“Identify the threats most likely to impact your company, and spend your limited funds defending against those,” one expert says.

Campus networks host tens of thousands of devices each day, and while those devices have access to network resources, campus IT administrators must strike a balance between openness and vigilance.

Finding that balance can prove difficult if IT administrators attempt to address every single threat, no matter how relevant that threat might be to the campus. Many experts suggest focusing on a university’s mission, and adjusting security measures so they support this mission.

Campus IT security staff should determine exactly that, said Dave Cullinane, retired chief information security officer at eBay and co-founder of the Cloud Security Alliance, during an EDUCAUSE webinar to celebrate October’s Cyber Security Awareness Month.

Higher education has a clear need for intelligence-based security that evaluates the most pressing security threats and addresses them accordingly, Cullinane said. Universities face thousands of vulnerabilities each day, and IT staff can’t possibly keep up with all of those threats.

“Identify the threats most likely to impact your company, and spend your limited funds defending against those,” he said.

Unfortunately, many campus technology teams are still novices at managing information risk.

Campus technology leaders should demonstrate that they are focusing their resources and efforts on the things that are most likely to have an impact. There are threats that, were they to occur on a campus network, would be catastrophic, Cullinane said. But IT experts should weigh the likelihood of those events. If chances are very small that such an event would occur, funding would be better spent on more relevant security threats.

For instance, many universities are leveraging an increase in student mobile devices by creating apps for student and faculty use. IT administrators should understand the threats that accompany such mobile environments, how real those threats are, and then decide how much money to allocate to risk mitigation, Cullinane said.

Measuring the effectiveness of security plans is one of the most important things to do, but it’s also one of the hardest, he added. Campus IT leaders should review the ramifications of different security breaches, such as the exposure of student or faculty data, and use models or discussion sessions to gain a better picture of what the impact of such a breach might be. From there, they can decide how to quantify that risk in terms of dollars.

“Universities kind of get a bad rap in the computer security space, because they don’t have the same kind of funding that the Department of Defense or a bank might have,” said Ron Gula, CEO and chief technology officer of Tenable Network Security. In fact, some of the best security CIOs come from academia, Gula said, because they are able to come up with creative and flexible solutions on smaller budgets.

“Universities have to be open—that’s their nature,” Gula said. “But that really makes them more exposed to attacks.”

Mobile computing does present some security problems, but most universities design their networks knowing that access to data services is a necessary part of the university environment.

Many organizations are moving toward continuous monitoring via very frequent vulnerability scanning and vulnerability management, but mobile devices present a challenge when it comes to scanning for security threats.

Another option is what Gula called passive network monitoring.

Tenable sells a Passive Vulnerability Scanner, which helps organizations find unexpected security and compliance problems by constantly monitoring all network traffic.

The Passive Vulnerability Scanner continuously looks for new hosts, applications, and vulnerabilities—supplementing a university’s active scanning for potential threats that might fall between scans. It finds client-side vulnerabilities in web browsers, eMail clients, and other software, as well as anomalies that might indicate more serious threats.

In general, he said, universities are becoming more proactive when it comes to monitoring networks and addressing threats.

