Aug 06 2019

Colleges Manage and Minimize Security Threats via Advanced Solutions, Peer Networks

Strategic security planning is holistic, comprehensive and collaborative.

Franklin & Marshall College may be 232 years old, but it has a thoroughly modern approach to cybersecurity.

Today, F&M protects its network with Palo Alto Networks firewall appliances, Splunk SIEM software to audit security logs and Duo security solutions. The technology is the easy part of cybersecurity, says CISO Alan Bowen. 

The bigger challenge, he says, is creating a holistic strategy, with input from major stakeholders.

“Ultimately, none of us are equipped to make these decisions in a vacuum,” he says. “The first thing we did at F&M was develop a governance council to handle the policy, strategy and mission of our information security program.”

After evaluating various security frameworks, the council adopted the Center for Internet Security’s Critical Security Controls. Then it began measuring the college’s practices against that framework. 

As guidance, Bowen identified 171 questions in 20 categories the council needed to address.

“For each of those control questions, we discussed and ultimately gauged where we think we are and what we thought we could achieve,” he says. “This was a time-consuming undertaking, and the council does not look forward to our annual framework update, but its importance to our security posture can’t be overstated.”

The council identified the top 10 issues with gaps between goals and performance, and then assigned risk and priorities. One key area was security awareness training.

“Our users are really smart people, but we’re just one double-click away from someone installing ransomware that would encrypt every file they have access to,” says Bowen.

Another critical element is an incident response plan that’s practiced at least once a year, he adds. Recently, F&M augmented its plan with some of the philosophies behind the Federal Emergency Management Agency’s National Incident Management System, to improve communication and the effectiveness of response efforts.

“As security people like to say, it’s not a question of whether you’ll be attacked, it’s when,” says Bowen. “Everybody is a target, even smaller schools like ours.”


The Cybersecurity Risks and Vulnerabilities Unique to Universities 

Universities’ security needs are much like those of other large enterprises — with a few key differences, says Kim Milford, executive director of the Research & Education Networks Information Sharing & Analysis Center. Headquartered at Indiana University, REN-ISAC serves as a computer incident response team for its more than 600 member institutions.

A 2016 threat analysis by REN-ISAC and the Department of Homeland Security found that colleges and research centers are slightly more likely to be victims of intellectual property theft and denial of service attacks.

At the same time, universities have far more complex environments to protect than even big businesses, with offices, classrooms, convention centers, sports arenas and even their own power plants. There are also greater demands on the budget available to pay for it all.

“We’re constantly balancing the risk of information security with other very real risks,” says Milford. “Are our classroom buildings in good repair? Do we have enough enrollment for the coming year? Is our faculty aging? If so, what can we do about that?”

Like F&M’s Bowen, Milford says user education is central to a secure campus.

“It’s easy to plug in automated controls or implement two-factor authentication,” she says. “But not training users on what to look for in a phishing attack makes them more vulnerable at home and on different computers, which leaves us all more vulnerable.”

Elgin Community College Simplified Its Firewall Protections 

At Elgin Community College, limited resources are a fact of life. 

Located 30 miles west of Chicago, the college serves roughly 15,000 students and 1,600 staffers and faculty. With just seven IT employees to handle the college’s server maintenance and network architecture, Elgin needed to streamline its security posture, says Information Security Officer Bill Forg.

To do that, Elgin had to resolve two issues. First, its firewall was nearing end of support and needed to be replaced. Second, the network used multiple firewall devices, each of which had to be configured and updated individually, putting a strain on the team’s limited resources.

A firewall upgrade at Elgin Community College simplified maintenance while giving IT staff better visibility into systems, says Information Security Officer Bill Forg.

After evaluating a range of security solutions, Elgin chose two Palo Alto Networks PA-5220 appliances for its main campus — one to ensure high availability in case of failure — and a PA-220 appliance for each of two branch locations.

One advantage of the new firewalls is their built-in intrusion detection systems, says Forg. Another is that they simplify firewall rules. Rather than managing permissions by port number, staff can use the Palo Alto dashboard to implement rules for each application.

“Instead of opening Port 80, you’re managing permissions for Facebook or another application,” he says. “It raised the bar for what we can see happening on the network and the types of traffic traveling over it.”

5 Universities Band Together for Security

When it comes to protecting cyber assets, speed is essential. The more quickly staffers can identify and mitigate threats, the faster they can prevent them from spreading and causing more damage.

Fast analysis depends on information sharing. That’s why five members of the Big Ten Academic Alliance (Indiana University Bloomington, Northwestern University, Purdue University, Rutgers University-New Brunswick and the University of Nebraska-Lincoln) launched OmniSOC, a joint security operations center.

Each day, OmniSOC security engineers pore over 4.5 to 6.5 terabytes of security alert data generated by the five institutions, looking for indicators of compromise. When they identify a possible attack on one university, they notify the others so they can mitigate the threat more quickly.

“If we see a threat that hits Indiana first but hasn’t yet hit Nebraska, we can immediately notify their security teams to respond appropriately,” says Tom Davis, executive director of OmniSOC and associate vice president of information security at IU.

Cyberattacks on universities have grown more prevalent and insidious over time, and the value of the data held by institutions is greater than ever, says Davis. Collaborative efforts like OmniSOC allow colleges to use their limited defense resources more efficiently and effectively.

“Higher education is under increasing financial restrictions,” he says. “We need to do a better job of finding ways to collaborate and pool our resources to combat a common threat. OmniSOC is our way to deal with the changing cyber landscape and increasing financial pressure.”

Michael Austin/The Ispot (Illustration); Photography by Matthew Gilson (Bill Forg)
