Retired Brig. Gen. Charles “Charly” Shugg of the United States Air Force provides strategic guidance and insight for Sylint Group, a cybersecurity and forensics firm that addresses breaches and precedent-setting court cases for higher education and multiple entities, including Fortune 500 companies. He was a key architect and strategic planner of the U.S. Air Force’s cyberspace operations program.
Shugg will share a prioritized list of cybersecurity measures to reduce risk and maintain security awareness in higher ed at UB Tech® 2020, to be held June 15-17 in Las Vegas. He will also describe the intents, tactics and appearances of cyberattackers.
How seriously are higher ed leaders taking cybersecurity breaches?
The level of seriousness isn’t as high as it should be, but there has been a rise lately due to increased awareness. Unfortunately, a large amount of that awareness comes from leadership’s firsthand experience with breaches against their own institution.
Many leaders don’t realize the amount of accessible sensitive data that’s associated with their institution. This doesn’t just include alumni information, but data of prospective students who applied yet didn’t even attend. Most institutions don’t purge that data from their systems, which is simply an unnecessary risk.
What is an example of a cybersecurity breach you plan to share at UB Tech®?
We recently had a university fall victim to a phishing email that targeted a student account. Phishing attacks are inexpensive and easy for attackers to employ. The attacker got into the university system, moved unimpeded throughout the whole network, and then monetized the breach by encrypting files. If university officials had followed five basic security principles, they could have broken a long chain of malicious events before succumbing to the unauthorized encryption.
1. The university didn’t have an email filter in place that could have blocked most of its potential spam and malicious emails.
2. Even though the university had anti-virus software, it was not updated. To be effective, this software has to be deployed on every device in the network and constantly updated to keep up with threats.
3. The university didn’t employ network segmentation. Segmentation minimizes the potential impact of breaches by creating internal barriers that require credentials to access. For example, only give students access to student databases, so if a student account becomes compromised, the attacker’s access is limited.
4. IT wasn’t properly trained for potential security incidents and didn’t have a notification plan. IT misdiagnosed the incident numerous times before bringing in incident response experts to investigate; it was too late.
5. The university didn’t retain security logs so mediation and notifying people whose files were affected or stolen were more difficult if not impossible. If there isn’t enough data to prove what happened, then a legal team has to get involved to notify affected stakeholders and potentially litigate; this is expensive.
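As an added illustration of points 3 and 5 (this is not code from the article or from Sylint), the script below reconstructs the chain Shugg describes from retained logs, from student-account login through movement into non-student resources to bulk file encryption, and flags where a role-based segmentation policy would have stopped it. The log format, the account name, the resource names and the policy are all constructed for the example.

```python
"""Added example: with retained logs, trace a compromised student account
from login to lateral access to bulk encryption, and flag the accesses a
segmentation policy should have denied.  Everything below is constructed."""
import re
from collections import defaultdict

# Constructed log lines: one authentication, three resource accesses and
# one bulk file-rename event for the same (hypothetical) student account.
LOGS = """\
2020-03-02T09:14:03 auth user=jdoe role=student result=ok src=203.0.113.9
2020-03-02T09:20:41 access user=jdoe resource=student-portal result=ok
2020-03-02T09:31:12 access user=jdoe resource=hr-fileshare result=ok
2020-03-02T09:33:50 access user=jdoe resource=finance-db result=ok
2020-03-02T10:02:07 file user=jdoe op=rename count=4120 ext=.locked
""".splitlines()

# Constructed segmentation policy (point 3): resources each role may reach.
ALLOWED = {"student": {"student-portal", "library"},
           "staff": {"student-portal", "library", "hr-fileshare"}}
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'timestamp kind k=v k=v ...' into a dict of fields."""
    ts, kind, rest = line.split(" ", 2)
    ev = dict(FIELD.findall(rest))
    ev.update(ts=ts, kind=kind)
    return ev

def analyse(lines):
    """Return per-user timeline, segmentation violations and encryption signs."""
    role, timeline = {}, defaultdict(list)
    violations, encryption = [], []
    for ev in map(parse, lines):
        u = ev["user"]
        timeline[u].append((ev["ts"], ev["kind"], ev.get("resource") or ev.get("op")))
        if ev["kind"] == "auth":
            role[u] = ev["role"]                       # role learned at login
        elif ev["kind"] == "access":
            if ev["resource"] not in ALLOWED.get(role.get(u), set()):
                violations.append((ev["ts"], u, ev["resource"]))
        elif ev["kind"] == "file" and ev["op"] == "rename" and int(ev["count"]) > 1000:
            encryption.append((ev["ts"], u, int(ev["count"]), ev["ext"]))
    return {"timeline": dict(timeline), "violations": violations, "encryption": encryption}

if __name__ == "__main__":
    r = analyse(LOGS)
    for v in r["violations"]:
        print("segmentation violation (student reached non-student resource):", v)
    for e in r["encryption"]:
        print("bulk rename, possible encryption in progress:", e)
```

Without the retained lines the timeline cannot be rebuilt, which is the situation point 5 describes; with the policy enforced at the network boundary, the two flagged accesses would have been denied rather than merely logged.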
How can leaders ensure IT security investments are a good use of funds?
First, universities do not have to equally protect their entire network. Leaders can save money by identifying where the sensitive data resides and condensing security efforts to protect those areas.
Second, many universities unfairly expect too much from their IT department. Let IT manage day-to-day operations and respond to initial crises. Audit and compliance should have a more active role in developing long-term cybersecurity strategies and concentrate on monitoring and ensuring that basics are being accomplished. Requiring IT to do everything relating to the network can easily overwhelm their resources.
Third, realize that most breaches are the result of overlooking basic security vulnerabilities. Instead of concentrating on the most advanced threats, or acquiring the newest technologies, focus on basics, such as ensuring that anti-virus software is properly employed.