Universities and colleges are fighting a war against terror, waged by cyberenemies. The damage that hackers inflict can be serious — and life-changing. Consider what happened at the University of Central Florida in February, when an attacker stole 63,000 Social Security numbers and the names of current and former students and employees.
Many such hacks are zero-day exploits: attacks against software flaws that are unknown and therefore have no patches or recognizable patterns or signatures. That means it may take time for institutions to become aware of the infiltration. Zero-day threats are a huge problem for universities, which have become a prime target for criminals, says Nick Lewis, NET+ program manager for security and identity at Internet2, a nonprofit, member-owned advanced technology community founded by higher education institutions.
What’s more, the threat often hits the education sector harder than the business world. “Universities are affected by zero-day attacks a little differently than corporations, because many times we don’t have control over the endpoint, which causes some different challenges, especially around malware and infected websites,” says Lewis, formerly the information security officer at Saint Louis University.
A Constant Threat
The University of Arizona can attest to those challenges. With more than 35,000 students and 15,000 staff and faculty, it faces zero-day threats from phishing emails, infected websites and other dubious sources. A major problem is that zero-day threats don’t always make themselves known right away, says Gil Salazar, the university’s interim deputy information security officer.
Ezra Krumhansl, CIO at Spalding University, agrees. His university’s help desk software fell victim to a zero-day attack by Heartbleed malware that ultimately caused some data loss.
“Heartbleed was well publicized, so in the days after that, we reviewed all of our systems, applied the patches and hot fixes to remedy that problem, and discovered that our help desk server was compromised,” Krumhansl says. “After that incident, we became much more intentional in our effort to deal with zero-day attacks. They may be called zero-day threats, but they might not activate until six months or a year later, so sometimes you don’t know that you have them.”
This may be why, according to Mandiant Consulting Services’ “M-Trends 2016” report, hackers can spend an average of 146 days inside an organization’s IT perimeter before being detected.
An Unknown Enemy
Fighting back starts with a good offense, says Patricia Ciuffo, chief information security officer at the Touro College and University System. “Security, like anything, is multilayered. It’s like peeling an onion.”
Touro, which serves 17,000 students in the United States and overseas, uses targeted attack protection software and physical firewalls from various vendors. In addition, the IT department segments the network and enforces a security policy that requires anyone connecting to the network to install up-to-date anti-virus software. IT also keeps its policy updated.
In addition, Touro created an information security steering committee of senior-level managers who meet monthly to report on the information security program and approve processes and policies, Ciuffo says.
How can a university best evaluate its preparedness for zero-day threats? The first step, says Lewis, is to conduct a risk assessment to review responses to previous zero-day threats that affected the institution and identify additional ways to manage risk. For most organizations, that assessment will point to the need for an endpoint protection strategy, Lewis says.
“For managed systems, universities may have endpoint security tools in place that could include protection from zero-day threats,” he says.
Protecting endpoints isn’t always easy, though, when students, employees and visitors own and manage many of them.
One smart strategy is to assume that an infection already has occurred. At the University of Arizona, the IT team deploys OpenDNS coupled with the FireEye Threat Analytics Platform to monitor and defend its network. TAP sits on the network and listens to outgoing traffic to discover if any internal servers or endpoints are communicating back to potential hackers.
“The FireEye solution gives us the heads-up on machines that might be compromised as they go out and try to talk to their home units,” says Salazar. “We get an alert on those, and then we contact the individuals who provide IT support and work to get those issues cleared up. One of the largest attacks we’ve had due to unpatched systems was a WordPress attack that affected many sites.”
The University of Arizona also uses a vulnerability management program to assess its network and servers, says Salazar. University departments and IT support units scan systems for outdated versions, open ports and other concerns. Currently, the university is working to scan as many devices on campus as possible, with the goal of creating a baseline assessment and then protecting and patching systems.
Spalding University took several steps to fortify its system against malicious intruders. Krumhansl reviewed all servers and the network infrastructure to ensure that only required ports and services were in use, blocking or disabling any that were not essential. The university also revised its policy so that when new software or servers go into production, they use only required ports and services. To further reduce exposure, IT no longer clones servers from a standard image, instead setting up each server for a specific purpose to reduce threat exposure. Finally, the university conducts regular penetration tests of internal and external resources.
Touro also employs a multilayered approach, with firewalls that monitor 24/7 and various software resources. “We know many of the threats are on endpoints, so we’ve gone the hybrid route to make sure that those types of threats are identified as soon as they come in,” Ciuffo says. “The technology that we’re using is scanning, and then rescanning, and then notifying us right away of potential malicious attacks.”
Touro’s infrastructure design ensures that if an attack does occur, the damage stays limited, says Ciuffo. “Our IT infrastructure management and staff are security-conscious and plan for potential issues,” she says. “We’re actually isolating parts of the network, so we’re separating administrative parts from student parts and, in some areas, we have separate domains.”
The final step, Lewis says, is a strong remediation strategy based on the risk assessment. Once an institution identifies an infection, it needs to eradicate every instance of the virus or malware from the network and ensure that machines are protected against future infection.
“It’s hard to do because you’re not going to be able to check everything, obviously, and what you do work on is going to be hard and tedious,” he says. “You need standardized processes in place for detection, remediation, and continuous improvement — figuring out how the threat made it in.”
To that end, IT staff may want to connect with standards boards, vendors and other industry groups to share information and lessons learned. Ciuffo belongs to the Information Systems Audit and Control Association and the Research and Education Networking Information Sharing and Analysis Center, while Lewis recommends EDUCAUSE’s Higher Education Information Security Council. The latter offers an active email list where users can compare notes on both threats and solutions, he says.
“One of the things that is really great about the higher ed information security community is that we do work together because we know that we’ve got these exact same problems on our campus,” Lewis says. “If I can talk to one of my colleagues at a different university who maybe had a different sort of experience, I can use that to better inform what we should do on my campus.”
In the end, although institutions may be unable to prevent every zero-day attack, they can reduce risk, says Krumhansl.
“We are making every effort to prevent future attacks, but we are also continuing to develop our capability to respond to and manage attacks to mitigate the impact they have on our infrastructure and our faculty and students,” he says.