Threat Intelligence

8/26/2020
05:45 PM

Higher Education CISOs Share COVID-19 Response Stories

Security leaders from Stanford, Ohio State, and the University of Chicago share challenges and response tactics from the COVID-19 pandemic.

Back-to-school looks a lot different in a pandemic, as college students and faculty are learning as classes resume. Security leaders in higher education face a new level of technical challenges as their institutions implement remote-only or hybrid learning models for the 2020-2021 year. 

As Helen Patton, CISO of Ohio State University, explained in a virtual roundtable of university CISOs, the underlying risks haven't changed much. Higher education has always had a number of remote users, from off-site researchers to students doing distance learning. What has changed is the quantity of people doing this: Normally, most are on campus and only a small number are remote.

"Come spring of this year, of course, we flipped that model almost completely and pretty much everybody was not only offsite, but offsite in home environments that we have no visibility into, that we can't control," she said. As a result, the nature of the threat profile changed.

Most CISOs approached this in a similar vein to incident response, said Erik Decker, chief security and privacy officer at University of Chicago Medicine. While this is a familiar reaction, they soon found they couldn't run an incident-response-style program over the longer term.

The indefinite nature of this pandemic forced CISOs to sit down with their teams and examine how the threat profile changed, where the attack surface is, and where they should rethink their current strategies. It started with a short-term plan to get over the initial hurdle; now, they're creating new policy changes and planning for following quarters in the "new normal."

"For us and pretty much every single one of my CISO peers I've spoken to, this was a very big event where all of our plans shifted dramatically, and we had to shift with the organization to be able to support what needed to be done," Decker explained.

Among the core threats CISOs are most concerned about are dramatic increases in phishing and the vulnerability of user devices, given the lack of visibility and control mechanisms. As part of the discussion, they shared tactics for addressing the security threats that are top of mind. Common attack vectors include credential theft, phishing, malware droppers, and remote desktop exploits.

How to Catch a Phish
Stanford, for example, had already implemented a program called Cardinal Key that was intended to eliminate passwords. Students use the Cardinal Key in lieu of their user IDs and passwords for Web-based logins so they don't need a username, password, and multifactor authentication.

"That Cardinal Key mechanism not only allows us simpler logins, which is something we've wanted to do for a long time … but it also gives us the mechanism to ensure all of our user devices are secure no matter where they are in the world," said Stanford CISO Michael Duff, who also noted the university already had endpoint management and protection in place.

Ohio State doubled down on user training, said Patton, who noted students aren't quite as technical as widely believed. Sure, they know about their favorite social media platforms or apps, but they don't know that much about new technologies or how to stay secure when handling them. The university sends phishing emails to all students and staff as a training opportunity, she said. An awareness platform it used prior to COVID-19 was adjusted to focus on new topics: "How do you secure a home network?" and "What kinds of COVID-themed scams might you encounter?" 

"We recognize phishing as the single greatest threat to our privacy and security today, by a long shot," Duff said. Similarly, Stanford runs biweekly phishing campaigns for all of its employees. The COVID-19-themed phishing attacks have likely been more successful, he said, but he attributed this to pandemic-related panic rather than to the increase in people working from home. While phishing normally declines as students leave for the summer, this year it remained constant. Still, Duff added, awareness training won't solve all problems. Universities have accelerated programs to implement new security technologies and data protection strategies.

'A' for Acceleration
The University of Chicago's Decker said the pandemic accelerated efforts to increase visibility and response. It decided on a hybrid model with a managed service provider and created a formal program for what the MSP would do and what the university would do internally. The team also expanded capabilities they already had in the works: new log sources, new visibility touchpoints, and automation work around threat intelligence and ingestion of data feeds.

"These are great windows where maybe you have some visibility gaps that you've been wanting to shore up for some time, and you can get the attention to get through that whereas before there might've been some drag or resistance," he said. "Capitalizing on that was useful."

Data-related concerns led CISOs to have conversations with academics and researchers about when and how information would be protected. 

"What's unique in higher education, compared to other industries, is you don't just classify data and protect it according to that classification," said Patton. "What happens in higher ed is it depends on where they are in the life cycle of research."

Different points of this life cycle demand different control requirements, she explained. At the start of the research process, academics don't care much about confidentiality. Those concerns arise when they're creating a thesis or putting a patent on it. When it's time to publish, they want to open their work up to the world. This approach is not scalable, Patton noted, and it takes individual conversations with each researcher.

Looking ahead, CISOs are concerned about what may happen if employees stay remote for the long haul. While there are things students can do to stay safe in the meantime – applying OS updates, not reusing passwords, patching apps – permanent remote work will bring challenges.

"The prospect of being at home permanently, and everything that entails, there's a lot of extra things to consider in that front," said Decker.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...