Colleges and universities face a wide variety of risks, stemming from the diverse users of institutional resources and the many different devices those users bring to campus networks. Maintaining secure control of institutional networks, systems and data can be an overwhelming challenge. Successful institutions use a comprehensive risk management strategy that identifies threats and vulnerabilities and then prioritizes remediation activities that will result in the greatest risk reduction.
Regularly Conduct Vulnerability Scanning and Penetration Testing
One of the most important risk management processes that institutions can implement is a technology risk identification program that incorporates two security processes: vulnerability scanning and penetration testing. Vulnerability scans use automated tools to test the security posture of servers, desktops and other systems on both enterprise networks and cloud providers. Initial scans of higher education networks often reveal thousands of vulnerabilities. Robust vulnerability scanning tools allow security administrators to identify high-value assets and then prioritize vulnerabilities based on a combination of asset value and the severity of the vulnerability.
Penetration tests go a step beyond vulnerability scanning, using white-hat hackers to conduct actual attacks against institutional infrastructure to identify security vulnerabilities. These tests are more labor-intensive than vulnerability scans, but often reveal security issues that might go undetected by automated tests. Institutions building out their security programs may wish to begin with vulnerability scanning and then move on to penetration testing after completing the remediation of high-risk vulnerabilities that automated scans identify.
Server Authentication and Certificate Management Are Key
Most institutions operate a wide variety of technology services that require careful security analysis and the implementation of effective controls. For example, email services are among the most frequently compromised servers in higher education environments. Attackers know that colleges and universities operate high-volume email systems and often have lax controls around user authentication. Email services that fail to implement strong authentication practices are ideal targets for attackers who wish to leverage those high-bandwidth, trusted connections to send spam messages to third parties. Institutions should ensure that any mail sent through institutional servers, inbound or outbound, is either sent to a legitimate institutional recipient or authenticated with the credentials of a campus user.
Institutions now operate the majority of their services using a web-based, self-service approach. Web portals allow faculty to record grades, students to register for classes and employees to access payroll information, among other sensitive activities. These web-based processes rely on the use of strong HTTPS encryption to protect their confidentiality, and that encryption depends on valid digital certificates. Institutional security programs should include a robust certificate management effort that automates the prompt renewal of expiring certificates and ensures that servers do not support vulnerable encryption technologies.
Learn more about cybersecurity in higher education by downloading the white paper, "Threat Detection: Keep Campuses Safe. "