Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:45 PM
Connect Directly

Higher Education CISOs Share COVID-19 Response Stories

Security leaders from Stanford, Ohio State, and the University of Chicago share challenges and response tactics from the COVID-19 pandemic.

Back-to-school looks a lot different in a pandemic, as college students and faculty are learning as classes resume. Security leaders in higher education face a new level of technical challenges as their institutions implement remote-only or hybrid learning models for the 2020-2021 year. 

As Helen Patton, CISO of Ohio State University, explained in a virtual roundtable of university CISOs, underlying risks haven't changed much. Higher education has a number of remote employees, from on-site researchers to students doing distance learning. What has changed is the quantity of people doing this: Normally, most are on campus and only a small amount are remote.

"Come spring of this year, of course, we flipped that model almost completely and pretty much everybody was not only offsite, but offsite in home environments that we have no visibility into, that we can't control," she said. As a result, the nature of the threat profile changed.

Related Content:

7 Ways to Keep Your Remote Workforce Safe

Attackers Use Unicode & HTML to Bypass Email Security Tools

Most CISOs might approach this in a similar vein to incident response, said Erik Decker, chief security and privacy officer at University of Chicago Medicine. While this is a familiar reaction, they soon found they couldn't run an incident response-type of program in the longer term.

The indefinite nature of this pandemic forced CISOs to sit down with their teams and examine how the threat profile changed, where the attack surface is, and where they should rethink their current strategies. It started with a short-term plan to get over the initial hurdle; now, they're creating new policy changes and planning for following quarters in the "new normal."

"For us and pretty much every single one of my CISO peers I've spoken to, this was a very big event where all of our plans shifted dramatically, and we had to shift with the organization to be able to support what needed to be done," Decker explained.

Among the core threats CISOs are most concerned about are dramatic increases in phishing and vulnerability of user devices given the lack of visibility and control mechanisms. As part of the discussion, they shared tactics for addressing security threats that are top of mind. Common attack vectors include credential theft, phishing, malware droppers, and remote desktop exploits.  

How to Catch a Phish
Stanford, for example, had already implemented a program called Cardinal Key that was intended to eliminate passwords. Students use the Cardinal Key in lieu of their user IDs and passwords for Web-based logins so they don't need a username, password, and multifactor authentication.

"That Cardinal Key mechanism not only allows us simpler logins, which is something we've wanted to do for a long time … but it also gives us the mechanism to ensure all of our user devices are secure no matter where they are in the world," said Stanford CISO Michael Duff, who also noted the university already had endpoint management and protection in place.

Ohio State doubled down on user training, said Patton, who noted students aren't quite as technical as widely believed. Sure, they know about their favorite social media platforms or apps, but they don't know that much about new technologies or how to stay secure when handling them. The university sends phishing emails to all students and staff as a training opportunity, she said. An awareness platform it used prior to COVID-19 was adjusted to focus on new topics: "How do you secure a home network?" and "What kinds of COVID-themed scams might you encounter?" 

"We recognize phishing as the single greatest threat to our privacy and security today, by a long shot," Duff said. Similarly, Stanford does biweekly phishing campaigns for all of its employees. The COVID-19-themed phishing attacks have likely been more successful, he said, but he attributed this to pandemic-related panic rather than the increase of people working from home. While phishing normally declines as students leave for the summer, this year it remained constant. Still, Duff added, awareness training won't solve all problems. Universities have accelerated programs to implement new security technologies and data protection strategies. 

'A' for Acceleration
The University of Chicago's Decker said the pandemic accelerated efforts to increase visibility and response. It decided on a hybrid model with a managed service provider and created a formal program for what the MSP would do and what the university would do internally. The team also expanded capabilities they already had in the works: new log sources, new visibility touchpoints, and automation work around threat intelligence and ingestion of data feeds.

"These are great windows where maybe you have some visibility gaps that you've been wanting to shore up for some time, and you can get the attention to get through that whereas before there might've been some drag or resistance," he said. "Capitalizing on that was useful."

Data-related concerns led CISOs to have conversations with academics and researchers about when and how information would be protected. 

"What's unique in higher education, compared to other industries, is you don't just classify data and protect it according to that classification," said Patton. "What happens in higher ed is it depends on where they are in the life cycle of research."

Different points of this life cycle demand different control requirements, she explained. At the start of the research process, academics don't care much about confidentiality. Those concerns arise when they're creating a thesis or putting a patent on it. When it's time to publish, they want to open their work up to the world. This approach is not scalable, Patton noted, and it takes individual conversations with each researcher.

Looking ahead, CISOs are concerned about what may happen if employees stay remote for the long haul. While there are things students can do to stay safe in the meantime – applying OS updates, not reusing passwords, patching apps – permanent remote work will bring challenges.

"The prospect of being at home permanently, and everything that entails, there's a lot of extra things to consider in that front," said Decker.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.