Ransomware. Cryptocurrency mining. Social media–borne vulnerabilities. The threats keep coming in a cybersecurity landscape already bristling with risks.
Behind a bulwark of shared frameworks and their own strategic defenses, security professionals must deploy the most effective tools, services and procedures to neutralize each threat as it arises. Yet there’s no simple formula for making those choices, says Lanita Collette, CISO at the University of Arizona, a public research university with more than 44,000 students.
“We take a hybrid approach to choosing technologies and services to address each risk,” she says. “You have more control in your own data center with your own staff, but sometimes the best solution is in the cloud or from a consultant. We explore the options for each case.”
Outside Experts Support NIST Compliance Goals
For ransomware protection, UA deploys next-generation firewall modules, endpoint security software on computers and laptops, and services that track websites generating malware, Collette says. To safeguard against illicit digital currency mining, the university relies on existing procedures, making sure that servers have up-to-date patches, as well as monitoring and logging server activity.
As an example of a hybrid approach, using a combination of in-house staff, consulting services and cloud resources, Collette and her staff were able to meet a Dec. 31, 2017, deadline requiring certain federal government contractors to comply with standards outlined in the National Institute of Standards and Technology Special Publication 800-171. The university is planning to contract with outside professional services around a NIST Cybersecurity Framework checkup on the cloud environment that houses many of the university’s enterprise applications.
“We wanted to make sure we have another set of eyes on our systems,” Collette says.
When the university considers new security solutions, Collette and her staff look to the tools and services that colleagues in other institutions are using successfully, and they pay attention to analyst reports. They rely on trusted vendors and service providers, returning to those with which UA has had good experiences. And they invest carefully.
“In higher ed, we can’t afford to always look for the cutting edge,” says Collette. “We have to be good stewards of our funding, especially because we’re a public institution. We look for the tried and true. We also, however, select tools whose capabilities can grow with our needs and that allow us to do sophisticated analysis, which is essential to modern security.”
In addition to resource constraints, security pros in higher education have an added challenge: They work in an environment that values both the free flow and the protection of information.
“There’s an inherent tension between our need to provide an open environment where people can collaborate easily and the need to protect private information,” Collette says. “From a human perspective, this is not a controlled environment that can be locked down, even if we wanted to.”
IT Pros Take a Strategic Approach to Risk Mitigation
Increasingly, security specialists in higher education are acknowledging that they can’t lock out every threat, says Joanna Grama, who directs programs in cybersecurity and in governance, risk and compliance for EDUCAUSE. That said, they can mitigate or eliminate potential risk, she adds.
“The idea used to be to stop everything, to be constantly reacting,” says Grama. “The shift now is toward layered and multiresponsive security technologies: defense in depth. The question isn’t if you’ll be breached but when you will be — or have been — breached, and how you respond.”
To build a strategy that can liberate security efforts from whack-a-mole reactivity, institutions should inventory systems and data to understand their assets and risks, says Grama.
“Then you look at your top-10 risks and ask, ‘Where can I invest modest money and effort for maximum gain?’” she says. “You turn your inventory and analysis into a procurement strategy.”
Institutions are holding their own against cyberthreats, but their budget limitations are worrying, says Grama, citing a 2016 EDUCAUSE survey indicating that, on average, institutions spend just 3 percent of their central IT budgets on information security.
“There’s a looming cybersecurity crisis in higher ed,” Grama says. “Necessary security skill sets should be evolving along with threats and technologies, and colleges often lack the resources to hire or train for them. Many small colleges can’t even afford a dedicated security specialist.”
Multilayered Security Helps Colleges Manage Emerging Threats
Earlier this year, when news broke of the processor vulnerabilities Spectre and Meltdown (disclosed in January 2018), Northwestern University CISO Tom Murphy knew two things: The threat was potentially catastrophic, and there was no easy fix.
“The question was how to deal with a flaw that could potentially impact every modern computer. We were dealing with very large numbers of endpoints,” says Murphy. Northwestern enrolls 21,000 students at campuses in Evanston, Ill.; Chicago; and Doha, Qatar.
To defend against the vulnerabilities, Northwestern mobilized its best-of-breed endpoint management systems, pushing out patches at an accelerated pace and stepping up monitoring functions. Because the flaws sit in the processors themselves, the fix was not a single patch: operating system kernels, browsers and CPU microcode each shipped their own mitigations, and all of them had to reach every endpoint.
“That was definitely all-hands-on-deck as we worked with the platforms we had deployed,” says Murphy. “We didn’t need new technology to block a threat. We needed to make full use of the tools we already had in place.”
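The "make full use of what you have" step has a concrete check behind it. The following Python script is an added example, not Northwestern's tooling: it reads the sysfs interface that Linux kernels from 4.15 onward expose for these issues (one file per vulnerability under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Vulnerable..." or "Mitigation: ..."), classifies every entry, and exits nonzero when any of the three original issues is still vulnerable or not reported at all. The sysfs path and the three-issue baseline are the assumptions; run it from endpoint management to find the hosts an accelerated patch push missed.

```python
"""Report Spectre/Meltdown mitigation status from the Linux sysfs interface.

Added example, not any university's tooling. Linux 4.15+ exposes one file per
issue under /sys/devices/system/cpu/vulnerabilities/; each file reads
"Not affected", "Vulnerable[: detail]" or "Mitigation: <name>".
"""
import os
import sys

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"   # assumed default location
# The three issues disclosed in January 2018: Meltdown, Spectre variant 1, Spectre variant 2.
FLEET_BASELINE = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one sysfs status line to 'mitigated', 'vulnerable', 'not_affected' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_statuses(sysfs_dir=SYSFS_DIR):
    """Read every file in the vulnerabilities directory into {issue: raw status}.

    A missing directory means the kernel predates the interface, which also
    means it predates the fixes; the caller treats that as 'unknown'."""
    result = {}
    if not os.path.isdir(sysfs_dir):
        return result
    for name in sorted(os.listdir(sysfs_dir)):
        path = os.path.join(sysfs_dir, name)
        try:
            with open(path) as f:
                result[name] = f.read().strip()
        except OSError as e:
            result[name] = "unreadable: %s" % e
    return result


def evaluate(statuses, required=FLEET_BASELINE):
    """Return [(issue, verdict, raw), ...]; required issues come first.

    An issue the kernel does not report is 'unknown', not 'ok': absence of the
    sysfs entry is exactly the signal that the host has not been patched."""
    findings = []
    for issue in required:
        raw = statuses.get(issue)
        verdict = "unknown" if raw is None else classify(raw)
        findings.append((issue, verdict, raw if raw is not None else "<no sysfs entry>"))
    for issue, raw in statuses.items():
        if issue not in required:   # newer variants (l1tf, mds, ...) are reported but not gated on
            findings.append((issue, classify(raw), raw))
    return findings


def needs_attention(findings):
    """True when any finding is vulnerable or unreported."""
    return any(verdict in ("vulnerable", "unknown") for _, verdict, _ in findings)


def main(argv):
    sysfs = argv[1] if len(argv) > 1 else SYSFS_DIR
    findings = evaluate(read_statuses(sysfs))
    for issue, verdict, raw in findings:
        print("%-24s %-12s %s" % (issue, verdict, raw))
    return 1 if needs_attention(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Newer kernels add files for later variants (l1tf, mds and so on); the script prints them but only gates the exit code on the three issues the text describes, which is what a January 2018 patch campaign was measuring. Extend FLEET_BASELINE as your baseline moves.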
At Northwestern University, any new solution must mesh well with the existing ecosystem and skill sets, says CISO Tom Murphy. Photo: Bob Stefko
The distribution and heterogeneity of the university’s various campuses, schools, departments and labs makes it imperative that the security strategy can “bend and flex,” says Murphy. “Research requires open forums and sharing, so our direction is to create the least restrictive but most protective environment.”
As part of that effort, Northwestern uses overlapping security frameworks: those from NIST and the International Organization for Standardization, along with those imposed by specific regulations, such as HIPAA. Security tools and services are chosen to fit the appropriate framework and the specific situation.
To combat ransomware attacks, Murphy and his team deployed Splunk Insights software, which uses statistical models and visualizations to provide real-time views of network activity that could be associated with the malware. On the other hand, a task such as log analysis, which requires the aggregation and storage of massive amounts of data, is more appropriately handled by external service providers, he says.
Many of the security technologies and services used by Northwestern are leaders in their categories, but solutions must fit into the university’s ecosystem and be a good match for existing technologies, processes and staff skills, Murphy says.
“That’s why we stress collaboration and communication from all areas of the university,” he says. “My biggest fear is that someone will make an individual decision to use a tool or service that’s not on our radar and inadvertently expose us to risk, which might even include the loss of research funding.”
Best Practices Call for Campus-Specific Security Plans
Unknown threats from newly introduced technologies are among the worries that keep Bob Turner up at night as well. For Turner, CISO of the University of Wisconsin-Madison, each new tool that a research lab or a department office deploys requires staff to quickly learn to manage its particular patch-and-update process.
“In order to deal with risk, you have to deal with the pace of technology, along with the pace of the threats that are coming at your organization,” says Turner, whose campus (the flagship of the UW system) serves almost 44,000 students.
UW-Madison relies on the NIST Risk Management Framework to shape its overarching security strategy. It uses the NIST Cybersecurity Framework when the security staff believes an event is, or could be, in progress.
The frameworks, along with the team’s knowledge of the needs of its customers, guide decisions about which technologies and services the university will deploy.
High on Turner’s list of worries are ransomware, cryptocurrency mining and the perennial threat of bad user behavior. Blocking these threats has mostly been a matter of doubling down on the procedures and technology capabilities already in place, he says.
“Protecting against ransomware has meant investing time and energy in understanding the signatures of the malware,” says Turner. “You also have to ensure that your data backup strategy is up to date and identify your most vulnerable systems, like network-attached storage, and provide extra protection.”
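Signature knowledge catches the families you have already seen; the network-attached storage Turner singles out also needs a tell that does not depend on a signature. The following Python is an added example, not UW-Madison's tooling: it runs over constructed file-server audit events and raises an alert on two behaviours that an encryption run produces and ordinary users do not, a burst of extension-changing renames by one account inside a short window, and any write to a planted canary file. The event format, share paths, canary names and thresholds are all assumptions.

```python
"""Flag ransomware-like file activity in file-server or NAS audit events.

Added example, not any university's tooling. Two signature-free tells:
  1. one account renaming many files to a new extension within a short window;
  2. any write, rename or delete touching a planted canary file.
Event lines are a constructed format:  <iso-timestamp> <host> <user> <OP> <path> [<new path>]
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

RENAME_BURST = 20                      # extension-changing renames that trip the alert...
WINDOW = timedelta(seconds=60)         # ...inside this sliding window
CANARY_NAMES = ("~$donottouch.docx", ".canary_0000.txt")   # assumed planted per share


def parse_event(line):
    """Parse one constructed audit line into a dict; RENAME carries the new path."""
    parts = line.split()
    ev = {"ts": datetime.fromisoformat(parts[0]), "host": parts[1],
          "user": parts[2], "op": parts[3], "path": parts[4]}
    if ev["op"] == "RENAME":
        ev["new_path"] = parts[5]
    return ev


def changes_extension(old, new):
    """True when a rename swaps the extension (data01.csv -> data01.csv.locked)."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(lines, burst=RENAME_BURST, window=WINDOW):
    """Return alerts as (ts, host, user, reason); one burst alert per actor."""
    alerts = []
    recent = defaultdict(deque)   # (host, user) -> timestamps of recent extension-changing renames
    burst_fired = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        actor = (ev["host"], ev["user"])
        # Canary: nobody has a legitimate reason to touch it, so any mutation is an alert.
        if os.path.basename(ev["path"]) in CANARY_NAMES and ev["op"] in ("WRITE", "RENAME", "DELETE"):
            alerts.append((ev["ts"], actor[0], actor[1], "canary touched: %s %s" % (ev["op"], ev["path"])))
        # Burst: count extension-changing renames per actor inside the sliding window.
        if ev["op"] == "RENAME" and changes_extension(ev["path"], ev["new_path"]):
            q = recent[actor]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= burst and actor not in burst_fired:
                burst_fired.add(actor)
                alerts.append((ev["ts"], actor[0], actor[1],
                               "%d extension-changing renames in %ds" % (len(q), window.seconds)))
    return alerts


def build_sample():
    """Constructed audit log: a benign edit, then a 25-file encryption run and a canary overwrite."""
    base = datetime(2018, 3, 1, 9, 12, 0)
    lines = [
        "%s nas01 asmith RENAME /shares/lab/draft.docx /shares/lab/final.docx" % base.isoformat(),
        "%s nas01 asmith WRITE /shares/lab/final.docx" % (base + timedelta(seconds=5)).isoformat(),
    ]
    for i in range(25):
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append("%s nas01 jdoe RENAME /shares/lab/data%02d.csv /shares/lab/data%02d.csv.locked" % (t, i, i))
    lines.append("%s nas01 jdoe WRITE /shares/lab/.canary_0000.txt" % (base + timedelta(seconds=50)).isoformat())
    return lines


if __name__ == "__main__":
    for ts, host, user, reason in detect(build_sample()):
        print(ts.isoformat(), host, user, reason)
```

The burst threshold will also fire on a legitimate bulk conversion script, so pair it with an allow-list of service accounts and tune the window to the share; the canary check has no such false positives, which is why it is worth planting one per share before the backups are ever needed.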
Safeguarding servers against cryptocurrency mining requires patches and aggressive monitoring: miners typically arrive through an unpatched, exposed service and reveal themselves as sustained CPU or GPU load plus outbound connections to mining pools. For certain research projects, Turner says, the loss of resource availability is potentially calamitous. The risks caused by users are rarely malicious; they’re usually the result of people ignoring or being ignorant of basic data security practices, he says. The only way to reduce those dangers is through education programs that promote good cyberhygiene.
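Both Collette (patches plus monitoring and logging of server activity) and Turner (patches plus aggressive monitoring) describe the same control without saying what the monitoring looks for. The following Python is an added example, not either university's tooling: it scores constructed process-inventory and outbound-connection records for three indicator classes, a stratum pool URL or known miner binary on the command line, the Stratum mining handshake methods in a captured payload, and sustained CPU from a binary run out of a scratch directory. The record format, hosts, addresses and thresholds are assumptions; the Stratum method names and miner binary names are the real ones.

```python
"""Flag cryptocurrency-mining indicators in server telemetry.

Added example, not any university's tooling. Input is a constructed line format:
  proc host=<h> pid=<n> user=<u> cpu=<pct> cmd="<command line>"
  net  host=<h> pid=<n> dst=<ip:port> payload='<first bytes sent>'
"""
import re
import shlex

# Stratum is the de facto pool protocol; these method names are its handshake.
STRATUM_METHODS = ("mining.subscribe", "mining.authorize", "mining.submit")
MINER_URL = re.compile(r"stratum\+(tcp|ssl)://", re.I)
MINER_BINARIES = ("xmrig", "minerd", "cpuminer", "ethminer", "nbminer")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # where dropped miners usually live
CPU_THRESHOLD = 90.0                                 # percent, sustained


def parse_record(line):
    """Parse 'kind key=value key="quoted value" ...' into a dict (shell-style quoting)."""
    tokens = shlex.split(line)
    rec = {"kind": tokens[0]}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def score_process(rec):
    """Indicators visible in a process listing; returns a list of reasons."""
    cmd = rec.get("cmd", "")
    exe = cmd.split()[0] if cmd else ""
    reasons = []
    if MINER_URL.search(cmd):
        reasons.append("stratum pool URL in command line")
    if any(name in exe.lower() for name in MINER_BINARIES):
        reasons.append("known miner binary name")
    try:
        cpu = float(rec.get("cpu", "0"))
    except ValueError:
        cpu = 0.0
    # High CPU alone is normal on a research box; high CPU from /tmp is not.
    if cpu >= CPU_THRESHOLD and exe.startswith(SCRATCH_DIRS):
        reasons.append("%.0f%% CPU from binary in scratch directory" % cpu)
    return reasons


def score_connection(rec):
    """Indicators visible in the first bytes of an outbound connection."""
    payload = rec.get("payload", "").replace(" ", "")
    for method in STRATUM_METHODS:
        if '"method":"%s"' % method in payload:
            return ["stratum method %s to %s" % (method, rec.get("dst", "?"))]
    return []


def detect(lines):
    """Return {host: [reason, ...]} for every host with at least one indicator."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = score_process(rec) if rec["kind"] == "proc" else score_connection(rec)
        if reasons:
            findings.setdefault(rec.get("host", "?"), []).extend(reasons)
    return findings


# Constructed sample telemetry; hosts, addresses, paths and the wallet are invented.
SAMPLE = [
    'proc host=web01 pid=4182 user=www-data cpu=1.3 cmd="/usr/sbin/apache2 -k start"',
    'proc host=gpu07 pid=9911 user=research cpu=98.7 cmd="/tmp/.x/kswapd0 -o stratum+tcp://203.0.113.5:3333 -u 4ABC -p x"',
    'proc host=db02 pid=2201 user=postgres cpu=94.0 cmd="/usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql"',
    'net host=gpu07 pid=9911 dst=203.0.113.5:3333 payload=\'{"id":1,"method":"mining.subscribe","params":["xmrig/5.0"]}\'',
    'net host=web01 pid=4182 dst=198.51.100.7:443 payload=\'{"id":1,"method":"user.login","params":[]}\'',
]

if __name__ == "__main__":
    for host, reasons in sorted(detect(SAMPLE).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The binary in the sample is named kswapd0 to look like a kernel thread, which is why the name list alone is not enough and the command-line and network tells carry the weight; the busy PostgreSQL server on db02 shows why raw CPU is not an indicator by itself. TLS-wrapped pools (stratum+ssl) hide the handshake, so in practice the process-side checks and a block-list of pool destinations do most of the work there.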
Even more crucial, says Turner, is that security staff have a comprehensive understanding of the computing environment and the data within.
“Know your data, its attributes and the attitudes of users toward it,” he says. “And know yourself as an organization: Know your technological limitations, know your technology options, know your key players and give them the support and attention they need. Decisions about how to meet threats will fall out from there.”