Employing strategies to reduce campus cybersecurity threats can help limit nefarious actor access and reduce your exposure.
Long before the term ‘nation-state hackers’ was coined, the education industry had been in the crosshairs of opportunistic cyber threats. According to the most recent Verizon Data Breach Report, these attacks have moved from annoying denial-of-service attacks and access to sensitive information to being motivated by financial gain, most often from criminal hackers who ransom the institution’s or district’s encrypted data. Attacks of this nature can disrupt operations for months and take money sorely needed for programs and educational missions. Fortunately, there are strategies you can adopt to reduce your threat surface area.
When analysing how attackers entered education networks, the Verizon report identifies ‘Social Engineering’ (46%) as the top vector. Next are ‘Miscellaneous Errors’ and ‘System Intrusion’ (20% each). Social Engineering was exploited using ‘pretexting’, mainly for fraudulent payments or transfers of funds, and phishing, which tries to acquire credentials or access to a system where malware can be installed. Miscellaneous Errors were due to misconfiguration of servers without proper access controls. System Intrusion was all about hacking and malware using credentials that had either been exposed on the Dark Web and never changed, or been acquired through Social Engineering.
Armed with this knowledge, here are four strategies we’ve come up with that can be employed to help limit access or exposure.
1. Training: While the month of October has been designated as cybersecurity awareness month, diligence should not stop there. Educating students, faculty, staff, and administration on how to recognise phishing has been extremely effective. However, further training should be available for those who continue to get ‘fooled’ by increasingly sophisticated and professional emails. In addition to phishing training, employees responsible for handling payments or the transfer of funds need special training on financially targeted attacks. An audit should also be undertaken of the workflow and credentials needed in order to transfer funds. Speaking of workflow: with misconfiguration of servers ranked second highest in terms of attack surface, implementing the correct access controls must be a top priority for data centre operations engineers and research IT teams.
2. Multi-Factor Authentication (MFA): MFA is becoming a standard requirement from cybersecurity insurance companies. Almost everyone has used MFA when accessing an online account, and for universities and school districts, your Microsoft® or Google licensing should include this feature. For more advanced MFA features like conditional access, you may have to pay for additional licensing. Employing MFA creates an additional barrier the bad guys must hurdle. Luckily, the prevalence of smartphones and tablets makes MFA easy to roll out to end users.
3. Privileges: In many cases, once you authenticate to the network you are placed in a VLAN and the expectation is that the firewall will protect against unauthorised access. This construct is problematic and should be replaced with micro-segmentation strategies that permit the user to access all the content and resources needed for their role, and no more. Similar to how a cruise ship is compartmentalised so that a hull breach doesn’t fill the entire ship with water, micro-segmenting users can limit the damage incurred by a compromised account. Implementing unified network policies that apply the same micro-segmentation rules to a user whether their access is from campus Wi-Fi, Ethernet, or VPN will also reduce the network administration burden.
4. Security architecture: Traditionally, a defense-in-depth architecture is the most popular paradigm for protecting digital assets. In the ‘Castle-and-Moat’ design, everyone inside the ‘Castle’ is considered ‘trusted’, and those outside are kept out by the ‘Moat’, which could include firewalls, VPNs, and other technologies. Unfortunately, with the rise and sophistication of phishing, these trusted individuals could actually be the unwilling threat vector. Another architecture seeing renewed discussion and popularity is ‘Zero Trust’. The United States National Institute of Standards and Technology (NIST) has published several documents on Zero Trust and how to implement it. Zero Trust Architecture aligns with the previous advice about privilege and access, and at its root is about verifying the need of a device or user to access resources or network segments.
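To make the contrast between points 3 and 4 concrete, here is an added example (not code from the original post, from Alcatel-Lucent Enterprise, or from NIST) of two policy decision functions side by side: a castle-and-moat check that trusts any request originating from the campus address range, and a Zero Trust style check that verifies MFA, device posture and role need on every request while ignoring where the request came from. The roles, segments, address ranges and user records are constructed placeholders; a real deployment would source them from the identity provider and network access control system.

```python
"""Constructed example: perimeter trust vs. per-request Zero Trust decisions.

Every role, segment, IP range and user below is an assumption made up for
illustration; none of it comes from the original post.
"""
from dataclasses import dataclass, replace
import ipaddress

# Castle-and-moat: anything sourced from this range is "inside" (constructed range)
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Micro-segmentation: each role may reach only the segments it needs (constructed)
ROLE_SEGMENTS = {
    "student": {"lms", "internet"},
    "faculty": {"lms", "internet", "research-storage"},
    "finance": {"erp-payments", "internet"},
    "netops":  {"mgmt-plane", "internet"},
}

ACCESS_MEDIA = ("wifi", "ethernet", "vpn")


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    segment: str           # network segment / resource being requested
    src_ip: str
    access_medium: str     # one of ACCESS_MEDIA
    mfa_verified: bool
    device_compliant: bool # e.g. managed, patched, EDR running


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: trust is derived from network location alone."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in CAMPUS_NETS)


def zero_trust(req: Request) -> tuple[bool, str]:
    """Per-request verification of identity strength, device posture and role need.

    Location and access medium are deliberately not consulted; the same rule
    applies on Wi-Fi, Ethernet and VPN, which is the unified policy from point 3.
    Returns (allowed, reason) so denials can be logged for detection.
    """
    if not req.mfa_verified:
        return False, "mfa-missing"
    if not req.device_compliant:
        return False, "device-noncompliant"
    if req.segment not in ROLE_SEGMENTS.get(req.role, set()):
        return False, "segment-not-in-role"
    return True, "ok"


def decision_is_medium_independent(req: Request) -> bool:
    """Unified policy check: the Zero Trust decision must not change with the medium."""
    outcomes = {zero_trust(replace(req, access_medium=m))[0] for m in ACCESS_MEDIA}
    return len(outcomes) == 1


def blast_radius(role: str) -> set[str]:
    """Segments a compromised account of this role could still reach (the 'compartment')."""
    return set(ROLE_SEGMENTS.get(role, set()))


if __name__ == "__main__":
    # A phished student account, used from campus Wi-Fi, tries to reach payments.
    phished = Request("s.jones", "student", "erp-payments", "10.20.30.40",
                      "wifi", True, True)
    print("castle-and-moat:", castle_and_moat(phished))   # trusted: inside the moat
    print("zero trust:", zero_trust(phished))             # denied: not the role's need
    print("student blast radius:", blast_radius("student"))
```

The interesting case is the phished account: the perimeter check allows it simply because the source address is on campus, while the role-based check denies it and returns a reason string that a SOC can alert on. Running `decision_is_medium_independent` over a request confirms the rule gives the same answer on Wi-Fi, Ethernet and VPN, which is the property point 3 asks for.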
Additional resources you may want to check out
There are many resources available to educators within their communities and from the organisations that support them. EDUCAUSE is one example: a nonprofit association whose mission is to advance higher education using information technology. This association has community groups that enable peer-to-peer conversations about cybersecurity, network management, privacy, and wireless networking. The group provides information on how to subscribe to a free service (for educators, non-profits, and governments) called Dorkbot, which can help identify high-risk vulnerabilities in your web applications.
Another valuable resource is the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), which serves more than 650 member institutions within the higher education and research community by promoting cybersecurity operational protections and response.
The Council of Australasian University Directors of Information Technology (CAUDIT) is another organisation that provides leadership for educators. Their reference model for higher education is a valuable document to consider when undertaking a digital transformation. Additionally, their cybersecurity initiative helps members adopt appropriate risk profiles and counter ever-increasing cybersecurity threats, and in doing so, helps safeguard Australasia’s universities’ intellectual property and reputations.
For more information on this topic stay tuned for my upcoming whitepaper which will share insights into how Alcatel-Lucent Enterprise can be part of your defense-in-depth security plans. It will focus on enabling a Zero Trust Architecture to the edge of the network, including Internet of Things (IoT) devices, guests, and BYOD.