Dark Reading is part of the Informa Tech Division of Informa PLC



Higher Education CISOs Share COVID-19 Response Stories

Security leaders from Stanford, Ohio State, and the University of Chicago share challenges and response tactics from the COVID-19 pandemic.

Back-to-school looks a lot different in a pandemic, as college students and faculty are learning as classes resume. Security leaders in higher education face a new level of technical challenges as their institutions implement remote-only or hybrid learning models for the 2020-2021 year. 

As Helen Patton, CISO of Ohio State University, explained in a virtual roundtable of university CISOs, the underlying risks haven't changed much. Higher education has long had a remote population, from researchers working away from campus to students doing distance learning. What has changed is the number of people doing this: Normally, most are on campus and only a small number are remote.

"Come spring of this year, of course, we flipped that model almost completely and pretty much everybody was not only offsite, but offsite in home environments that we have no visibility into, that we can't control," she said. As a result, the nature of the threat profile changed.


Most CISOs initially approached the pandemic much as they would an incident response, said Erik Decker, chief security and privacy officer at University of Chicago Medicine. While this is a familiar reaction, they soon found they couldn't run an incident response-type program over the longer term.

The indefinite nature of this pandemic forced CISOs to sit down with their teams and examine how the threat profile changed, where the attack surface is, and where they should rethink their current strategies. It started with a short-term plan to get over the initial hurdle; now, they're creating new policy changes and planning for following quarters in the "new normal."

"For us and pretty much every single one of my CISO peers I've spoken to, this was a very big event where all of our plans shifted dramatically, and we had to shift with the organization to be able to support what needed to be done," Decker explained.

Among the core threats CISOs are most concerned about are dramatic increases in phishing and the vulnerability of user devices, given the lack of visibility into and control over home environments. As part of the discussion, they shared tactics for addressing the security threats that are top of mind. Common attack vectors include credential theft, phishing, malware droppers, and remote desktop exploits.

How to Catch a Phish
Stanford, for example, had already implemented a program called Cardinal Key that was intended to eliminate passwords. Students use the Cardinal Key in lieu of their user IDs and passwords for Web-based logins so they don't need a username, password, and multifactor authentication.

"That Cardinal Key mechanism not only allows us simpler logins, which is something we've wanted to do for a long time … but it also gives us the mechanism to ensure all of our user devices are secure no matter where they are in the world," said Stanford CISO Michael Duff, who also noted the university already had endpoint management and protection in place.

Ohio State doubled down on user training, said Patton, who noted students aren't quite as technical as widely believed. Sure, they know about their favorite social media platforms or apps, but they don't know that much about new technologies or how to stay secure when handling them. The university sends phishing emails to all students and staff as a training opportunity, she said. An awareness platform it used prior to COVID-19 was adjusted to focus on new topics: "How do you secure a home network?" and "What kinds of COVID-themed scams might you encounter?" 

"We recognize phishing as the single greatest threat to our privacy and security today, by a long shot," Duff said. Similarly, Stanford runs biweekly phishing simulations for all of its employees. The COVID-19-themed phishing attacks have likely been more successful, he said, but he attributed this to pandemic-related panic rather than to the increase in people working from home. While phishing normally declines as students leave for the summer, this year it remained constant. Still, Duff added, awareness training won't solve all problems. Universities have accelerated programs to implement new security technologies and data protection strategies.

'A' for Acceleration
The University of Chicago's Decker said the pandemic accelerated efforts to increase visibility and response capability. The university decided on a hybrid model with a managed service provider (MSP) and created a formal program defining what the MSP would do and what the university would handle internally. The team also expanded capabilities it already had in the works: new log sources, new visibility touchpoints, and automation around threat intelligence and the ingestion of data feeds.

"These are great windows where maybe you have some visibility gaps that you've been wanting to shore up for some time, and you can get the attention to get through that whereas before there might've been some drag or resistance," he said. "Capitalizing on that was useful."

Data-related concerns led CISOs to have conversations with academics and researchers about when and how information would be protected. 

"What's unique in higher education, compared to other industries, is you don't just classify data and protect it according to that classification," said Patton. "What happens in higher ed is it depends on where they are in the life cycle of research."

Different points of this life cycle demand different control requirements, she explained. At the start of the research process, academics don't care much about confidentiality. Those concerns arise when they're creating a thesis or putting a patent on it. When it's time to publish, they want to open their work up to the world. This approach is not scalable, Patton noted, and it takes individual conversations with each researcher.

Looking ahead, CISOs are concerned about what may happen if employees stay remote for the long haul. While there are things students can do to stay safe in the meantime – applying OS updates, not reusing passwords, patching apps – permanent remote work will bring challenges.

"The prospect of being at home permanently, and everything that entails, there's a lot of extra things to consider in that front," said Decker.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
