Back-to-school looks a lot different in a pandemic, as college students and faculty are learning as classes resume. Security leaders in higher education face a new level of technical challenges as their institutions implement remote-only or hybrid learning models for the 2020-2021 year.
As Helen Patton, CISO of Ohio State University, explained in a virtual roundtable of university CISOs, the underlying risks haven't changed much. Higher education has a number of remote employees, from on-site researchers to students doing distance learning. What has changed is how many people are doing this: Normally, most are on campus and only a small number are remote.
"Come spring of this year, of course, we flipped that model almost completely and pretty much everybody was not only offsite, but offsite in home environments that we have no visibility into, that we can't control," she said. As a result, the nature of the threat profile changed.
Most CISOs might approach this in a similar vein to incident response, said Erik Decker, chief security and privacy officer at University of Chicago Medicine. While this is a familiar reaction, they soon found they couldn't run an incident response-type program over the longer term.
The indefinite nature of this pandemic forced CISOs to sit down with their teams and examine how the threat profile changed, where the attack surface is, and where they should rethink their current strategies. It started with a short-term plan to get over the initial hurdle; now, they're creating new policy changes and planning for following quarters in the "new normal."
"For us and pretty much every single one of my CISO peers I've spoken to, this was a very big event where all of our plans shifted dramatically, and we had to shift with the organization to be able to support what needed to be done," Decker explained.
Among the core threats CISOs are most concerned about are dramatic increases in phishing and vulnerability of user devices given the lack of visibility and control mechanisms. As part of the discussion, they shared tactics for addressing security threats that are top of mind. Common attack vectors include credential theft, phishing, malware droppers, and remote desktop exploits.
How to Catch a Phish
Stanford, for example, had already implemented a program called Cardinal Key that was intended to eliminate passwords. Students use the Cardinal Key in lieu of their user IDs and passwords for Web-based logins so they don't need a username, password, and multifactor authentication.
"That Cardinal Key mechanism not only allows us simpler logins, which is something we've wanted to do for a long time … but it also gives us the mechanism to ensure all of our user devices are secure no matter where they are in the world," said Stanford CISO Michael Duff, who also noted the university already had endpoint management and protection in place.
Ohio State doubled down on user training, said Patton, who noted students aren't quite as technical as widely believed. Sure, they know about their favorite social media platforms or apps, but they don't know that much about new technologies or how to stay secure when handling them. The university sends phishing emails to all students and staff as a training opportunity, she said. An awareness platform it used prior to COVID-19 was adjusted to focus on new topics: "How do you secure a home network?" and "What kinds of COVID-themed scams might you encounter?"
"We recognize phishing as the single greatest threat to our privacy and security today, by a long shot," Duff said. Similarly, Stanford does biweekly phishing campaigns for all of its employees. The COVID-19-themed phishing attacks have likely been more successful, he said, but he attributed this to pandemic-related panic rather than the increase of people working from home. While phishing normally declines as students leave for the summer, this year it remained constant. Still, Duff added, awareness training won't solve all problems. Universities have accelerated programs to implement new security technologies and data protection strategies.
'A' for Acceleration
The University of Chicago's Decker said the pandemic accelerated efforts to increase visibility and response. It decided on a hybrid model with a managed service provider and created a formal program for what the MSP would do and what the university would do internally. The team also expanded capabilities they already had in the works: new log sources, new visibility touchpoints, and automation work around threat intelligence and ingestion of data feeds.
"These are great windows where maybe you have some visibility gaps that you've been wanting to shore up for some time, and you can get the attention to get through that whereas before there might've been some drag or resistance," he said. "Capitalizing on that was useful."
Data-related concerns led CISOs to have conversations with academics and researchers about when and how information would be protected.
"What's unique in higher education, compared to other industries, is you don't just classify data and protect it according to that classification," said Patton. "What happens in higher ed is it depends on where they are in the life cycle of research."
Different points of this life cycle demand different control requirements, she explained. At the start of the research process, academics don't care much about confidentiality. Those concerns arise when they're creating a thesis or putting a patent on it. When it's time to publish, they want to open their work up to the world. This approach is not scalable, Patton noted, and it takes individual conversations with each researcher.
Looking ahead, CISOs are concerned about what may happen if employees stay remote for the long haul. While there are things students can do to stay safe in the meantime – applying OS updates, not reusing passwords, patching apps – permanent remote work will bring challenges.
"The prospect of being at home permanently, and everything that entails, there's a lot of extra things to consider in that front," said Decker.