The Barbarians Are Adapting and Evolving, Are We?

Sam Segran, CIO, Texas Tech University

From the early days of pranks in college computer labs by inquisitive students to today’s government-sanctioned cyber-espionage, hacking has evolved to become a full-fletched profession. It is nourished by a growing industry of cybercriminals whose annual spoils far exceed the gross national product of many third world countries. A press release from the Bureau of Justice Statistics showed 16.6 million fell victim to Identity Theft in 2012 with financial losses totaling $24.7 billion in the United States alone. These criminals avoid legal scrutiny by using cross-border hosts, botnets, mules, bitcoins, etc. It is also relatively easy for hackers without scruples to find ready employers from across a world that has become ‘smaller’ since the advent of the Internet.

“The goal of a security program should be to minimize the cyber threats to the institution caused due to the inherent vulnerabilities in protecting the assets (data)”

Cybercriminals have evolved from pranksters to malicious and deviant hackers, economically motivated thieves and organized criminals; nation-state trained and/or sponsored hackers, hacktivists, and modern day terrorists. Cybercriminals no longer have to depend on their personal hacking skills. A thriving underground community enables them to find each other and trade in tools, stolen data (including credit card information), botnets, etc. They are constantly updating their attack methods.

A common threat vector used by cybercriminals is social engineering. They have progressed from the days of the badly written ‘Nigerian Scam’ to the current day sophisticated spear phishing schemes that use compromised email accounts and well-crafted websites with the correct logos to trick almost any-one.

These nefarious cybercriminals equipped with sophisticated attack tools, coupled with vulnerable computer systems and cyber-unaware employees, will overwhelm most organizations that have not kept up with the fast changing cyber security landscape. Higher education institutions are no exceptions.

By its nature, higher education institutions have larger attack surfaces than most other industries such as banking, energy, retail, health, government, and more. A higher education institution is, by design, an open environment that is conducive to teaching, learning, research, and outreach. Collaboration, across institutions, is crucial to achieving the learning and research missions of these institutions. Students are encouraged to pursue knowledge and external/global engagements, which are very difficult to achieve in a closed, locked-down, environment. Higher education institutions also push the limits of technology from all groups, including students, researchers, faculty, and staff.

Higher education, in general, has a constantly changing or growing population in the tens of thousands in many institutions, with entering and graduating students, and employees. It is also a test bed for an ever increasing number of mobile devices of all kinds. Some of these get thrown onto the campus networks, if not specifically restricted, the day they are released to the public, without any testing or security measures enabled.

Furthermore, traditional higher education institutions tend to be quite decentralized in terms of information technology operations, making it more difficult to implement best practices for operational controls to protect data. In addition to the difficulty in gaining the efficiencies needed for every IT dollar spent, it is also challenging to implement best practices in heavily decentralized environments to achieve the operational effectiveness in IT and data security. Given the nature of higher education, a totally centralized IT environment may not be possible either, unless the institutional culture is sufficiently accepting or if it is a smaller institution with a limited number of programs. The key is in finding the right balance to maximize the security profile of the institution without significantly impinging on the institution’s missions or the open culture of these institutions.

There are many defensive security strategies and architectural approaches to protecting institutional data. The implementation and effectiveness of these strategies are subject to available resources, IT security staff skills, capability of IT in the organization, organizational maturity, organizational culture, and senior campus administrator engagement and commitment in protecting institutional data. Higher education institutions should strive to minimize the Network, Software, and Human attack surfaces.

For data security, the general protection strategies involve one or more of three components –People, Process, and Technology. Of the ‘People’ component, maintaining a skilled, dedicated, and happy IT workforce is paramount for long-term and productive implementation of a successful IT security program that adds value to the institution instead of being a hurdle for the institution to conduct its business. Except for a few wealthy institutions, it is nearly impossible for most higher education institutions to match industry salaries to retain highly skilled IT staff, including IT security staff. Higher education needs to compensate with fair salaries, better working environments. It includes both tangible benefits like personal skill development opportunities, retirement plans, health plans, office space and intangible benefits like titles, opportunities for work-life balance, respect in the enterprise, fair treatment, and good management to enhance the work satisfaction.

While IT security staff should be continuously trained, including in appropriate security certifications (e.g. CISSP), other IT staff should also receive basic security training since security is not a standalone function. Systems designers, database administrators, server admins, programmers, and web designers should all be trained to minimize vulnerabilities in source codes, system designs and processes to mitigate known attack vectors such as SQL injection, cross site scripting, buffer overflow, and man-in-the-middle exploits. Additionally all administrators, researchers, employees, and students should also be provided awareness training to minimize opportunities for them to fall victim to phishing schemes.

It will be cost-prohibitive and operationally difficult to have the state of the art security for protecting all institutional data. Hence, institutional data should be classified into appropriate categories, e.g. sensitive, confidential, regulated, and restricted, and then the appropriate methods of data protection should be applied to each category of data according to the type of classification. These data protection strategies may include firewalls, intrusion detection systems, intrusion prevention systems, network access control, network segmentation, encryption, anti-virus, role-based access, white-listing, physical protection, and other technologies and processes. As a best practice, institutions should adopt a standard for securing data such as federal NIST Security and Privacy Controls, Top 20 Critical Controls, or a set of control standards customized for the institution.

In order to protect institutional data, it is also important that the institution have an updated set of security policies that are based on industry best practices, with appropriate exemptions. A periodic environmental assessment of the Cyber security landscape, independent 3rd party audits, coupled with intelligence from peers, security industry sources, and key vendor partners should provide a basis for tweaks to the security policies and the security posture. In a decentralized IT environment, and IT procurement review process is essential to ensure that the institution is not investing in non-supported or disapproved hardware, software, or cloud service. Information Technology will need to partner with key departments such as Purchasing, Contracting, and Legal to monitor these purchases.

Ultimately, the goal of a security program should be to minimize the cyber threats to the institution caused due to the inherent vulnerabilities in protecting the assets (data). The institution should work towards eliminating, remediating, minimizing, or accepting the vulnerabilities based on the asset value.

No institution is immune to being probed and attacked by hackers, and no amount of preparation will make us 100 percent secure. A determined cybercriminal will find a way in, given enough time. Hopefully, a well-coordinated plan, implemented successfully, will delay the attack long enough that the cybercriminal moves on to an easier target.

With a supportive leadership, a collaborative partnership, skilled IT professionals, and a Cyber security-aware University community, higher education institutions can use technology for teaching, learning, and research instead of constantly deflecting and/or recovering from cybercriminal attacks. Ultimately, real support from senior institutional leadership is crucial to protecting institutional data.