Be true to your school
Colleges and universities are generally considered settings for learning, openness, and ideas. Students and professors alike are encouraged to explore new thinking and push boundaries. The best academic universities on the planet have entire departments devoted to researching subjects that are studied almost nowhere else. All of this individuality and exploration is a boon for those on the education end. Those on the information security end, on the other hand, face a set of challenges unfamiliar to enterprise security practitioners and leaders, whose employees and partners are all contractually bound in some way, shape, or form to the organization.
As businesses’ boundaries and perimeters continue to expand—or evaporate—in new and sometimes surprising ways, enterprise security teams can extract lessons learned from university colleagues.
Jon Allen, now Assistant Vice President and CISO at Baylor University in Waco, TX, has worked in the security department at Baylor since 2003. He recently shared some of his experiences running a small but highly motivated team at the university, providing tidbits of information applicable to any enterprise security organization.
Universities/colleges have a particular set of challenges when it comes to managing and securing information. Given the diverse groups on and networked into campus, each of which requires its own access, how do you handle this security quagmire?
The key, as we are now seeing in industry, is to not use a monolithic, one-size-fits-all approach to security. I tend to view the university as a city. If you follow out the metaphor, any city includes low security areas such as public parks and roads, medium security areas such as homes or retail shops, and high security areas such as banks and jails. For each of these categories the security team completes a risk assessment to make sure the controls put in place align with the given risk.
The analogy is directly applicable when we talk about information security at a university campus. We have baseline laws that govern all areas, and then for areas of medium or high risk, additional controls are put in place to minimize the residual risk.
Aside from the obvious—faculty, staff, and students—what areas are you talking about?
Alumni, donors, media, federal agencies, granting organizations, research collaborators. It’s much more diverse than a lot of people realize. It seems that every month I hear about a new type of group needing some access to information resources. Enterprise security teams surely are seeing a similar situation in today’s landscape. With cloud technology driving so much of the business, there are definitely parallels.
Is one group of end users within the university environment more prone to pose risk than others?
I think, in general, staff pose the highest risk only because they have the most access to data that would be considered inherently private—student and faculty PII and data about class schedules and whereabouts, financials, and campus-related events.
How do you go about mitigating those risks?
There is no silver bullet that mitigates risks. The recent trend of security professionals talking about isolating but not stopping breaches is concerning. For me, the key to better risk management and security in general is a multi-pronged approach. It includes all of the technical controls you would expect, combined with threat intelligence from the higher education community, as well as a strong user awareness program. Any one of these components will help, but in combination they give us the best chance to try to prevent, and in the worst case, limit a breach.
You’ve been at Baylor for a long time; how have you seen information security change over time? Even though there are more risks, are end users more security-minded now?
I think users are more aware that scams, phishing, and other attacks occur. I think they feel even more helpless as the attacks are getting sophisticated enough that it is becoming hard for even technical staff to detect some of them.
What are some of the threat vectors specific to the education sector?
The biggest unique threat in education over the last year seems to be direct deposit fraud. I have not heard of these scams taking place in the private sector but sadly they are occurring at a rapid rate in higher education. [Editor’s note: Direct deposit fraud occurs when a criminal is able to pilfer an account holder’s banking information—account number and routing number—and uses it to reroute incoming direct deposit checks. The most likely way to obtain this information from the intended victim is through phishing.]
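One defensive control the editor's note points toward, written here as an added example (not from the interview, Baylor, or any payroll product): review direct-deposit changes that closely follow a credential reset or that come from an address with no established login history for that account. The event log, its field layout, and the 24-hour and 30-day windows are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real data).
# Each record: (ISO timestamp, user, event type, source IP)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "jdoe", "login", "10.1.4.22"),
    ("2024-03-02T09:10:00", "jdoe", "login", "10.1.4.22"),
    ("2024-03-05T22:41:00", "jdoe", "login", "203.0.113.77"),
    ("2024-03-05T22:43:00", "jdoe", "password_reset", "203.0.113.77"),
    ("2024-03-05T22:50:00", "jdoe", "direct_deposit_change", "203.0.113.77"),
    ("2024-03-03T10:00:00", "asmith", "login", "10.1.7.5"),
    ("2024-03-04T10:30:00", "asmith", "direct_deposit_change", "10.1.7.5"),
]

RECENT = timedelta(hours=24)   # assumed tuning value: "recent" reset / "new" IP
HISTORY = timedelta(days=30)   # assumed tuning value: how far back to build IP history


def _ts(s):
    return datetime.fromisoformat(s)


def flag_direct_deposit_changes(events, recent=RECENT, history=HISTORY):
    """Return [(user, timestamp, [reasons])] for direct-deposit changes that
    (a) follow a password reset within `recent`, or (b) come from an IP with
    no login older than `recent` among the user's last `history` of events.
    Only events before the change are consulted, so it also works on a stream."""
    ordered = sorted(events, key=lambda e: e[0])
    findings = []
    for i, (ts, user, event, ip) in enumerate(ordered):
        if event != "direct_deposit_change":
            continue
        when = _ts(ts)
        prior = [e for e in ordered[:i]
                 if e[1] == user and when - _ts(e[0]) <= history]
        reasons = []
        if any(e[2] == "password_reset" and when - _ts(e[0]) <= recent for e in prior):
            reasons.append("password reset shortly before change")
        # IPs the user logged in from more than `recent` ago count as established
        established = {e[3] for e in prior
                       if e[2] == "login" and when - _ts(e[0]) > recent}
        if ip not in established:
            reasons.append("change from IP without established login history")
        if reasons:
            findings.append((user, ts, reasons))
    return findings


if __name__ == "__main__":
    for user, ts, why in flag_direct_deposit_changes(SAMPLE_EVENTS):
        print(f"REVIEW {user} @ {ts}: {'; '.join(why)}")
```

In the constructed log, jdoe's change is flagged on both counts while asmith's routine change from a long-used address is not; a flagged change would go to a hold-and-verify step rather than straight to payroll.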
Educational institutions aren’t known for having the largest staff or the biggest budgets. What is your advice for other resource-limited organizations?
When I talk to small teams or new security staff, the main thing I tell them to focus on is the basics. Take care of the “blocking and tackling,” to use a sports analogy. As we have seen in the past year, many of the reported breaches could have been prevented or significantly limited with good patching, password policies, and timely account deprovisioning. These are all controls we take for granted. And we clearly should not.