NCATS’ RVA toolkit includes vulnerability scanning, both internal and external, and social engineering, an exercise to assess how vulnerable your users are to phishing attacks. “We can test what happens if an end user clicks and downloads a malicious file,” McAfee said. During 2015, the RVA’s phishing emails resulted in an average click rate of 25%. Due to more awareness and training, the average click rate fell to 10% in 2017. If your institution doesn’t require the additional phishing testing, NCATS has you covered; the assessment is very flexible, allowing clients to tailor it to fit their institution’s specific needs.
While the RVA gives an overall assessment of your institution’s cybersecurity, the CH program is meant to provide “an adversarial view of what holes can be found on your perimeter.” The remote scan showcases any vulnerabilities or trends in your IP perimeter from week to week and provides thorough reports on those vulnerabilities. It can even summarize the progress that your institution is making towards fixing any previously identified issues.
More details about both programs
As free services, both programs offered by the NCATS team follow a formal process for applications. When asked how long it would take to set up their programs, McAfee reassured us that once an agreement is signed and the proper technical information is provided, the CH program can be up and running in as little as 48 hours. As for the RVA, it could potentially be up to eight to 12 months from the time of signing before the logistics and resources are in place. The NCATS team has a finite set of assessments that they can do each fiscal year, so if you are interested in their services, the sooner you reach out to them the better.
After researching NCATS’ cybersecurity offerings online, we came across a lot of comments expressing potential clients’ concerns with the programs. For example, many commenters were worried about “big brother” finding back doors into clients’ networks and not notifying them. When asked about some of these concerns, McAfee explained that although the NCATS team works with other government agencies, like the Department of Defense and National Security Agency, maintaining a trusting relationship with clients is of utmost importance. “Relationship building and establishing trust with the communities out there is a driver for what we do every day.”
The relationships that NCATS has with other agencies are beneficial for clients, McAfee said. “It’s about taking information that is sensitive and being able to create a product for the communities that don’t have classified access, and getting that information to our stakeholders to best utilize in their environment at any point in time.”
McAfee reassured us that the NCATS team considers client privacy paramount to their operation. “We’re guided by a very strong legal team and our general counsel, as well as our formal agreements with those groups.” When it comes to trust, it’s hard to deny that the NCATS team has a good track record. As of our interview, their Cyber Hygiene program had 415 stakeholders after two years of operation. “We get a lot of return customers,” McAfee said.
A client’s perspective
Along with our interview with members of the NCATS team, we also had the opportunity to interview one of their clients, David Marion from Bridgewater State University. When asked about the concerns we had about the NCATS programs, Marion responded by saying that he sees the NCATS team as coworkers, not big brother. “We’re all on the same team,” he said. “No one is pointing their fingers at anyone else.”
His experience working with the NCATS team was a win-win for everyone involved, he explained. The IT department at BSU wasn’t sure whether their network was 100-percent secure, so they reached out to the NCATS team for help. “We were able to send an email to the Department of Homeland Security and they were able to provide us some additional steps to see whether we were vulnerable or not.”
Marion mentioned that even if you’re not worried about your institution’s cybersecurity, the NCATS Cyber Hygiene program is “a quick, easy way to take the temperature of your infrastructure each week. It’s about demonstrating to leadership that security can do things for free.” Once your institution’s leadership sees what is possible with free services, they may be more inclined to invest more in paid cybersecurity programs.
Although there may be better overall cybersecurity analysis services out there, it would be very difficult to get the level of expertise and support provided by the NCATS team for a better price. With additional services, such as a phishing campaign assessment, in development as of the time of our interview, the NCATS suite of programs can give you the reassurance you need about the strength of your university’s cybersecurity and potentially save your institution tens of thousands of dollars.
To learn more about the NCCIC and NCATS programs, visit their website.
[Editor’s note: This article was originally published on the Optimal Partners blog, Your Higher Ed IT Hub.]