Colleges: Shields up!

How campus IT leaders are fighting cyber crime while maintaining compliance
Issue: March 2017
February 23, 2017

Ten years ago, few universities employed chief information security officers. Now these administrators—known as CISOs—lead teams dedicated to shielding information, systems and research from internet thieves, and to keeping up with federal regulations.

CISOs must ensure their schools are in compliance with a wide assortment of federal standards that pertain to the business of higher ed: commerce, health, research, education and industry.

“Universities are microcosms of society at large,” says Donald Welch, Penn State’s CISO. “That makes compliance a challenge.” And it is precisely that wealth of information that makes universities alluring targets for hackers.

Helen Patton, CISO at The Ohio State University, explains that much of the information stored on university computers and servers has value on the black market.

Cyberattack terms to know

DDoS (distributed denial of service): Computers from many systems are used—often unknowingly—to attack and stall a network. A common example is a virus that sends a flood of email or comments that bring a system to a halt.

“There are passwords, access to financial systems and personal information. There is also intellectual property theft,” she says. “We see nation-state threats, groups trying to infiltrate our research to get the information now or just to have it available to retrieve as research is developed.”

As campus leaders work to keep data secure, they’re also navigating the need to comply with an increasing number of federal rules and regulations that guide, and in some cases dictate, how data is handled.

Comply and contain

An added compliance challenge lies in the fluid nature of standards. For example, as of mid-February, the Federal Trade Commission was calling for comments on its Safeguards Rule, of which the Gramm-Leach-Bliley Act (GLBA) is a part.

Directed at how to collect and keep financial information on students, parents and employees, GLBA currently offers guidelines that individual colleges can decide how to follow based on their own situation.

But the FTC may make those guidelines hard regulations. Educause has come out against the change, noting that security relies on the flexibility allowed by the current system.

Overall, officials at individual colleges and universities are developing their own compliance and security plans, using existing frameworks along with suggested or required levels of compliance and security to meet or exceed standards.

CISOs must figure out the big picture of how to comply while providing adequate data security—a daily concern. “You can be completely compliant and still experience a breach, and this is one of the challenges,” Patton says.

Cyberattack terms to know (cont.)

Internet of Things attacks: Automated systems such as lighting and heating can be hacked and used to mount attacks on larger networks and services, such as Amazon or Netflix. And the lighting and heating systems themselves can be breached, leading to cold, dark classrooms.

Within the frameworks, the minimum levels of security controls are designed to meet standards set out by federal regulations, whether those are GLBA or other federal standards.

Robert Turner, CISO at University of Wisconsin–Madison, uses a six-step approach to security and compliance:

1. Categorize the system, which involves assessing it and assigning a low, moderate or high classification.

2. Assign security controls based on categorization.

3. Ensure secure control design and implementation, with code developers and system architects involved.

4. Make risk assessments. Turner’s team assesses the risks in an operational environment, making sure the system meets security standards.

5. Provide system approval. Turner notes that “the intent is to have the risk decision made at the level where it makes the most sense.”

6. Manage continuous surveillance and mitigation, if needed.

Internal and external audits help CISOs identify weaknesses. The security officers interviewed for this story say the smart move is to do these audits independently and regularly, because audits will definitely come if a breach occurs.

Cyberattack terms to know (cont.)

Malware: Malicious software, such as a virus, that enters a computer or system by hiding in an infected link or download. A user who clicks on that link or file unknowingly disables or infects that computer or, worse, an entire network.

Training to fight cybercrime

Many schools have online training modules that walk users through the rules and regulations they need to know for compliance and security.

Each module focuses on a particular set of regulations needed by each department—Health Protection and Promotion Act (HPPA) regulations for medical departments, or GLBA regulations for financial services, for example—but training should go beyond that.

CISOs want all system users to practice “good cyberhygiene” by creating strong passwords, using two- (or multi-) factor authentication, learning to spot phishing emails and performing regular system backups.

At Dartmouth College, CISO Steven Nyman counts on the school’s roughly 70 information security representatives, who work in different departments throughout the college. The reps ensure that the baseline controls are in place.

Penn State’s Welch says only credible strategies will lead a campus to understand the importance of training and compliance. “If you come in and say we are going to lock things down like the Department of Defense, you won’t get buy-in. Research universities have to allow for innovation, creativity and discovery.”

Cyberattack terms to know (cont.)

Phishing (and vishing): Email scams that appear to be from a legitimate source but are really ways of obtaining confidential information. Vishing is a term for a similar phone or voicemail scam.

Costs of a breach

Just how much could an IT security breach cost an institution? That varies according to the scope of the attack, says Patton.

If you do not have a security team in place and you have not thought about breaches ahead of time, it can be costly to do the forensics when an incident happens—identifying where the breach occurred, how long it existed before discovery and what was lost.

Financial losses include fines from governmental agencies if compliance is found lacking—fines are attached to HPPA breaches, for example. Legal fees and the costs of credit monitoring for individuals if personal data was compromised add up quickly.

And compromised software or equipment may need expensive repairs or modifications.

Cyberattack terms to know (cont.)

Ransomware: Hackers lock users out of their network and demand payment to unlock it. While some victims think it is easier to “just pay” the ransom, that’s a big gamble, says Bob Turner, from University of Wisconsin. His advice: Keep a recent backup, detect the breach quickly, rebuild lost data and move forward. Don’t pay.

A breach may lead to a subsequent loss of federal research funding or financial aid.

Finally, a breach hits any institution’s reputation. Students, staff and faculty rely on institutions to protect all sorts of private information. A big, well-publicized breach might scare away potential faculty and students—with their tuition dollars.

Never-ending vigilance

CISOs need to move fast to embrace effective risk-based management strategies, as federally backed research grants and programs now have compliance requirements built in, says Turner.

“The struggle is that in focusing on compliance, we do not fully address security concerns. But when we focus first on security—cyberhygiene 101—we have a better chance of being compliant out of the gate.”

The work will never be done. “This is a constant battle,” says Welch. “When I got into this business I looked at the simple things we could do. Twenty years later, the problems are still there.”

Cyberattack terms to know (cont.)

Zero Day attacks: Hackers exploit undetected weaknesses or vulnerabilities in hardware or software before developers know they exist or before they patch the vulnerability. Because such attacks are hard to detect and impossible to anticipate, systems security administrators have “zero” days to respond to the attack, and often need time to even identify what, if anything, has been compromised.

OSU’s Patton sounds a bit of a wakeup call to all universities: In general industry, security accounts for seven to 10 percent of IT spending. In the financial services sector, seven to 10 percent of net profit is spent on security. But in higher education, less than 2 percent of the IT budget goes to security, according to Educause data.

“We are behind the eight ball,” she says. “We should be spending more than the industry average, not less, to catch up. We have underinvested in security and it will come back to haunt us.”

Barb Freda is a North-Carolina-based writer who frequently covers technology.