By necessity, universities have evolved beyond the old castle-and-moat approach to cybersecurity. In today’s highly distributed technology environment, firewalls alone cannot ensure student privacy or secure critical data.
With a proliferation of endpoints, the present push toward remote work and distance learning has heightened existing cyber risks for colleges and universities. “Traditional, ‘monolithic,’ approaches to cybersecurity are becoming less reliable,” says Richard Rudnicki, a Deloitte security specialist with 15 years of experience delivering cyber-risk and regulatory compliance solutions to higher education. “To address evolving risks, institutions should adopt multilayered approaches that involve people, process and technology.”
Known as defense in depth, this multilayered approach centers on redundancy. Having multiple layers of security controls is likely more effective than ensuring one layer is perfectly secure. Above all, the first layer of security starts with user education: Make sure all students and faculty understand the basics of safe internet use. Let’s examine some further solutions that can help enhance your DiD strategy.
MORE ON EDTECH: Download this white paper to understand effective incident response.
5 Tips for a Strong Defense-in-Depth Strategy
1. Have an intrusion detection system. Bad actors can find a way into even the most secure systems — that’s a given. By automating tasks that could otherwise be unduly burdensome to higher education IT teams, an intrusion detection system offers another layer of protection.
“With an intrusion detection system, if someone gains unauthorized access, that access is detected and you can counter that attack,” says James Globe, vice president of operations at the Center for Internet Security. “For higher ed, if they are resource-challenged or if they don’t have the needed skills, they can use a managed service provider who walks them through the setup and configuration of that system. Getting it configured correctly to detect the threats that attack you is important.”
2. Use endpoint detection and response solutions. This has become increasingly urgent in the current environment. “With so many students, faculty and staff working and learning from home, the bounds of the network don’t exist anymore. Still, a lot of universities have insufficient protections at the endpoint,” says Dell Senior Higher Education Strategist Chris Wessells.
By using behavioral analytics to prevent attacks, EDR systems deploy a lightweight agent to every endpoint. “Products like VMware Carbon Black will leverage artificial intelligence and the power of the cloud to analyze massive amounts of data — to detect and respond to any kind of anomaly that is out there,” Wessells says. “It is a much more sophisticated way to identify and catch these extremely complex attacks.”
MORE ON EDTECH: Here are 3 ways that artificial intelligence can improve campus cybersecurity.
3. Follow the NIST Cybersecurity Framework. Within the National Institute of Standards and Technology’s cybersecurity framework, “the Detect and Respond functions are critical when initial protections are breached,” says Von Welch, an acting associate vice president for information security at Indiana University. Welch is also the executive director for cybersecurity innovation at IU.
When a cybersecurity event has occurred, the Detect function can quickly understand the event’s potential impact. Meanwhile, the Respond function provides appropriate next steps to address such incidents. “The Respond function includes activities that help mitigate the impact of incidents and resolve them altogether,” says Welch. “The function also helps improve overall security posture by including activities that help staff learn from previous events and address current security weaknesses.”
4. Strengthen your data privacy strategy. “Everyone is focused on protecting devices, but in the end, it’s really about the data. Hackers want to steal your data and disclose it. They want to destroy your data, either for money or for kicks. That’s why we are seeing an uptick in ransomware attacks against educational institutions,” says Randy Marchany, Virginia Tech’s information technology security officer. Marchany is also the director of the Virginia Tech IT Security Lab.
Not all data is made equal. A sound data protection strategy starts with inventory. “Is it payroll? Is it student data? You have to know what you have,” Marchany says. “You need to find where it is stored before you can protect it.” Delete anything you no longer need, then classify the remaining data that you need to protect in order of priority. Personal information, intellectual property and financial data should always be ranked as higher-value assets.
5. Secure DNS protection. Typically offered as a managed service, secure DNS offers an automated way to identify and block potential threats. Suppose a student or a faculty member inadvertently sets a malicious process loose in the system; before the system shares data with the threat actor, secure DNS can kick in to stop it.
“That’s a call outside of the network, and those calls are associated with a domain,” Globe says “A secure DNS provider will block that request if that domain is associated with malicious activity. It takes about five minutes to register and no more than 72 hours to get it up and running. You don’t have to be a skilled IT person to do this.”
MORE ON EDTECH: 5 tips you need to know to design a safer DNS.
Factors for a Robust Defense-in-Depth Deployment
Beyond these key layers, a powerful defense-in-depth deployment should also include some essential tools, such as anti-virus software, which is critical to any security protocol. But it’s important to understand the nuances. Many products rely on signature-based detection, which is helpful but not necessarily sufficient.
Forcepoint, for example, offers an anti-virus solution with heuristic features that can scan for suspicious patterns and activities.
Universities also need strong password policies, with rules in place to ensure passwords are sufficiently complex. Hold regular user trainings to support safe handling of passwords. Password lockers, also known as vaults, can also help automate password management. This can bolster security while lightening the IT department’s workload.
Role-based access control is another key element. It limits a user’s access to only necessary information. “If an administrator who has access to multiple servers is compromised, the attacker then has access to all those servers,” Globe says. “With role-based access control, you log in just for your role. It’s also known as the least-privilege approach.”
Always remember, security is a moving target. Once all the important defense layers are in place, conduct risk assessments and make ongoing adjustments. Help these various defense tools meet your institution’s security needs.
“In higher ed, you have a very complex system and it’s also a very open system. You have students accessing the internet from the physical campus and from home. You have faculty and staff using a variety of devices,” says Rebecca Herold, a privacy consultant and member of multiple IEEE security and privacy committees.
“The risk assessment shows you where vulnerabilities exist. You look at who is accessing the data, where it is collected, what it is used for and all the controls associated with that,” Herold says. “It can be time-consuming, but it’s a critical exercise. You need to know what type of connections people have, what type of computers they are using and what risks those might pose to larger university systems. Then you can deploy all these defensive mechanisms accordingly.”
