The Importance of Visibility
Preparation to securing your campus environment
- By Mike Spanbauer
- August 01, 2021
Let’s face it - the technology environment of a typical campus
brings with it a unique set of situations and challenges that
even the most seasoned technology manager may not fully
appreciate. Matching that uniqueness is the fact that most
educational facilities run on limited budgets with a lean
amount of staff, where each wears various hats throughout the
department.
What this all means - besides possible sleepless nights - is that in
order to be truly secure, one must be focused on getting their security
posture just right, being as prepared as possible for every eventuality
and putting faith in that preparation if disaster strikes.
The Campus Situation is Unique
As they say, situations may vary, but on a typical campus the application
stack chosen by the university is narrower than one would find
at an enterprise, but the potential scope of applications and resulting
traffic includes all manner of software from enterprise to consumer.
There are different types of productivity applications in use by different
groups; sometimes different departments use their own preferred
type of applications, and it’s impossible to fully account for everything
that a student may bring into the environment. There is robust use of
cloud tools like Google Suite and Microsoft Office 365 - and despite any
school-wide “preferences,” applications in use are never 100% standard.
At most modern educational institutions, a majority of the applications
in use today are web-deployed. Traditionally there have been
some point-of-sale applications at bookstores, tuition payment applications
and locations where personal employee data is stored, all
of which need to be protected from breaches or attacks. There has been a dramatic rise in the amount of these applications over the past five
years, however, as the rapid adoption of cashless transaction systems
has enabled the student to accrue expenses for everything from food,
to laundry, to supplies and even tuition.
Depending upon the amount of academic research being done by
a college or university (and who is funding it), there may be entire
departments with their own servers, protocols and compliance needs.
Some will be tightly managed, others less so. These days, much of this
work has moved from an on-premises setup to hybrid data centers, or
even to a full cloud setup.
In addition to what’s used by professors and staff of the school,
there’s the student body, which brings in everything from gaming
consoles, to connected devices, to the entire spectrum of patched and
unpatched Macs and PCs to the network. That doesn’t even begin to
mention the amount of mobile devices that each student, employee
and professor has connected to the school’s systems. Estimates put
each person at connecting at least two devices to the network, with
the total number of devices being 2X that of workstations and personal
computers. These devices come in all shapes and sizes, represent several different generations of hardware and software, all with
their own levels of security.
In an enterprise environment, the technology managers can dictate
what is brought in and allowed to connect, and what isn’t. In the college
environment, this simply isn’t possible. Recognizing and preparing
for this fact is the first step in protecting your campus network,
applications and systems.
Technology (and Security) Knowledge Varies Wildly
Another important thing to remember is that all of a college’s constituents
- students, visitors, researchers, professors and employees –
bring with them incredibly varied levels of technology understanding
and experience. Some may have a high level of knowledge and will be
very secure in everything they do, and others, less so.
Sometimes an action by an ignorant insider can represent a more
significant threat than a sophisticated attacker. Someone who downloads
an application, a movie or music that they think is “free” in fact
ends up infecting the device and exposing the rest of the environment
to an attack. Or, the threat could originate from the person that
doesn’t ever update their device or PC, or the professor that opens
every email they receive regardless of the sender.
It is often said that university campus networks make for the best
security soak sites. A college campus is a microcosm of the real world,
and just like the real world, understanding of technology usage and
effective security measures vary widely.
Defending the Campus Attack Surface
Once the expansive potential attack surface is understood, it’s time to
take the correct steps to protect it. There are several key strategies to
have in place in order to best use time and resources, and provide the
maximum protection possible.
There is never a way to protect against everything, or to predict
every problem, but by focusing on understanding the environment
and being prepared if there is an issue, one can ensure they are in the
best possible position to succeed.
Planning. The most important aspect of operating a successful
security organization at a college or university is to actively plan for
as many potential situations and threats as feasible. An administrator
needs to model regular activity, and crisis activity, down to the minute of each team member’s actions. That way, when there is a crisis,
they are ready.
At the same time, this planning is not just for crisis situations. It is
also to ensure a team sticks to decided-upon protocols and actions for
everyday security management. What is the workflow for making software upgrades? For software updates? How does the team add new
users and give them access to specific applications and information?
Plan out what normal activity looks like, as well as what abnormal
activity looks like. That way it’s clear when something is abnormal
and malicious. Reviewing plans on a regular basis is just as important.
One needs to ensure everything is up-to-date, make any needed
adjustments and update the process plans and workflows to make
sure they’re current. This is money and time well spent, as it helps
when an incident happens to get out of reactive mode into proactively
solving the issue.
Planning out the workflow and playbook for each action for the
entire organization, and then relying upon those detailed plans is the
only way to ensure the campus is operating at peak efficiency (important
with a small amount of staff) and that it’s ready for any eventuality.
Policies. A part of this requires strong, consistent definitions for
security incidents at the core of planning and preparation activities.
It is up to the security team to decide upon the proper alert work-
flow, and when an incident or anomaly needs to be flagged to the
team. Deciding exactly what’s dangerous, what’s interesting and
what’s not is critical to success (and the sanity of the team).
An organization can’t set its tolerance too high, or they’ll end up
letting all sorts of malware, malicious code and ransomware into their
system; and if the tolerance is too low the team will constantly be
chasing down false positives and ghosts. The problem is never getting
too many or too few alerts – it’s most often the lack of planning and
discussion at the start, or a lack of consistency in approach and defi-
nition of what is normal and what is not.
All new elements introduced to the environment need proper
action plans around what is expected and what would be an abnormal
behavior. Be sure to test all new software out beforehand, in order to
make sure it will roll out and go live as expected, as no one likes surprises.
It’s hard to think of a single example where a security surprise
ended in a promotion.
Having already had the right conversations and made the right
plans to effectively react when an incident happens is crucial. This is
even more critical to get right with leaner teams that are wearing
many hats.
Preparation. Without a strong workflow and the right preparation
in place, all the automation or advanced tools in the world won’t help.
Teams and people need to work together. Events affect everyone in
the organization. To operate correctly, a team needs to be prepared
well, and know how to instinctively play their roles.
With plans and policies in place, teams need to rehearse critical
events and see where there might be issues to correct in their workflows and planned responses. Was something missed? Better to find it
now, before it’s too late.
Being prepared also means having the proper security controls
and tools in place to enable everyone in the team to do their jobs effectively
each day. This means having full visibility, being able to inspect
items of interest, and knowing when (and how) to act on what one finds.
Visibility. It is critically important to operations to ensure active
visibility into the network and applications - especially in the campus
situation where there are likely fewer resources and overworked staff.
It’s only possible to protect what can be seen.
With pervasive network visibility in place, it’s possible to see the
entire environment and manage all its assets. It is important to have
the ability to monitor normal, legitimate network traffic and activity,
allowing a view of the network when it is performing the way it is
intended to. That also enables setting the stage for what is considered
abnormal, or at least out of the ordinary, making it easier to identify
and address potential issues before they become full-on emergencies.
Controls. Every security organization needs to build some basic
controls that will allow them to control the blast radius, i.e., to handle
the extent of the damage if the campus network and/or applications
face a cyberattack.
There are different types of controls - some are simply brute-force-type
controls, shutting down everything for a moment of time while
it is determined what the problem is and how to stop it. Alternatively,
there are controls that combine network visibility with specifics to
surgically control an application or a machine (or more) to isolate
and shut down just the problem areas. Both are effective (and often
needed) options to have available.
This also serves as a reminder to make sure that the proper controls
are in place to manage day-to-day security operations, not just when
there is a crisis. Is it possible to see across applications, identify and act
upon anomalies? Is the system set up so that only those that should
have access do, and are the only ones allowed to make changes?
Make sure that controls behave the same across the entire environment.
There should be a consistent operational security and control
set, regardless of whether operations are on-premises, hybrid or fully
in the cloud. Be sure that settings have been checked and rechecked
to prevent a missed checkbox from unintentionally causing problems.
Lastly, remember to not have only a single administrator account
active. Credential management is an issue, sure, but it is more important
to be protected in case there’s an issue and it’s not possible to
access the main account anymore. Credential management program
suites can be a friend. Employ unique credentials and use the programs
to help.
Compliance and certification. Be sure to have a solid certificate
management program running that can help make sure the organization
knows where applications are from - and that they are who they
say they are (signed, and from trusted publishers). Without that, at the
very least make sure there is a technical signature trail, and know what
each does, who has authority to publish, who has permissions, where
they are running. That will be critical information if there is an issue.
Compliance is also important to factor into the security makeup.
Many campuses contain research facilities - and many have a deep set
of data and security compliance requirements in order to receive
funding from a government or private sector investment, while others
demand a certain level of data and information protection. In
many cases, colleges and universities with these requirements find
themselves using this high level of security as the starting point for
determining what needs to be invested in and rolled out campus
wide. Remember not to make this the final consideration when
reviewing your security needs.
Future-proofing Your Security
Technologies and an institution’s need to provide and support them
change rapidly, such as in 2020 with the rapid, immediate need to provide online learning. One constant that remains, however, is the
need for strong security to protect the network, its information and
applications.
While it’s impossible to know exactly what’s around the proverbial
corner technology-wise, there are things one can do to be ready. The
most important when it comes to security is, once again, having the
proper plans and processes in place to evolve as security and technology
needs evolve.
Establishing operational simplicity, with consistent policies and
controls will enable an organization to be ready, and allow them to
easily adapt for the next big thing. If one knows what to look for and
maintains the consistency of how to define an attack or security issue
that needs attention, then they will be prepared.
The Importance of Peer Networks
Time and time again the truth rings true that there is simply no substitute
for planning. By choosing great technology and solutions,
investing the time and effort needed for planning and working with
great partners, one can quickly mitigate the risk of any attack being
successful or having lasting effects on their school.
That said, very rarely has something been done that wasn't done
before. In the case of campus security, there have been others who
have likely recognized a pattern that just popped up or have recently
dealt with a similar issue. It is important to establish a peer network
in the campus security world. Network with peers in other colleges
and universities that have similar roles; that way, when instances
occur, individuals can bounce things off one another. This is especially
important when running a small organization where folks have
multiple responsibilities.
A good peer network enables someone to get responses from others
that have seen it all before. It’s also a great opportunity to become
involved and share expertise with others.
There are Resources to Help
In addition, there are several freely available resources out there that
can help in one’s role. The National Institute of Standards and Technology
is a great place to start, as they offer several reference materials
and frameworks that can be helpful to build up and enhance an
organization’s protection.
Vendors and partners should also be trusted to lend a hand in
these situations and offer advice on how to correctly set up systems
and respond to incidents.
It Is Not Possible to Do Everything
It is critically important to spend one’s cycles wisely. It’s impossible to
do everything - and that’s OK. Work to be prescriptive and descriptive
in the actions taken.
Of course, there is always more one can do, but by having great
tools, the right processes and comprehensive visibility in place, it’s
possible to establish a counter-force to having a lean staff and few
resources, which should help everyone to be able to sleep at night
once again.
This article originally appeared in the July / August 2021 issue of Campus Security Today.