A flurry of cyber security incident headlines this summer is illustrating a growing threat facing nearly every higher education institution in North America. Notable incidents included news this spring that Penn State University's entire Engineering School had to be taken offline for an extensive investigation and clean-up of its network and systems. That incident was followed in August with similar news from the University of Virginia (UVA) of a targeted cyber attack against two officials whose work was connected with China.
The news this summer that Harvard University suffered a modest hack affecting user credentials in eight schools caused little surprise, nor did news recently that Rutgers University is spending millions this year to strengthen its security in the wake of a series of denial of service (DoS) attacks against its networks and servers.
None of this comes as a surprise. But not because of anything Penn State, UVA, Harvard, Rutgers, or other institutions may have done wrong — odds are pretty solid that their security is no worse (and may even be far better) than most other North American universities and colleges.
No, the news about these incidents isn't a surprise because schools across North America are under a relentless assault from malicious actors of all kinds, from script kiddies looking to grow their skills to large organized cybercriminal syndicates to nation-state entities. According to the New York Times, Penn State alone dealt with more than 20 million hostile attacks on an average day last year.
Having attended the EDUCAUSE 2015 Security Professionals Conference along with security experts from some of the biggest schools in North America, I can say with confidence that the entire higher education sector is battling the same challenges, with mixed success.
Why Are Universities and Colleges a High-Priority Target?
- They are easier to attack and exploit than other entities.
- They retain hundreds of thousands if not millions or tens of millions of personal records with enough personally identifiable information (PII) to create credit files.
- They store valuable research and intellectual property.
- They often have access to third-party research, intelligence, or intellectual property (government, private sector, etc.).
- They provide a route into more secure organizations that are watching their cyber front doors.
- They are an excellent platform to use to attack others (high-speed networks and massive computation capability available).
And on top of being high-priority targets in this massive cyber siege, they're also the most difficult networks and systems to defend.
Universities and colleges are among the most difficult environments because they are the pioneers of the modern Internet and have legacy systems, approaches to security, and most importantly cultures that predate our current hostile Internet environment by decades. They're also the birthplace of BYOD and often operate in highly decentralized IT environments. And universities and colleges aren't the kinds of institutions that adjust to change rapidly.
As well, in the typical fiscal environment for most public universities and colleges in North America today, it can be a tough sell when talking about the kinds of major investments required to improve their defensive posture when they must cut expenditures and negatively impact the classroom due to decreased public funding or enrollment.
The Extent of the Siege
I know what it's like to be on the front lines of cybersecurity at a university. It's what I do every day with team members in the Information Technology Services (ITS) department at the University of New Brunswick (UNB), Canada.
UNB is one of North America's oldest public English-language universities, with roots going back to 1785. We have two main campuses — the founding campus in Fredericton, New Brunswick, and a rapidly growing sibling campus in the port city of Saint John — with 11,000 students and about 2,000 faculty and staff. UNB has been a technology pioneer in IT for decades, helping bring the Internet to our namesake province, and were the first university in Canada to create a faculty of computer science.
Every day our Fredericton campus experiences millions of attempts to breach the network. In a typical week this year we've seen as many as 83 attempts a second to remotely intrude on systems on our network (or about 51 million a week). Our servers are constantly scanned for vulnerabilities, with more than 360,000 such probes in a typical week. The vast majority of these attempts are highly automated attacks that can be dealt with fairly easily, but in some cases the sheer volume of these attacks against a small subset of targets can result in small-scale intrusions, which if not addressed quickly can cause havoc.
We are bombarded with phishing attempts and malware. In a typical year, our automated defensive technologies deal with hundreds of thousands of copies of malware sent to UNB faculty and staff.
Other tools such as our desktop antivirus software are doing a solid job of defeating most garden-variety malware, but it's not perfect. Thanks to advanced security tools such as IBM's Qradar SIEM, Trend Micro's Deep Discovery Inspector advanced threat detection platform, and reporting from our Kaspersky AV system, we know that our malware defenses are 97–98 percent effective.
That still creates a potentially hazardous situation for us.
It leaves the potential for dozens of incidents every day if our automated defenses such as desktop anti-virus fail to detect and prevent threats and malware can take root, opening us up for further exploitation and attack.
We're doing our best with processes to combat this on a daily basis, but it's the modern equivalent of cybersecurity Whack-a-Mole.
Shifting to a Winning Strategy
Thanks to UNB's security protection and intelligence tools, we're more fortunate than many other schools our size in that we have a solid understanding of our daily threat environment.
We're also maturing in our approaches to immediate and long-term security threats. To do that, we're using the data and trends from these tools to help us define a new security strategy that includes policy work, new technology investments, and resource investments (particularly in people), as well as security awareness and culture change efforts.
Our CIO, Terry Nikkel, outlined the scope of these efforts in a September management briefing note.
As part of this comprehensive effort, UNB is approaching future systems and technologies with an eye to a seamless, highly integrated holistic security approach that will see tools transfer threat information to each other in order to take automated action. This approach, which I've been calling a digital immune system model, is likely the only way for us to combat the deluge of threats we face.
We simply don't have the person power (nor would such staffing ever be likely practical or feasible) to combat these threats on a human scale. Take detection of unique or so-called zero-day malware, for example. In a typical month Deep Discovery's virtual analyzer sandbox environment can check as many as 5,000 files; it usually discovers about 10 percent to be malicious. That kind of analysis, if done by a person, would take about 15,000 hours or, for all intents and purposes, would simply be impossible. But to be clear, our evolving strategy will depend just as much on advancing policy and processes, including data governance, as it does on new security investments and on educating our community about threats and making our cybersecurity culture more resilient.
A Delicate Balance
While we're moving as quickly as possible in our environment, we still have to balance our security strategy against the overall IT strategy for the university. As a security professional, one of the key things I've learned in the past year is that the key to success is using intelligence not only for tactical and strategic responses but also for risk management and prioritization.
There's also a delicate balance when it comes to security tool selection. While there are some definite, tangible benefits to using a single vendor's integrated security suite, organizations should carefully weigh those advantages (which in many cases also include cost advantages) against the need to diversify technologies to ensure different approaches to threat detection and increase the odds of successfully defeating threats.
However, too diverse an ecosystem with security tools that don't work together creates manual processes (or no processes) for sharing intelligence, which significantly slows threat response.
The Need (and Hope) for a Stronger National Cybersecurity Strategy in Canada
In Canada, there are hopeful signs that the federal government is interested in working with higher education on cybersecurity, whether at the tactical level through support from the Canadian Cyber Incident Response Centre or in potential longer term investments in security through existing national groups.
I'm encouraged by this, as it will take a national (and eventually international) approach to intelligence sharing, threat detection, and threat response to truly end the cyber siege of our universities and colleges.
There are lessons for Canada to learn from the U.S. experience as we evolve our national cybersecurity strategy. In the U.S., the FBI has established itself as a well-resourced, robust national response organization and is actively aiding several institutions in their investigations and efforts. The FBI is also partnering with the U.S. Secret Service to help improve state and local law enforcement cyber capabilities.
However, in Canada, I've seen first-hand the challenges of jurisdictional overlap between our federal police force, the Royal Canadian Mounted Police, and the local police force responsible for the university. As well, even at the federal level our policing resources are swamped dealing with other heinous cybercrimes, including child sexual exploitation and more. The local police force in turn simply lacks the person power, budget, and skills necessary to aid in complex cybercrime investigations.
However, with increased attention at the federal level to cybersecurity, there's some hope that things will continue to improve in Canada.
David Shipley helps build and execute strategies designed to reduce cost, improve productivity, boost revenue, and protect technology assets and information. As the director of Strategic Initiatives within Information Technology Services at the University of New Brunswick, He is responsible for finding creative solutions to complex organizational technology problems, turning these challenges into sources of competitive advantage. Shipley has a bachelor of Arts in Information and Communications Studies and a master's of Business Administration from UNB. A Canadian Forces veteran, he was also named as one of Atlantic Canada's top 50 entrepreneurial leaders under 40 in 2015.
© 2015 David Shipley. This EDUCAUSE Review article is licensed under the Creative Commons BY-NC-SA 4.0 International license.