Why are higher education institutions particularly susceptible to cybersecurity threats, and what can be done to mitigate them? IT leader David Shipley, who will be speaking at the 2016 Tech Security Seminar, weighs in. The full-length article originally appeared in EDUCAUSE, a non-profit association and cutting-edge community of IT leaders and professionals committed to advancing higher education.
A flurry of recent cyber security incident headlines is illustrating a growing threat facing nearly every higher education institution in North America. Notable incidents included news this spring that Penn State University’s entire Engineering School had to be taken offline for an extensive investigation and clean-up of its network and systems. That incident was followed in August with similar news from the University of Virginia (UVA) of a targeted cyber attack against two officials whose work was connected with China.
In the summer of 2015, the news that Harvard University suffered a modest hack affecting user credentials in eight schools caused little surprise, nor did news recently that Rutgers University is spending millions this year to strengthen its security in the wake of a series of denial of service (DoS) attacks against its networks and servers.
None of this comes as a surprise. But not because of anything Penn State, UVA, Harvard, Rutgers, or other institutions may have done wrong — odds are pretty solid that their security is no worse (and may even be far better) than most other North American universities and colleges.
No, the news about these incidents isn’t a surprise because schools across North America are under a relentless assault from malicious actors of all kinds, from script kiddies looking to grow their skills to large organized cybercriminal syndicates to nation-state entities. According to the New York Times, Penn State alone dealt with more than 20 million hostile attacks on an average day last year.
Having attended the EDUCAUSE 2015 Security Professionals Conference along with security experts from some of the biggest schools in North America, I can say with confidence that the entire higher education sector is battling the same challenges, with mixed success.
Why Are Universities and Colleges a High-Priority Target?
- They are easier to attack and exploit than other entities.
- They retain hundreds of thousands if not millions or tens of millions of personal records with enough personally identifiable information (PII) to create credit files.
- They store valuable research and intellectual property.
- They often have access to third-party research, intelligence, or intellectual property (government, private sector, etc.).
- They provide a route into more secure organizations that are watching their cyber front doors.
- They are an excellent platform to use to attack others (high-speed networks and massive computation capability available).
And on top of being high-priority targets in this massive cyber siege, they’re also the most difficult networks and systems to defend.
Universities and colleges are among the most difficult environments because they are the pioneers of the modern Internet and have legacy systems, approaches to security, and most importantly cultures that predate our current hostile Internet environment by decades. They’re also the birthplace of BYOD and often operate in highly decentralized IT environments. And universities and colleges aren’t the kinds of institutions that adjust to change rapidly.
As well, in the typical fiscal environment for most public universities and colleges in North America today, it can be a tough sell when talking about the kinds of major investments required to improve their defensive posture when they must cut expenditures and negatively impact the classroom due to decreased public funding or enrollment.
The Extent of the Siege
I know what it’s like to be on the front lines of cybersecurity at a university. It’s what I do every day with team members in the Information Technology Services (ITS) department at the University of New Brunswick (UNB).
UNB is one of North America’s oldest public English-language universities, with roots going back to 1785. We have two main campuses — the founding campus in Fredericton, New Brunswick, and a rapidly growing sibling campus in the port city of Saint John — with 11,000 students and about 2,000 faculty and staff. UNB has been a technology pioneer in IT for decades, helping bring the Internet to our namesake province, and were the first university in Canada to create a faculty of computer science.
Every day our Fredericton campus experiences millions of attempts to breach the network. In a typical week this year we’ve seen as many as 83 attempts a second to remotely intrude on systems on our network (or about 51 million a week). Our servers are constantly scanned for vulnerabilities, with more than 360,000 such probes in a typical week. The vast majority of these attempts are highly automated attacks that can be dealt with fairly easily, but in some cases the sheer volume of these attacks against a small subset of targets can result in small-scale intrusions, which if not addressed quickly can cause havoc.
We are bombarded with phishing attempts and malware. In a typical year, our automated defensive technologies deal with hundreds of thousands of copies of malware sent to UNB faculty and staff.
Other tools such as our desktop antivirus software are doing a solid job of defeating most garden-variety malware, but it’s not perfect. Thanks to advanced security tools such as IBM’s Qradar SIEM, Trend Micro’s Deep Discovery Inspector advanced threat detection platform, and reporting from our Kaspersky AV system, we know that our malware defenses are 97–98 percent effective.
That still creates a potentially hazardous situation for us.
It leaves the potential for dozens of incidents every day if our automated defenses such as desktop anti-virus fail to detect and prevent threats and malware can take root, opening us up for further exploitation and attack.
We’re doing our best with processes to combat this on a daily basis, but it’s the modern equivalent of cybersecurity Whack-a-Mole.
A Delicate Balance
While we’re moving as quickly as possible in our environment, we still have to balance our security strategy against the overall IT strategy for the university. As a security professional, one of the key things I’ve learned in the past year is that the key to success is using intelligence not only for tactical and strategic responses but also for risk management and prioritization.
There’s also a delicate balance when it comes to security tool selection. While there are some definite, tangible benefits to using a single vendor’s integrated security suite, organizations should carefully weigh those advantages (which in many cases also include cost advantages) against the need to diversify technologies to ensure different approaches to threat detection and increase the odds of successfully defeating threats.
However, too diverse an ecosystem with security tools that don’t work together creates manual processes (or no processes) for sharing intelligence, which significantly slows threat response.