Universities are a treasure trove of information that goes far beyond just student information. According to David Sherry, CISO of Brown University, the job of a university CISO can be compared to securing a small city. Apart from the need to protect students, faculty and staff, information related to applicants, alumni, parents, donors, summer school students, visiting scholars and sports groups needs to be considered. Then there are ancillary services such as residential and catering, hospital, police, entertainment and athletics to be considered. Each has its own unique area where security comes into play.
As an Ivy League university, brand and reputation are of paramount importance to Brown. As Sherry said, Brown would rather be on the front page of the news for producing the next Nobel Prize winner than for a damaging breach. But this could be at odds with its goals of academic freedom and collaboration, with information sharing highly prized.
A Prime Target for Attackers
According to Sherry, the vast amount of information produced and collected by the university makes it a prime target for attackers. Every day, it is bombarded with 50,000 to 60,000 attacks, with brute-force and distributed denial-of-service (DDoS) attacks, as well as phishing attempts, among the most common. Constant security awareness training is necessary. But Sherry brushes off such strikes as “digital door-rattling” rather than targeted attacks, stating that very few of them are successful.
Security problems are exacerbated by high levels of bring-your-own-device (BYOD) since mobile devices are not supplied to students. It is not uncommon for each student to own 10 or even 15 devices. Sherry says this is something that the higher education sector has been dealing with for an extremely long time — and to a greater degree than enterprises.
As well as completing awareness training, students are expected to abide by Brown’s acceptable use policies. They are also required to register before accessing resources, and authentication and authorization controls are stringent.
Security Measures Are Holistic, Robust and Scalable
Among the reasons for the low level of attack success is that Brown takes rigid security measures to protect students’ information and that of others in the campus community. Sherry states that the security measures Brown implements are holistic, robust and scalable. It deploys a wide range of security controls, including intrusion detection and prevention systems, firewalls, email alerts, file integrity monitoring, data exfiltration systems and dedicated personnel in the security operations center who are constantly monitoring for anomalous traffic and performing risk and compliance assessments.
Compliance assessments are essential since higher education is covered by many regulations. Of these, the one most specific to this sector is the Family Educational Rights and Privacy Act (FERPA), which governs the security and privacy of student information, including education records, enrollment and even billing information. Higher education institutions must also take copyright extremely seriously — something made harder by widespread use of file sharing sites such as Box and Dropbox.
Although there are no restrictions on the use of such sites, Brown’s restricted data policy clearly spells out what can and cannot be shared on different systems and sites, and it harvests the email addresses of Brown community members using such sites. The university is currently investigating the possibility of providing its own collaboration platform to all users, placing a priority on both security and potential risks to its reputation.
Access controls are stringent to ensure that sensitive data is protected, with particular attention paid to privileged user access to satisfy segregation of duty requirements and to ensure no one person has excessive access rights. Recently, the university has been rolling out two-factor authentication, which Sherry believes will help to reduce the number of threats encountered by a large margin. This strong authentication rollout began with faculty and staff members and is now continuing among the student population.
Returning to the analogy of securing a small city, one of the characteristics of universities is that they tend to be decentralized. Because of this, Brown operates a highly segmented network architecture, with internal firewalls, network security zones and demilitarized zones (DMZs) used to segment traffic. The protected areas of the network can only be accessed when on campus, or off campus with a user’s virtual private network (VPN) credentials to determine access rights so they may only access areas of the network for which they have entitlements.
To protect student information outside of classrooms and research labs, the residential network is completely separated via a firewall. In this way, Brown is really taking on the role of an ISP so that it is protected at all hours. That is necessary for students, especially since Sherry states that the amount of traffic between 11 p.m. and 4 a.m. is mind-boggling.
A Culture of Information Sharing Among Peers
Information sharing among peers in the same industry remains a pipe dream for many. Various governments are attempting to promote information sharing, including the EU, which published a Good Practice Guide for Network Security Information Exchanges in 2009, and the U.S. government, which published a Guide to Cyber Threat Information Sharing in October 2014, detailing both the benefits and the challenges of information sharing. The following month, it passed the National Cybersecurity Protection Act, which aims to promote information sharing among federal and private sector entities.
Sherry, who has worked both in government and the financial services sector, states that he has never seen information sharing to the extent that it is practiced in higher education. Among universities, there is a culture of constant information sharing among peers — helped by the fact that, although they may compete for a small population of students, they are not otherwise in direct competition with each other. When an incident occurs at one institution, information is immediately shared with other universities.
Conferences provide a key forum for information sharing, with much more information shared than at regular security conferences, and peers will often discuss potential security vendors amongst themselves, sharing details of how well they perform and how fit for purpose their products and services are. Sherry states that this culture of information sharing is one of the coolest things about higher education, making universities more secure and their security posture more cutting-edge.
The central mission of all universities is to make higher educational successful so that students can reach their full potential. All universities want to ensure that they are as secure as possible and, by sharing information amongst themselves, no institutions will get left behind. This is one of the main reasons that Sherry, as a CISO, is looking forward to spending the remainder of his career in the higher education sector.