Hackers discover new vulnerabilities in operating systems and applications every day. As soon as vendors learn about those weaknesses, they scramble to address them and to issue security patches that correct the vulnerability, preventing future exploits. However, those patches can’t protect campus systems until administrators take the time to apply them. The period of time between the discovery of a security issue and the application of a patch is known as the window of vulnerability, and it’s extremely dangerous because systems and applications are exposed to a known security flaw.
Given this knowledge, we might assume that campus technology teams place a high priority on prompt application of security patches. Unfortunately, that isn’t the case. In fact, educational institutions lag far behind other industries in their responsiveness to patchable security issues, leaving themselves open to attack. In its “2017 Data Breach Investigations Report,” Verizon found that educational institutions apply only 18 percent of security patches within the 12-week period following their release. That is markedly lower than the cross-industry average of 61 percent completion during that same time period.
It may be tempting to explain this discrepancy as a result of the diverse computing environments found in higher education, but the fact is that failure to apply patches promptly creates an unacceptable risk for information systems. The open nature of higher education computing environments means that these unpatched systems are at greater risk of compromise than their counterparts on closed corporate networks. Institutions seeking to close the window of vulnerability should focus on three core issues: centralized system management, application patching and responsibility for BYOD systems.
1. Centralize System Management for Better Monitoring
Centrally managing both endpoints and servers offers an incredibly efficient way to deploy and monitor security patches across campus. With the number and frequency of security patches issued each month, it’s simply too onerous a workload to apply those patches manually. Centralized system management tools allow administrators to specify the appropriate time to deploy patches, configure a staggered rollout schedule and monitor those systems to ensure that patches are successfully installed. Administrators may then check a report to verify that systems have all current patches and flag exceptions for manual remediation.
While centralized management dramatically improves the efficiency of patch management, it doesn’t absolve administrators from all responsibility. Consumers may configure their devices to automatically download and apply updates, but this approach generally isn’t wise in an enterprise environment, such as a college’s administrative computing network.
For example, if a Microsoft patch interacts negatively with a custom application, automated patch deployment strategies may bring the entire network crashing down. A more reasonable approach to patch management combines manual testing with automated deployment. Administrators should download patches and install them in a test environment to verify proper functioning. Once patches clear this quality assurance hurdle, administrators may then push them out automatically to the entire network.
2. Don’t Forget that Campus Apps Need Patching Too
Operating systems aren’t the only system components that require patching. Applications also contain security vulnerabilities, and vendors such as Microsoft, Adobe, Oracle and Google continually roll out security updates for those applications. Administrators should keep a careful inventory of the applications used on their campuses, particularly on managed systems, and follow the same patch monitoring and deployment processes for applications that they embrace for operating systems. A flaw in Microsoft Office can lead to total system compromise just as easily as a flaw in the core Windows operating system.
3. Devise a Method to Regulate BYOD Access
Another major difference between campus and corporate networks lies in the types of systems resident on those networks. In most corporate environments, network access is tightly restricted and either limited to company-owned devices or managed through a rigorous BYOD policy that includes security screening measures. Campus networks, on the other hand, serve a diverse mix of institution-owned devices and personal devices belonging to students, faculty and staff. It’s easy for administrators to throw their hands in the air and lament their lack of control over those systems, but that’s not a satisfactory way to address the issue.
There are two effective responses to the BYOD challenge on college and university campuses. First, network administrators can segment the networks used by different classes of users and devices. The most common approach is to segregate students and guests on one network, with faculty and staff on another. This places student systems — arguably those at the greatest risk of compromise — in a position that minimizes their ability to harm systems critical to the institution.
Many colleges also implement a network access control solution that regulates the connection of devices to the campus network. Before granting a device access, the NAC product conducts a security scan of the device to verify that it has a properly configured firewall, active anti-virus software and security settings that comply with institutional policy. Systems that fail any of these checks are placed on a special quarantine network, where they do not have access to other network resources while they’re being remediated.
Patch management is a challenging issue on college and university campuses, but it is a solvable one. Campuses that use centralized system management, patch both operating systems and applications, and develop an effective approach for BYOD systems will find themselves well prepared to face future security challenges.