Higher education institutions are especially vulnerable to cyberattacks. When in doubt, assume there has been a breach.
Data is a higher education institution's crown jewel, and attackers are constantly looking for ways to hack into institutional systems and gain access to it.
While bad actors are a threat in all industries, higher education is particularly vulnerable due to a lack of resources and expertise, deferred maintenance, and the sheer number of users accessing an institution's network for diverse purposes. In this dynamic digital landscape, higher education IT departments must know how to enhance their institution's security posture to avoid becoming the latest headline victim of a cybersecurity attack.
In this article, we'll walk through how educational institutions can create effective threat response strategies—and why having one in place is so important.
Key Components of a Successful Higher Education IT Threat Response Strategy
A decade ago, a higher education threat response strategy was fairly straightforward. A perimeter firewall and antivirus software, backed by rudimentary backup and disaster recovery plans, were usually considered enough.
Although some organizations still rely on this outdated strategy, the overall approach has shifted. Rather than reacting to incidents after the fact, higher education institutions must pivot to a proactive, holistic threat-response strategy.[1]
Preventative Security Assessments
When it comes to threat response, preventing every intrusion is nearly impossible (more on this later), but institutions can detect intrusions quickly, respond by containing the blast radius, and recover from immutable backups. Rather than waiting for an attack, higher education IT teams can get ahead of it by protecting institutional data and users.
Start at the edge and work inward. Fortify the institution's firewall and VPN appliances by keeping them patched to current versions and auditing their configurations; these edge devices have been repeatedly targeted by attackers exploiting unpatched vulnerabilities.[2] Keep any publicly exposed applications patched and put a web application firewall (WAF) in front of them to protect against Layer 7 attacks. Implement robust data protection measures by retiring legacy protocols (SSL and TLS 1.0 and 1.1) and requiring TLS 1.2 or later for data in transit, so that sensitive information such as student records, research data, and faculty credentials is protected on the wire. Data at rest should also be encrypted to limit the impact of a breach or exfiltration. Together these controls support compliance with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which requires institutions that handle student financial data to maintain documented safeguards for that information; encryption alone does not satisfy the rule, but it is a core element of the required program.
After the institution's network edge and data, end users are the next target. If adversaries can't get through the firewall or WAF and can't breach the application, they will try to compromise users directly, most often through social engineering such as phishing.
Zero Trust Principles
To combat threats against users' identities, higher education institutions should apply Zero Trust principles to all end users, from applicants to professors to the university president, as outlined in National Institute of Standards and Technology (NIST) Special Publication 800-207, Zero Trust Architecture. The model starts from the premise that trust is never assumed: every access request is authenticated and authorized on its own merits, regardless of where it originates, under the working assumption that the network is already breached.
Many institutions are wary of implementing a Zero Trust framework—not because they don't believe in its effectiveness—but because of its substantial costs, complexity, and resource-intensive setup. However, the time and expense associated with setting up Zero Trust more than pay for themselves in the long run—especially if it results in avoiding a costly ransomware attack.
Here are some tactics to consider:
- Multifactor authentication. Institutions should prioritize putting multifactor authentication (MFA) in place for identity verification. A one-time code from an authenticator app on the user's phone is a simple starting point. Codes sent by SMS are a weaker option, since they can be phished or intercepted through SIM swapping; phishing-resistant factors such as FIDO2 security keys or passkeys close that gap and are worth prioritizing for administrative and privileged accounts. MFA can save colleges and universities thousands of dollars and countless headaches. Without it, institutions are more exposed to data breaches, with the substantial legal fees, regulatory fines, and data recovery expenses that follow, and user accounts are more easily taken over through phishing and credential-stuffing attacks. Recovering compromised accounts and investigating security incidents is time-consuming and resource-intensive for already burnt-out IT teams.
- Role-based access control. Users should only be able to see the information they need when they need it. Faculty members, for example, should only have access to student grades and records relevant to their courses. These permissions should be set up accordingly when a new user registers in the system and should follow the principle of least privilege.
- Backups. Consider immutable backups of institutional data as a last line of defense against ransomware attacks. Keeping a write-once (immutable) copy in storage that is isolated from production systems and production credentials ensures that critical data can't be altered or deleted, even if the primary systems and the accounts that manage them are compromised. Restores should be tested on a schedule, because an untested backup is an assumption, not a control. With that in place, IT teams can recover from a ransomware attack without paying, and can spend their time on proactive security measures and strategic planning rather than cleaning up after cyberthreats.
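The MFA and role-based access control items above combine into a single deny-by-default access decision. The following is an added example written for this article, not code from Boldyn Networks or from any institution's records system; the `Session` claims (including an assumed `mfa_verified` claim from the identity provider), the role names, and the `CourseGrade` record are illustrative assumptions about what a campus identity provider and student information system expose.

```python
"""Deny-by-default access decision for a campus grades system.

Added example for this article, not code from Boldyn Networks or from any
institution's records system. Session claims, role names and the grade
record are assumptions about what a campus identity provider and student
information system expose.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Claims the identity provider asserts about the current request."""
    user: str
    roles: frozenset[str]       # e.g. {"faculty"}, {"student"}, {"registrar"}
    mfa_verified: bool          # assumed claim: a second factor was completed
    teaches: frozenset[str] = frozenset()  # course codes the user instructs


@dataclass(frozen=True)
class CourseGrade:
    """The resource being accessed: one student's grade in one course."""
    course: str
    student: str


GRADE_ACTIONS = frozenset({"read_grade", "write_grade"})

# Every action on grade data requires a verified second factor, whatever the
# role: a phished password on its own must never be enough.
MFA_REQUIRED_ACTIONS = GRADE_ACTIONS


def _role_scope_allows(session: Session, action: str, grade: CourseGrade) -> bool:
    """Explicit, scoped grants only; anything not listed here is denied."""
    if "registrar" in session.roles:
        # Institution-wide by design, which is exactly why the MFA gate matters.
        return action in GRADE_ACTIONS
    if "faculty" in session.roles and grade.course in session.teaches:
        # Faculty see and edit grades only for the courses they teach.
        return action in GRADE_ACTIONS
    if "student" in session.roles and grade.student == session.user:
        # Students may read their own grade and never write any grade.
        return action == "read_grade"
    return False


def decide(session: Session, action: str, grade: CourseGrade) -> tuple[bool, str]:
    """Return (allowed, reason).

    Authentication strength is checked before role scope, so a weakly
    authenticated session learns nothing about which records would
    otherwise be in scope for it.
    """
    if action in MFA_REQUIRED_ACTIONS and not session.mfa_verified:
        return False, "mfa_required"
    if not _role_scope_allows(session, action, grade):
        return False, "out_of_scope"
    return True, "granted"


if __name__ == "__main__":
    # Constructed sample principals and record; no real accounts involved.
    grade = CourseGrade(course="CS101", student="stu.bob")
    cases = {
        "instructor, MFA":    Session("prof.ada", frozenset({"faculty"}), True, frozenset({"CS101"})),
        "instructor, no MFA": Session("prof.ada", frozenset({"faculty"}), False, frozenset({"CS101"})),
        "other faculty":      Session("prof.cyd", frozenset({"faculty"}), True, frozenset({"MATH200"})),
        "the student":        Session("stu.bob", frozenset({"student"}), True),
        "another student":    Session("stu.eve", frozenset({"student"}), True),
        "registrar":          Session("reg.kim", frozenset({"registrar"}), True),
    }
    for label, sess in cases.items():
        for action in sorted(GRADE_ACTIONS):
            print(f"{label:20} {action:12} -> {decide(sess, action, grade)}")
```

The order of the two checks is deliberate: the second-factor requirement is evaluated first, so the same "mfa_required" answer comes back whether or not the record would have been in scope, and the scope check only ever returns a grant for a rule that names the role, the action, and the relationship between the user and the record.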
Recovery and Monitoring
No matter how prepared IT teams are, incidents will happen, and recovery can be brutal. According to IBM, a breach takes an average of 207 days to identify and a further 70 days to contain, for a total of 277 days during which an adversary has a foothold in the environment.[3]
So, how can an institution minimize disruption from a cyberattack?
As with preventative measures, Zero Trust principles are a good place to start. Even when there isn't an identified threat, assume the institution has been breached. That assumption drives the continuous monitoring and proactive hunting that make early detection possible, and it helps institutions identify and contain threats before they become a major incident.
Here are some additional measures institutions can take.
- Implement endpoint detection and response. Endpoint detection and response (EDR) agents continuously collect telemetry from workstations and servers (process execution, file and registry changes, network connections) and can isolate a host when they detect malicious activity. Extended detection and response (XDR) broadens that correlation to identity, e-mail, network, and cloud signals. Both rely on behavioral analytics, including user and entity behavior analytics, and machine learning to surface threats that signature-based antivirus misses.
- Seek expert assistance. For resource-strapped institutions, leveraging external expertise for improved response capabilities can be a game-changer. Services like Boldyn Networks Virtual Chief Information Security Officer (vCISO) provide fractional CISO support that helps guide and implement cybersecurity strategies and threat-response plans efficiently—without needing to hire a full-time cybersecurity expert.
- Restore from a backup. If all else fails, the backups described above will let the institution recover. Make sure they exist, are isolated from production systems, and have been restore-tested.
Ongoing Monitoring
After implementing robust protection measures and response plans, continuous monitoring and threat intelligence become critical components of maintaining a strong cybersecurity posture. Continuous monitoring involves actively observing and analyzing network traffic, user activity, and system logs to detect any suspicious or malicious behavior in real time. This proactive approach allows institutions to identify potential threats early and take immediate action to mitigate risks.
Instituting 24/7 monitoring also demonstrates a commitment to ongoing improvement and readiness in addressing evolving cybersecurity challenges for everyone on campus.
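The detection logic behind the EDR/XDR and continuous-monitoring points above, reduced to its log-analytics core. This is an added example for this article, not code from Boldyn Networks or from any monitoring product; the single-sign-on log format, the field names, the thresholds, and the log lines themselves are constructed for illustration. It flags two patterns that identity telemetry exposes: a password spray (one source failing against many accounts) and an account that succeeds from a never-before-seen source right after a run of failures.

```python
"""Two detections over constructed single-sign-on authentication logs.

Added example for this article, not code from Boldyn Networks or from any
monitoring product. The log format, field names, thresholds and sample
lines are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: baseline logins from each user's usual address,
# then a spray from 198.51.100.7, then that address succeeding for stu.bob,
# then a legitimate user mistyping a password from their usual address.
SAMPLE_LOG = """\
2024-10-08T08:00:01Z sso auth user=stu.bob ip=192.0.2.10 result=OK
2024-10-08T08:00:05Z sso auth user=prof.ada ip=192.0.2.11 result=OK
2024-10-08T08:00:09Z sso auth user=stu.cyd ip=192.0.2.12 result=OK
2024-10-08T09:10:00Z sso auth user=stu.bob ip=198.51.100.7 result=FAIL
2024-10-08T09:10:02Z sso auth user=prof.ada ip=198.51.100.7 result=FAIL
2024-10-08T09:10:04Z sso auth user=stu.cyd ip=198.51.100.7 result=FAIL
2024-10-08T09:10:06Z sso auth user=stu.dee ip=198.51.100.7 result=FAIL
2024-10-08T09:10:08Z sso auth user=reg.eve ip=198.51.100.7 result=FAIL
2024-10-08T09:11:00Z sso auth user=stu.bob ip=198.51.100.7 result=FAIL
2024-10-08T09:11:30Z sso auth user=stu.bob ip=198.51.100.7 result=FAIL
2024-10-08T09:12:00Z sso auth user=stu.bob ip=198.51.100.7 result=OK
2024-10-08T09:20:00Z sso auth user=prof.ada ip=192.0.2.11 result=FAIL
2024-10-08T09:20:10Z sso auth user=prof.ada ip=192.0.2.11 result=FAIL
2024-10-08T09:20:20Z sso auth user=prof.ada ip=192.0.2.11 result=FAIL
2024-10-08T09:20:30Z sso auth user=prof.ada ip=192.0.2.11 result=OK
not an auth line
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sso auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Return time-ordered (timestamp, user, ip, result) tuples; skip non-auth lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["result"]))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source IP -> peak number of distinct accounts it failed against within `window`."""
    fails_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):          # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = {u for _, u in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


def detect_suspicious_success(events, window=timedelta(minutes=30), min_fails=3):
    """Flag a success that follows >= min_fails recent failures for the same account
    and comes from an IP that has never successfully authenticated that account.
    Earlier successes in the same log seed the per-user set of known IPs."""
    known_ips = defaultdict(set)
    recent_fails = defaultdict(list)
    alerts = []
    for ts, user, ip, result in events:
        if result == "FAIL":
            recent_fails[user].append(ts)
            continue
        fails = [t for t in recent_fails[user] if ts - t <= window]
        if len(fails) >= min_fails and ip not in known_ips[user]:
            alerts.append((user, ip, ts.isoformat(), len(fails)))
        known_ips[user].add(ip)
        recent_fails[user] = []
    return alerts


def analyze(log_text: str) -> dict:
    events = parse(log_text.splitlines())
    return {
        "password_spray": detect_password_spray(events),
        "suspicious_success": detect_suspicious_success(events),
    }


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

In the sample, prof.ada's three failures followed by a success from a known address produce no alert, while stu.bob's success from the spraying address does; the second detector is the one that would have caught the compromised account on the day it happened rather than months later. Thresholds and windows are tuning decisions for the institution's own log volume, not fixed values.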
Staying Current with Security Threats
While network breaches happen every day, the good news is that lessons can be learned from them.
The MITRE ATT&CK framework is a public knowledge base of adversary tactics, techniques, and procedures drawn from real-world intrusions. It also profiles known threat groups and the techniques each has been observed using, so IT teams can map their detections and mitigations to the behaviors attackers actually exhibit rather than to yesterday's malware signatures.
Staying informed about recent attacks and application vulnerabilities is another great way to learn about potential threats before they impact the institution. The Krebs on Security blog is a good place to start.[4]
Learning about the sheer number of threats in cyberspace is overwhelming, let alone responding to them before it's too late. Partnering with an industry expert like Boldyn Networks provides invaluable support and guidance, helping institutions proactively address challenges and stay ahead of potential cybersecurity risks.
Collaborating with Academic Departments
Don't overlook the interpersonal aspect of a strong threat response strategy. Though IT teams need technology to defend their networks, building solid partnerships and communicating with various academic departments in the institution are important too.
These collaborations give IT teams a more comprehensive understanding of potential threats specific to educational activities, research projects, or administrative functions. They also facilitate a smooth, coordinated response to future security incidents and accelerate security training across the institution.
Common Threat Response Pitfalls to Avoid
Developing a threat response strategy can be daunting for CIOs, especially when they have so much on their plate. CIOs are likely grappling with budget constraints, staff shortages, and complex IT environments—complicating the implementation of a robust cybersecurity strategy.
This article has already covered some cybersecurity best practices, but it's equally important to highlight what not to do.
Overlooking a Data Backup Strategy
It can't be overstated: Having a backup of the institution's data is paramount. If all else fails, a restorable backup means the institution does not have to pay an attacker to get its data back. A backup does not undo data theft, however, so encryption at rest and monitoring for exfiltration still matter in a double-extortion scenario. If colleges and universities don't have proper backups in place, and don't test them frequently, they not only risk losing critical information in a cyber incident, but they also may face regulatory, financial, and legal consequences.
Inadequate Security Measures
Institutions without in-house security expertise, or with limited resources to allocate to their security posture, are vulnerable to cyberattacks. Inconsistent patching and system and software updates, limited encryption of data at rest or in transit, poor endpoint management, and little to no security awareness training are just a few examples of practices (or the lack of them) that increase the risk of a security breach.
Insufficient User Awareness and Training
Neglecting to educate faculty, staff, and students about cybersecurity best practices can have severe consequences. Helping students understand why they're asked to add an authenticator app to their phones creates a more security-conscious culture. Training everyone on campus about the importance of data protection and how to identify bad actors can reduce the risk of human error and lessen the likelihood of successful cyberattacks.
Embracing Proactive Threat Response for a Resilient Higher Education Landscape
Higher education institutions must move beyond mere compliance and reactive measures. Zero Trust principles are the gold standard for safeguarding sensitive data. Implementing a Zero Trust framework can help to preserve the institution's reputation and maintain smooth operations amid evolving cyberthreats.
People, processes, and technology create the framework for safeguarding the institution's IT environment. Training and empowering people—staff, students, and other campus stakeholders—to recognize and react to security threats are essential. Building on that training and awareness with processes that guide actions and decision-making is equally important. Finally, leveraging technology—the tools and systems used to protect data and infrastructure—ensures a comprehensive approach to security posture.
For institutions that lack the resources to build this capability in house, utilizing external expertise through managed services is a viable option. Managed detection and response (MDR) and other next-generation security technologies are complex, time-consuming, and costly to set up, especially if it's the IT team's first time doing so.
Boldyn Networks security services help close gaps in security expertise and offer IT organizations cost-effective strategies for protecting sensitive data on their campuses.
Learn more about how Boldyn Networks helps higher education institutions fortify their campus IT security posture today.
Notes
1. Purandar Das, "Beyond Compliance: Why A Proactive Security Approach Is Imperative," Forbes, July 6, 2023.
2. Cybersecurity & Infrastructure Security Agency (CISA), Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways, cybersecurity advisory (Arlington, VA: February 29, 2024); CISA, Cisco Releases Security Updates Addressing ArcaneDoor, Vulnerabilities in Cisco Firewall Platforms, alert (April 24, 2024).
3. "Data Breach Action Guide," IBM (website), accessed April 1, 2024.
4. See, for example, "Patch Tuesday, October 2024 Edition," Krebs on Security (blog), October 8, 2024.
Jacob Picart is Vice President, Security Services, Boldyn Networks.
© 2024 Boldyn Networks.