create a baseline checklist for each of the most likely scenarios that could threaten your organization. At a basic level, you should have a plan to cover general malware threats, ransomware, distributed denial-of-service attacks (DDoS), and web page defacement.
For critical systems, identify each system that’s required for the university to conduct business and prioritize those. Some may require reaching out to the vendor or third parties, and their contact information should be included in your incident response plan. The last thing you want to be doing is searching for your vendor’s 24-hour support line during a crisis. The same thing goes for key personnel. Identify who they are and make sure you know how to get a hold of them after hours, and update the list on at least an annual basis, if not more often.
Manage and Monitor Logical Divisions
Large universities can be the size of small towns. Networks must be segmented simply to handle the number of nodes, but you also need logical subdivisions to separate business functions, manage risk, and set monitored boundaries. Network segmentation isolates traffic within a segment and lets you draw boundaries around groups of general-purpose users (email and web application users, students) and around sensitive systems. The goal is to separate higher-risk populations from sensitive data.
You should have monitoring at those boundaries so you can log and inspect what crosses them. Yes, you need to block bad incoming traffic, but you also need to restrict outgoing traffic: a compromised host that can reach anything on the Internet can call home and exfiltrate data unnoticed. You can use firewalls and intrusion prevention systems (IPS), as well as application gateways, to provide additional layers of security. These systems can be effective, but they require someone on staff to manage and monitor them, and to act on the alerts they generate.
Get a Handle on Phishing with Training and Technical Controls
The majority of compromises still begin with a phishing email. In a large enough user base, someone will nearly always click a link. No amount of training will stop this from happening. Let me repeat that a different way: training alone is not an effective strategy to combat phishing. Like any other effective security policy, user training is one important piece. However, you should also have technical controls that both limit the number of phishing emails that reach user inboxes and limit the impact if a user does click a link.
Technical controls for phishing generally fall into three main categories. The first is filtering at the server or the gateway level to keep users from ever getting the emails. Some email services like Microsoft Office 365 can do this for you, but you can also filter emails by subject line, throttle large volumes of emails from a particular domain, or strip links from emails so users can’t click them.
Additionally, once an email has been identified as a phishing attempt, blocking it at the server level will stop further instances from hitting user inboxes. Blocking is key. According to the 2017 Verizon Data Breach Investigations Report, the first user clicks on a phishing email 16 minutes after a campaign starts, but doesn’t report it until 33 minutes later. Stopping the emails before they reach users is the most effective strategy.
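The following Python script, added here as an illustration and not code from the article or from any mail product, shows the gateway-side controls just described: a subject filter, a per-sender-domain volume throttle, link stripping in the text body, and a list of confirmed-phishing Message-IDs that drops later copies before they reach inboxes. The rules, the threshold and the sample messages are constructed; a production gateway would load them from its own configuration and would also have to handle HTML bodies and attachments, which this example leaves out.

```python
"""Gateway-side phishing controls named in the article: subject filtering,
throttling by sender domain, stripping links, and blocking a confirmed
phishing message so further copies never reach inboxes. Added example; the
rules, thresholds and messages are constructed, not from any product."""
import email
import email.utils
import re
from collections import defaultdict
from email import policy

BLOCKED_SUBJECT_PATTERNS = [           # constructed rules
    re.compile(r"\bpassword (will )?expir", re.I),
    re.compile(r"\bmailbox (quota|storage) (is )?(full|exceeded)", re.I),
]
DOMAIN_RATE_LIMIT = 3                  # messages per sender domain per window (assumed)
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
LINK_MARKER = "[link removed by mail gateway]"


class Gateway:
    def __init__(self, rate_limit=DOMAIN_RATE_LIMIT):
        self.rate_limit = rate_limit
        self.domain_counts = defaultdict(int)   # reset at each throttling window
        self.known_bad_msgids = set()           # Message-IDs confirmed as phishing

    @staticmethod
    def sender_domain(msg):
        addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
        return addr.rpartition("@")[2].lower()

    def block_confirmed(self, message_id):
        """Called once the security team confirms a message is phishing: later
        copies carrying the same Message-ID are dropped at the gateway."""
        self.known_bad_msgids.add(message_id)

    @staticmethod
    def strip_links(msg):
        """Replace URLs in the text/plain body with a marker the user cannot
        click; returns the cleaned text (None if there is no text body)."""
        part = msg.get_body(preferencelist=("plain",))
        if part is None:
            return None
        cleaned = URL_RE.sub(LINK_MARKER, part.get_content())
        part.set_content(cleaned)
        return cleaned

    def process(self, raw):
        """Return ("drop", reason) or ("deliver", cleaned_body)."""
        msg = email.message_from_string(raw, policy=policy.default)
        if str(msg.get("Message-ID", "")) in self.known_bad_msgids:
            return ("drop", "Message-ID confirmed as phishing")
        subject = str(msg.get("Subject", ""))
        for pat in BLOCKED_SUBJECT_PATTERNS:
            if pat.search(subject):
                return ("drop", f"subject matched {pat.pattern!r}")
        domain = self.sender_domain(msg)
        self.domain_counts[domain] += 1
        if self.domain_counts[domain] > self.rate_limit:
            return ("drop", f"volume throttle for {domain}")
        return ("deliver", self.strip_links(msg))


def make_raw(sender, subject, body, message_id):
    """Build a minimal RFC 5322 message (constructed sample data)."""
    return (f"From: {sender}\nTo: user@example.edu\nSubject: {subject}\n"
            f"Message-ID: {message_id}\nContent-Type: text/plain; charset=utf-8\n"
            f"\n{body}\n")


SAMPLES = [
    make_raw("IT Helpdesk <helpdesk@example.net>", "Your password will expire today",
             "Reset it at http://reset.example.net/login", "<1@example.net>"),
    make_raw("Prof Smith <smith@example.edu>", "Lab meeting",
             "Slides: https://drive.example.com/x and www.example.org/notes",
             "<2@example.edu>"),
] + [make_raw("billing@bulk.example.com", f"Invoice {i}", "See attachment",
              f"<inv{i}@bulk.example.com>") for i in range(4)]


def run_demo(gw=None):
    """Run the samples through one gateway; the fourth bulk message trips the throttle."""
    gw = gw or Gateway()
    return [gw.process(raw) for raw in SAMPLES]


def confirmed_phish_demo():
    """A message that passes the static rules is delivered once; after the
    security team confirms it, the same Message-ID is dropped on resend."""
    gw = Gateway()
    raw = make_raw("docs@share.example", "Shared document",
                   "Open: https://share.example/doc", "<77@share.example>")
    first = gw.process(raw)
    gw.block_confirmed("<77@share.example>")
    second = gw.process(raw)
    return first, second


if __name__ == "__main__":
    for verdict, detail in run_demo():
        print(verdict, "-", detail)
    print(confirmed_phish_demo())
```

The order of the checks matters: the confirmed-phishing list and the subject rules run before the throttle counter is touched, so a burst of an already-known campaign never consumes a legitimate sender's quota, and link stripping only runs on mail that is going to be delivered.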
The second category of controls is host-based. The most basic of these is making sure your antivirus protection is up to date. Many phishing payloads won't have a detectable signature yet, but every reduction in what can execute on the host, however small, is still a positive. In addition to antivirus, keeping systems patched reduces the attack surface of the individual machine, because much of the malicious software delivered this way exploits known vulnerabilities for which patches are already available.
The third category of controls is outbound filtering. You can whitelist domains, but many organizations don't like the restrictive nature of not being able to go to any website. Blocking connections to known command and control (C2) servers will help prevent users from reaching malicious links and prevent compromised hosts from exfiltrating data, and a hit on such a block should also tip off your security team that something is wrong. Monitoring outbound HTTPS and DNS traffic can also be used to identify suspicious traffic coming from compromised hosts, since malware generally has to resolve and reach its C2 infrastructure before it can do much else.
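As an added example (not the article's code), the Python script below runs constructed BIND-style DNS query-log lines against a C2 blocklist, catching subdomains of a listed name as well, and adds a crude volume check for a single client hammering one domain, which is one way beaconing or DNS tunnelling shows up. The blocklist, the log layout, the log lines and the threshold are all assumptions, and the "registrable domain is the last two labels" shortcut is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Outbound DNS monitoring: match query logs against a C2 blocklist and flag
one client hammering one domain. Added example, not from the article; the
blocklist, threshold, log layout (BIND query log) and log lines are
assumed/constructed."""
import re
from collections import Counter

C2_BLOCKLIST = {"c2.bad.example", "update-check.evil.example"}   # constructed
BEACON_THRESHOLD = 20   # queries from one client to one domain per window (assumed)

# BIND-style query-log line; the optional "@0x..." token is the client pointer
# that newer BIND versions print before the address.
LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parent_domains(name):
    """Yield the name and each parent: a.b.example -> a.b.example, b.example, example."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def in_blocklist(name, blocklist=C2_BLOCKLIST):
    """True if the name or any parent is listed, so sub1.c2.bad.example is caught."""
    return any(d in blocklist for d in parent_domains(name))


def registrable(name):
    """Crude approximation: last two labels. Wrong for suffixes like .ac.uk;
    use a public-suffix list in production."""
    return ".".join(name.split(".")[-2:])


def analyze(log_text, blocklist=C2_BLOCKLIST, beacon_threshold=BEACON_THRESHOLD):
    """Return (alerts, counts): alerts are (client_ip, domain, reason) tuples,
    counts maps (client_ip, registrable_domain) -> number of queries."""
    alerts = []
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a query entry; skip
        ip, name = m["ip"], m["name"].rstrip(".").lower()
        if in_blocklist(name, blocklist):
            alerts.append((ip, name, "blocklisted C2 domain"))
        counts[(ip, registrable(name))] += 1
    for (ip, dom), n in counts.items():
        if n >= beacon_threshold:
            alerts.append((ip, dom, f"{n} queries to one domain, possible beaconing or tunneling"))
    return alerts, counts


def _line(ip, name, tag=""):
    """Constructed BIND-style query-log line."""
    return (f"12-Mar-2019 10:15:02.123 client {tag}{ip}#51234 ({name}): "
            f"query: {name} IN A +E(0)K (10.20.0.1)")


# Constructed log: one client touching a blocklisted subdomain, one client
# resolving 25 distinct labels under a single domain, and normal traffic.
SAMPLE_LOG = "\n".join(
    [_line("10.20.5.17", "www.example.edu")] * 3
    + [_line("10.20.5.17", "sub1.c2.bad.example", tag="@0x7f3c1c0a0e10 ")]
    + [_line("10.20.7.42", f"{i:04x}.t.exfil.example") for i in range(25)]
    + [_line("10.20.9.3", "www.example.edu")] * 2
    + ["this line is not a query entry and is skipped"]
)

if __name__ == "__main__":
    for ip, dom, reason in analyze(SAMPLE_LOG)[0]:
        print(f"ALERT {ip:12} {dom:28} {reason}")
```

Pair the log analysis with the block itself at the resolver, proxy or firewall: the block stops the connection in the moment, and the alert tells the security team which host to isolate and look at.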
The Insider Threat is Real
Insider threats can mean a lot of things. What we're talking about here is someone who either is an authorized user or has assumed the identity of one. In a university setting, this can be difficult to detect. For example, research and development data is often a target for nation-state actors, and some of the organizations that want to steal this information may enroll actual students in a university just to exfiltrate it. This type of situation goes beyond the capabilities of most cyber security professionals in a university setting and is a good example of when you might need to involve an expert third party.
While China is frequently pointed to as a culprit, other nations engage in similar activity. You can't assume that any or all international students have nefarious motives. However, you should have policies that detail acceptable behavior, and technical controls that limit data access to students who have a documented need for it. You should also consider Data Loss Prevention (DLP) strategies, including guidelines and technical policies governing the use of USB storage devices, monitoring the movement of large data files, using encryption appropriately, and protecting keys and certificates.
Engage with Peers
Many IT and cyber security professionals tend to overlook professional networking because we're focused on putting out fires and don't have spare time to engage with like-minded professionals. Networking doesn't have to happen only at the big conferences. It can simply be regular meetings with other professionals who are dealing with similar problems.
For example, ISC2 holds monthly chapter meetings, BSides holds regular regional events, and there are plenty of other local conferences that are free or low cost, like Data Connectors and SecureWorld. And don’t be afraid to talk with vendors at these shows. If you’re looking for help but don’t know where to start, a good vendor can provide you guidance and point you in the right direction.
There are a few key takeaways here. Always know what hardware and software is on your network and what data is stored where; keep an inventory of all of it and review it on a regular basis. Get a handle on phishing with training AND technical controls; training alone is not enough. Pay attention to possible insider threats (better safe than sorry), and make it a point to interact more with peers who are dealing with similar situations so you can exchange ideas. These are all critical pieces of an effective cyber security program.