5 questions every higher-ed security leader should ask

November 18, 2020 | Tony DeGonia

Patrick Robinson and Mike McLaughlin contributed to this blog.

In the day and age of COVID-19 we have witnessed a transformation of the way we work. If I were asked before March of 2020 how long it would take to make the progress in digital and security transformation that we as a society have made in the last 9 months, I would have guessed at least 5 years. The rate of adoption in the face of the pandemic has been unprecedented.

Nowhere have the changes required to make remote working possible come on faster than in education. Whether it’s K-12 or higher education, remote access adoption and the security measures that accompany it have been implemented at a blistering pace.

This article will lay out a few questions and requests that we at AT&T have received from education customers looking to build out better, faster and more secure access for their students, faculty and staff, to accommodate the sudden change in workplaces and learning centers all across the U.S.

How quickly can I get larger internet connections and how can we secure those internet connections effectively from a global standpoint?

How quickly bandwidth can be increased depends, for most clients, on several factors, such as facility availability, turn-up time with the carrier, and contracting requirements between the customer and the carrier.

As for the best way to protect internet connections with dedicated IP addresses, it’s a multi-pronged effort. In today’s cyber landscape, security decision makers have multiple attack vectors to consider when putting a cyber-posture in place. Traditionally a firewall is a given. Firewalling an internet connection still holds true, but there is much more to evaluate.

Questions to ask yourself:

  • What will you have behind that firewall?
  • Will you deploy a demilitarized zone (DMZ) in the environment to host public facing networks?
  • Are you increasing bandwidth to accommodate remote workers? If so, how many workers will be internal to the network versus external workers who are dialing into the environment?
  • How important is uptime to your business mission?
  • Do you have anything deployed in the cloud that your external users would route to through the internal network (hair-pinning)?
  • Do you want to make users authenticate with network credentials at the gateway, or do you want the users to authenticate multiple times (once for VPN and once or more times for network access)?
  • Do you have multiple locations tying into the location with the increased bandwidth through site-to-site VPN or Software Defined Wide Area Networking?
  • Do you utilize Multi-Protocol Label Switching (MPLS) between sites?
  • Do you have industry compliance requirements to meet?
  • Will you be running Next Generation Firewall subscription services on your gateway (edge) firewalls?
  • Do your organization’s uptime requirements call for a high-availability configuration in order to achieve a minimum of 5x9’s (99.999%) reliability?

As you can see, there isn’t just one definitive answer to the question “what should I use to protect my users, internal network and upgraded bandwidth?” With the number of Distributed Denial of Service (DDoS) attacks that have become so prevalent against higher-ed institutions in the last year, DDoS mitigation services are essential, and monitoring for volumetric attacks is usually very affordable. However, the more the customer monitors for, and the more mitigation time the customer requires, the more expensive the service can become.

A few things to think about with DDoS attacks when deciding what you need for your new circuit:

  1. Where might the attacks be coming from? Do a little research on the attack vectors for DDoS attacks occurring against organizations that are comparable with the organization you are trying to protect. In most cases there are common traits around the attacks, and you may even find that the same criminal group is attacking organizations of a certain size, student population or geographical area. Information like this can help to narrow your risk when doing a risk assessment for your organization.
  2. What is going on behind the scenes during the DDoS attacks that are occurring against other organizations similar to yours? As stated in the previous question, most attacks are either patterned and generally work, or are copycats of other successful attacks. Cybercriminals, while smart and capable, generally use proven tactics against organizations that think, act and protect their networks similarly, to increase their success rates.
  3. What are the attack vectors used beyond the DDoS attack to infiltrate the victim’s network and gain access to the sought-after valuable information (gold)? With most DDoS attacks there is more to the attack than just taking the victim’s network out and causing downtime, especially in the age of COVID-19. There is almost always a secondary or tertiary attack vector, usually exploiting pre-existing vulnerabilities within the victim’s network (edge) defenses. Once the attacker gains access, they essentially have the keys to the kingdom for data exfiltration, malware, ransomware - the sky is really the limit.

There are DDoS mitigation services that can monitor for all of the situations listed above, and in most cases mitigating one of the attack vectors will clean up or mitigate the attack across all of them. The hard part is deciding what to watch for and how that will fit into most organizations’ already stretched-thin budgets.

How has cybersecurity changed since the introduction of quarantines and work from home becoming more prevalent with most companies and organizations?

This is always a loaded question. I was having a conversation with one of my co-workers, Patrick Robinson, Application Sales Executive II with AT&T Public Sector – State of Texas. Pat stated that “many of these CISOs and Security Directors have had the world turned up on their head. On top of that they have to accommodate all of these quarantine issues, new remote workers and total migration of workers to work from home. As well they are having to put together solutions to accommodate all of these changes, on shoestring budgets in timeframes that would not be sufficient for a Proof of Concept.” “Many of these customers are pulling this off with a great deal of effort and a whole lot of luck,” stated Robinson. “Of course, perfection is far from the goal in most of these cases; functionality and efficiency reign supreme in these situations. Just keeping the students learning and the business side of the organization running is the best they hope for.”

“Once that is achieved, many CISOs have stated that is when they go back, apply policies, audit for compliance and ensure that the overarching security posture is being met,” said Robinson. The general thought is that 2020 has thrown the most epic curveball conceivable to any security or business leader.

The changes are compounded by state and local mandates for business closures, work from home and learn from home. With all of that, most organizations are doing this understaffed and over budget. In my opinion, cybersecurity has evolved a minimum of 5 years in advancements and adoption over the last nine months of the pandemic.

At the beginning of 2020 we were looking at a partial migration to the cloud. We have since placed those migration plans on hold. When do you project that a migration to the cloud might be safer and more effective?

Short answer: it will never be safer or easier to migrate to the cloud than it is right now.

Of course, changes to technology may make some aspects easier, but the cybersecurity effort required to fully secure a cloud environment will only become more stringent as new vulnerabilities and hacks come to light. Gone are the days of just setting up an Access Control List (ACL) and calling it a day.

However, never fear: with the advent of Cloud Access Security Broker (CASB) providers, securing your cloud instance has become easier and more secure.

If you could recommend one thing to a higher education institution that would improve their overall security posture, what would it be?

The old adage stands true, the smarter the users, the better the security. (I don’t know if that is really an old saying, but it works for this article.)

User security awareness training is always the best bet to protect an environment where there are large numbers of users. No matter how secure the policies and procedures for end users are, if they don’t understand what a social engineering attack looks and feels like, how can they possibly know what to do when it happens to them?

Train the users - students, faculty and staff. It is an investment in your organization’s security and in your faculty and staff, and it helps jumpstart your students’ knowledge of working in the real world and of what will be expected of them when they graduate and get their first jobs working with technology.

Social engineering attacks account for almost 90% of all cyber attacks globally. Whether it is phishing, spam, spear phishing, longlining, or any of the dozens of other forms of social engineering, everyone who interacts with your organization’s computer network, in-house or remotely, should have user security awareness training as a prerequisite to gaining access to the network resources they need to do their jobs or take classes.

Looking at the overall way that the internet and work/learning has changed what do you think is the biggest risk from a cybersecurity standpoint and how has that changed since February 2020?

In an article written on July 27, 2020, DH Kass of MSSPAlert.com wrote:

“The number of ransomware attacks on public sector entities rose slightly late in Q2, 2020, reversing a four-month decline in cyber battering rams pinpointing those targets, a new Emsisoft Malware Labs report said.

In Q1 and Q2, at least 128 federal and state entities, healthcare providers and educational establishments were hijacked by ransomware. Of those, 77 whacks occurred in January and February. For March and April combined, the number of events slid to 22 but rose in May and June to 29 in total.

Emsisoft segmented attacks in the first half of 2020 by sector as follows:

At least 60 government entities were bitten by ransomware during the first two quarters. The prey included cities, transportation agencies, police departments and one federal agency. While attacks slid steadily from 19 in January to five in April, a May bump pumped the figure up to eight and in June to nine.

At least 41 hospitals and other healthcare providers were successfully attacked during Q1 and Q2, an unsurprising data point given how much COVID-19 drained their resources. The number of attacks dropped from January/February’s high of 26 to six in March and April but have since moved upwards in May and June to a total of nine.

More than 30 school districts and other educational establishments were impacted by ransomware, disrupting operations at some 439 schools. In January/February, 22 attacks were recorded, and in March/April four were counted. In May, only one school district was successfully attacked along with three others on universities. No attacks were recorded in June.

As for data theft, to date in 2020 sensitive material has been exfiltrated in ransomware attacks on at least five government entities and three universities, including a public research university actively engaged in COVID-19 research, Emsisoft said.

In 2019, a record 966 government agencies, healthcare facilities and education institutions were barraged by ransomware, with cyber crooks pocketing about $7.5 billion. It appeared that number could only climb higher in 2020. However, starting at the turn of the year the sum of kneed public sector entities decreased month-over-month through April before rising in May and June. A deepening of the COVID-19 crisis when some hacking groups pledged to leave healthcare alone (even though others refused) may have prompted the slide in March and April, Emsisoft said.

Despite the skywards move in ransomware incidents, there’s still time to arrest the Q2 increase in Q3 and Q4, said Fabian Wosar, Emsisoft chief technology officer. “2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly,” he said.

Emsisoft said its report is based on data from public and non-public sources and likely underestimates the actual number of ransomware incidents during the period studied.”

While this information encompasses breaches across the entire State, Local and Education segment, it is a good assessment of the effects of cyber-attacks on higher-education institutions throughout the United States. Though this only really covers the second quarter of 2020, you can safely assume a growth rate across all four quarters that is equal to or higher than the previous quarter. This marks 2020 as one of the busiest single years in recent history for cyber-attacks of all types, not only for higher-ed but for State and Local Government and Education as a whole.

In conclusion, the cyberthreat landscape is as malicious as it has ever been, and cybercriminals are more technology-astute than ever before. Couple that with the element of surprise and you have the perfect scenario for increasingly dangerous attacks that are netting cybercriminals more of everything they strive for - be it money, information, secrets or worse.

About the Author: Tony DeGonia, AT&T Cybersecurity

Tony DeGonia is an AT&T Cybersecurity Technical Sales Consultant in Public Sector - FirstNet assigned to State, Local and Education in the Eastern half of the U.S. Tony began his career as an engineer in the Signal Corps. in the U.S. Army. He has over 20 years of experience working as a Voice, Network and Security engineer. During that time he gained experience by maintaining, managing, designing and providing advanced voice, network and security solutions to customers in the SMB, Mid-Market, and Enterprise Sectors throughout the U.S., most notably in the SLED and Healthcare space. Tony is also well versed in the security requirements around HIPAA, PCI-DSS and Law Enforcement at the Municipal, State and Federal level. Tony regularly blogs and hosts podcasts through various channels. Tony's interests outside of work include shooting, hunting, following soccer the world over, and hanging out with his wife, 3 kids, 14 dogs, 12 Rabbits, 7 cats, 5 ducks, 19 chickens and pet pig named Penelope.