According to a number of cybersecurity experts, no platform or industry is immune from data breaches, especially as targeted “hacktivism” is on the rise, says John Wethington, cybersecurity executive at Ground Labs. But if the cloud is “only as safe as the administrative credentials of a single person,” how can colleges and universities focus on identifying all of the data they have and reducing their digital footprint?
In 2015, Ken Westin, senior security analyst at Tripwire, as well as FBI experts working the case, said Penn State’s attack by Chinese cyber terrorists was part of a larger campaign [1] targeting similar departments and groups in higher education in a search for intellectual property. Now, in 2016, during an interview with Wethington on cloud security issues in higher education, it seems this type of what he calls “hacktivism” is on the rise. [Read: “Is your institution under Chinese cyberattack? [1]”]
“Malicious actors often choose specific industries or segments for attack because they need a clearly defined ‘target’ or simply because of political or social reasons,” said Wethington. “Nation state hacking is also on the rise and the stakes have never been higher. The race to innovate is greater than it ever has been before in human history. Any edge on a corporate competitor or rival nation can be a game changer. Institutions should focus on protecting the sensitive data including intellectual property within their organizations as a daily practice. Worry has never gotten anyone anywhere in security, but proactive measures can win the day.
And when it comes to proactive measures, Ground Labs recommends 10 specific steps as part of a comprehensive action plan to address sensitive data in college and university environments:
1. Identify all sensitive data in your environment. This can be done using automated solutions like Enterprise Recon 2.0 [2].
2. Map all data “creation” processes. In other words, understand how and why the data is generated in the first place.
3. Institute “least privilege” policies to reduce the number of credentialed users who have access to the data.
4. Securely delete or anonymize data that is no longer needed. If you can’t tie it directly to the operation of the institution within the last 36 months and it is not regulated data that requires retention it should be deleted.
5. Encrypt any remaining data and ensure that it remains encrypted while in transit and at rest. Make sure the keys are locked up in a safe place otherwise the encryption is useless.
6. Continuously scan and monitor the sensitive data posture in your environment. New data is created every day and it must be protected on every endpoint.
“Data loss should be priority number one,” said Wethington, when asked which of the Cloud Security Alliance’s (CSA) “Treacherous 12 [3]” cloud security threats was most important. “Many of the other issues listed are symptoms of the same threat. Hackers don’t create malware or break API’s for fun, they do them so they can get into the systems that contain the data. Protecting the data is why we put in firewalls, anti-virus, and anti-malware. It is why we have passwords. By focusing on data security within the institution we can quickly begin to identify the gaps in securing the data. These gaps can then be filled by solutions that meet the organization’s needs.
(Next page: Cloud security recommendations 7-10)
7. Deploy multi-factor authentication mechanisms and SIEM solutions to manage access and monitor systems that contain sensitive data.
According to the CSA cloud security “compromised credentials and broken authentication” is a major cloud security issue. Jennifer Nowell, national director for State, Local Government & Education at Symantec told eCampus News that [4] “It’s not to say that passwords shouldn’t be used, but think of passwords as level one, with today’s campus needing two or three levels of security protection that can clearly identify when an attack happens via system behavior and where it happens—all without compromising ease of use or access.” [Read: “The IT issues that will dominate 2016. [4]”]
Curtis Hillegas, associate CIO of Research Computing at Princeton University noted that security has to enable research, not hinder it and one way to do this is to stop relying solely on passwords and working within new data security models that provide a secure network infrastructure.
“Authentication is based on a pretty simple set of principles,” explained Wethington. (A) something you know like a password/passphrase; (B) something you “are” like Biometrics; and (C) something you have like MultiFactor authentication with a phone number/email address.
“Unfortunately, these systems are all easily bypassed by someone who has access to even a small amount of information about you,” he continued. “Credentials should be changed regularly, at least every 90 days if not less. Multi-Factor authentication is a must have today. If institutions are not requiring at least 2 or more levels of authentication then the identity of the user cannot be trusted.
Wethington said there are a variety of layers that can be instituted beyond this for systems that are more sensitive, and would include IP-based “White-Lists,” Network Access Controls, Limited Remote Access, and behavior based security analytics.
“While the solutions are interesting, the vast majority of breaches today are due to a failure in the fundamentals of security practice,” he said. “Focus on getting the basics of Identity correct by instituting regular password changes, larger entropy, complex passwords, multi-factor authentication, and encrypting traffic between endpoints, especially during credential exchanges.”
8. Educate students, faculty, staff and contractors/vendors on the proper storage, management, and deletion of sensitive data.
According to J.R. Santos, executive VP of Research for the CSA, “instead of being an IT issue, cloud security is now a boardroom issue. The reasons may lie with the maturation of cloud, but more importantly, higher strategic decisions are being made by executives when it comes to cloud adoption.”
It’s a sentiment strongly mirrored by Wethington, who explained that security, in general, is a boardroom issue, with cloud security as just another component of a larger problem boardrooms are facing.
“Shareholders are holding the board responsible for their failure to protect their fiduciary interests when a breach occurs,” he said. “These breaches cost organizations billions of dollars a year in fines, lost revenue, lost good will and more. What [board members] don’t know or don’t want to know may be knocking on the boardroom door sooner rather than later, and when it does ‘ignorance will be no excuse for the shareholders, customers or the regulators.’ Boards should look at the data they have within their organization as the most precious asset they possess. The monetization of that data on the black market is very real and so are the threats to its security.”
9. Institute policies and procedures for breach notification and incident response. Then practice them once a month.
10. Monitor OSINT (Open Source Intelligence) streams for potential data leaks that may affect your institution. The sooner you detect the breach the sooner you can plug the hole.