New York-based university chief information security officers (CISOs) broke down a range of cyberattack threats that their schools are facing at the New York State Chief Information Officers (NYSCIO) 2021 Conference on July 14, including how to prepare for attacks from different quarters, and respond to them.
Speaking on the same panel were Christine Whalley, director of information security at Barnard College, Michael Behun, CISO at Binghamton University, and Aldwin Maloto, CISO at the Rochester Institute of Technology (RIT).
As the session program indicated, it’s no secret that higher education has become an appealing target for cyberattacks. This is due not only to security funding challenges but also to the fact that colleges maintain significant and sensitive personal data, financial information on students, faculty, and alumni, as well as critical research and other confidential information.
According to a recent article in Inside Higher Ed, “A group of cybercriminals is increasingly targeting colleges, schools, and seminaries and attempting to extort them, the FBI’s Cyber Division has warned.” Incidents of ransomware, data breaches, spoofing, and phishing are becoming more sophisticated and prevalent every day, bringing significant disruption to college campuses.
Colleges are all dealing with threats, with varying levels of tools, skills, and playbooks at their disposal, Whalley said, adding, “There is a nagging question that looms in the back of your mind. Do I have what I need to respond to this scenario?”
Whalley admitted that few in her community of university security leaders have all the answers, or have been able to fully implement all security incident response plans necessary for their institutions. “Unfortunately, there’s no single relevant road for us to follow, but there is a common framework that we all need to address to improve our odds against the various actors in fraudulent activities that increasingly attack our institutions,” she said.
Whalley led the panel’s discussion along the lines of the National Institute of Standards and Technology’s (NIST) incident response framework, NIST Special Publication 800-61, because it is organized into four relatively easy-to-understand buckets: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Behun covered the first stage, preparation, and explained that this is the stage everyone wants to do but often doesn’t have time to devote to. Along with that, preparation isn’t a one-time event but something that must be continuous. “One of the big things is prioritization, and how do you convince institutional leaders to make cybersecurity a priority by granting IT professionals and departments the resources to proactively protect the campus,” he said.
One method Behun recommended for getting institutional leaders to see the value of working proactively is to explain that it costs much less to address something early than to clean up after an incident later.
In addition to leadership commitment, Behun recommended running through basic scenarios or realistic exercises, starting simple, and putting in controls and procedures.
“Look for any current campus disaster or emergency operation plans that you can dovetail in your incident response preparation,” he said. Then, officials should develop a pre-planned call tree establishing who should be notified based on criteria such as incident severity, impacted systems, and time elapsed.
Behun could not emphasize enough the importance of rehearsing these procedures through scenario training. “If the FBI is on your call list as it should be, when you call for real, it should not be the first time you ever called them. Reach out before to ascertain protocols, you’ll be glad you did,” he said.
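The call tree Behun describes keys notifications on incident severity, impacted systems, and time elapsed. As an added example (not code from the panel or from Binghamton University), the escalation logic below shows how those three criteria combine, including the time-based escalation that pulls in senior leadership when an incident stays open too long. The roles, the contact roster, the system-to-owner map and the thresholds are constructed for illustration and would come from the institution’s own plan.

```python
"""Escalation call tree keyed on severity, impacted systems and time elapsed.

Added example, not the panel's or any named institution's code. Every role,
contact, system name and threshold below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed contact roster: role -> where the call actually goes.
ROSTER = {
    "soc_oncall": "SOC on-call pager",
    "ciso": "CISO",
    "cio": "CIO",
    "counsel": "General counsel",
    "comms": "Communications office",
    "registrar": "Registrar (student records owner)",
    "research_office": "Office of research",
    "fbi": "FBI field office (pre-established contact)",
}

# Constructed map of sensitive systems to the data owner who must be told.
SYSTEM_OWNERS = {
    "sis": "registrar",          # student information system
    "hpc": "research_office",    # research compute cluster
}


@dataclass
class Incident:
    severity: int                # 1 (low) .. 4 (critical)
    impacted_systems: list
    opened_at: datetime
    notified: set = field(default_factory=set)


def call_tree(incident, now):
    """Return roles that are due for notification at `now` and have not
    already been called, sorted for stable comparison."""
    due = {"soc_oncall"}
    elapsed = now - incident.opened_at

    # Severity tiers: each tier adds to the ones below it.
    if incident.severity >= 2:
        due.add("ciso")
    if incident.severity >= 3:
        due |= {"cio", "counsel"}
    if incident.severity >= 4:
        due |= {"comms", "fbi"}

    # Impacted systems pull in the data owner regardless of severity.
    for system in incident.impacted_systems:
        owner = SYSTEM_OWNERS.get(system)
        if owner:
            due.add(owner)

    # Time elapsed: an incident still open after 4h reaches the CISO,
    # after 24h the CIO, even if it opened as low severity.
    if elapsed >= timedelta(hours=4):
        due.add("ciso")
    if elapsed >= timedelta(hours=24):
        due.add("cio")

    return sorted(due - incident.notified)


def notify(incident, now):
    """Record the roles returned by call_tree as notified and return the
    human-readable contacts to call."""
    roles = call_tree(incident, now)
    incident.notified |= set(roles)
    return [ROSTER[r] for r in roles]


def demo():
    """Walk a low-severity ticket that ages, and a critical one hitting the
    student information system. Returns the notification lists at each step."""
    t0 = datetime(2021, 7, 14, 9, 0, tzinfo=timezone.utc)
    low = Incident(severity=1, impacted_systems=["wiki"], opened_at=t0)
    first = notify(low, t0)                       # SOC only
    again = notify(low, t0)                       # nothing new
    aged = notify(low, t0 + timedelta(hours=5))   # CISO via elapsed time
    crit = Incident(severity=4, impacted_systems=["sis"], opened_at=t0)
    crit_first = notify(crit, t0)
    return {"first": first, "again": again, "aged": aged, "critical": crit_first}


if __name__ == "__main__":
    for step, contacts in demo().items():
        print(f"{step}: {contacts}")
```

The roster and the severity thresholds are the part an institution replaces with its own plan; the structure (tiers that accumulate, owners keyed on systems, and escalation on elapsed time so a ticket cannot sit unnoticed) is what the call tree has to encode.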
RIT CISO Maloto picked up the thread on detection and analysis.
“Our email system receives the highest volume of attacks, and I would imagine that for many of the folks here, you’re in a similar situation,” he explained. His college receives about 500 million emails a year, and he said 78 percent of those pose a threat to the university in one way, shape or form. “Just in the past, quick math, in the past 10 minutes that we’ve been speaking, there have been about 7,500 of those malicious emails that we received. So the volume is quite significant.”
Therefore, having a very robust email filtering capability is essential in managing those types of numbers, he said. However, when you’re talking about these volumes, there are some threats that will ultimately make it through. “So it’s really important that detection and analysis capabilities have multiple layers of defense and have different analysis capabilities,” Maloto said. “Along the way, in each layer of defense, I find that it’s really best to have a three-pronged approach including the technology, the process, and most importantly the people element as part of your defensive approach.”
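Maloto’s point is that at these volumes the gateway filter is only the first layer, and that each layer should combine technology, process and people. The following is an added example, not RIT’s code or anything shown at the panel, of a layered triage pipeline run over three constructed messages: one that fails sender authentication and is rejected at the gateway, one that authenticates cleanly but links to a look-alike of the institution’s login page and is caught by content analysis, and a text-only pretext with no link that clears both automated layers and is surfaced only when a recipient reports it. The domains, headers and the look-alike rule are all constructed for illustration.

```python
"""Layered triage of inbound mail: gateway authentication, content analysis,
then the people layer (user reports). Added example, not RIT's code. All
domains, headers and messages are constructed; a real deployment would take
Authentication-Results from the MTA and OUR_DOMAINS from configuration."""
import re
from email import message_from_string

OUR_DOMAINS = {"example.edu"}   # constructed institutional domain

# Constructed sample messages (headers must start at column 0 to parse).
RAW_MESSAGES = [
# 1: spoofs our domain but fails SPF -> rejected at the gateway (layer 1)
"""From: payroll@example.edu
To: staff@example.edu
Subject: Updated direct deposit form
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=bad.example.net; dkim=none

Please open the attached form and confirm your banking details.
""",
# 2: authenticates fine from an outside domain but links to a look-alike
#    of our login page -> caught by content analysis (layer 2)
"""From: helpdesk@examp1e-edu.com
To: student@example.edu
Subject: Your mailbox is full
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=examp1e-edu.com; dkim=pass header.d=examp1e-edu.com

Your account will be suspended. Verify your password at
https://login.examp1e-edu.com/owa
""",
# 3: clean headers, no link, gift-card pretext -> passes both automated
#    layers; only a recipient report surfaces it (layer 3)
"""From: dean.office@outlook.com
To: faculty@example.edu
Subject: quick favor
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=outlook.com; dkim=pass header.d=outlook.com

Are you at your desk? I need you to pick up some gift cards for a
student award today. Reply with your cell number.
""",
]

AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)")
URL_RE = re.compile(r"https?://([\w.-]+)")


def layer_auth(msg):
    """Layer 1 (technology): reject mail whose SPF or DKIM result is a hard fail."""
    results = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    if results.get("spf") == "fail" or results.get("dkim") == "fail":
        return "reject"
    return None


def _lookalike(domain):
    """Constructed homoglyph rule: after mapping 1->l, 0->o and '-'->'.',
    does an outside domain read like one of ours?"""
    if domain in OUR_DOMAINS or any(domain.endswith("." + d) for d in OUR_DOMAINS):
        return False
    norm = domain.replace("1", "l").replace("0", "o").replace("-", ".")
    return any(d in norm for d in OUR_DOMAINS)


def layer_content(msg):
    """Layer 2 (technology + process): quarantine links to look-alike domains."""
    for host in URL_RE.findall(msg.get_payload()):
        if _lookalike(host):
            return "quarantine"
    return None


def triage(raw, reported_by_user=False):
    """Run the layers in order; return (verdict, layer that decided)."""
    msg = message_from_string(raw)
    for name, layer in (("auth", layer_auth), ("content", layer_content)):
        verdict = layer(msg)
        if verdict:
            return verdict, name
    # Layer 3 (people): nothing automated fired. A recipient report after
    # delivery is what turns the message into an investigation.
    if reported_by_user:
        return "investigate", "user_report"
    return "deliver", None


def run_samples():
    """Triage every constructed sample as delivered (no user report yet)."""
    return [triage(raw) for raw in RAW_MESSAGES]


if __name__ == "__main__":
    for (verdict, layer), raw in zip(run_samples(), RAW_MESSAGES):
        print(f"{verdict:<11} by {layer!s:<12} {raw.splitlines()[2]}")
```

The third message is the case Maloto is describing: with clean authentication and no URL there is nothing for the first two layers to act on, so the only signal is a recipient who recognises the pretext and reports it, which is why the people element sits inside the detection pipeline rather than beside it.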
Binghamton’s Behun talked about the third stage, containment, eradication, and recovery.
“You’ve detected something and you’re going to take some sort of action,” he posited, adding that the action will of course depend on the severity of the incident. It can be as simple as an indication of a compromised account, requiring the individual to reset that account, or it can be much more serious, making it necessary to sever the internet link and bring all systems down. At that point it becomes necessary to build a new network and reimage every machine before placing it on the new network.
“So in containment eradication and recovery, you’re going to take that measured action and go and fix whatever needs to be fixed and keep your campus or your business running,” he said. “So, reporting and communication is paramount when you’re recovering from an incident or during an incident itself.”
RIT’s Maloto addressed the final component, post-incident activity, which is critical in high-severity incidents. “It’s the step where we can reflect and document what happened, what worked well, and what didn’t work well,” he said.
“It’s also where we can identify improvements for the incident handling process and procedures,” he continued. “We’re fortunate enough at RIT that we have a project problem management team that helps us conduct the lessons learned sessions for our high severity incidents,” he said.
During these sessions the various stakeholders involved in the incident are invited to an all-day lessons-learned session. In preparation, Maloto’s team takes its standard incident review questions and extends them beyond service disruption and restoration into areas such as confidentiality, risk management, and the identification, containment, and eradication processes.
“And lastly, another example is the question, is there something we can do differently? And if we could, what would it be,” Maloto said.
“We use the responses to refine our processes moving forward. I think it’s also important to recognize that with these different steps that we’re talking about, it’s a continuous improvement process, and the lessons learned really should feed back into the preparation materials of the overall life cycle,” he said.