The Importance of Visibility

Preparation to securing your campus environment

Let’s face it - the technology environment of a typical campus brings with it a unique set of situations and challenges that even the most seasoned technology manager may not fully appreciate. Matching that uniqueness is the fact that most educational facilities run on limited budgets with a lean amount of staff, where each wears various hats throughout the department.

What this all means - besides possible sleepless nights - is that in order to be truly secure, one must be focused on getting their security posture just right, being as prepared as possible for every eventuality and putting faith in that preparation if disaster strikes.

The Campus Situation is Unique

As they say, situations may vary, but on a typical campus the application stack chosen by the university is narrower than one would find at an enterprise, while the potential scope of applications and resulting traffic includes all manner of software, from enterprise to consumer.

There are different types of productivity applications in use by different groups; sometimes different departments use their own preferred type of applications, and it’s impossible to fully account for everything that a student may bring into the environment. There is robust use of cloud tools like Google Suite and Microsoft Office 365 - and despite any school-wide “preferences,” applications in use are never 100% standard.

At most modern educational institutions, a majority of the applications in use today are web-deployed. Traditionally there have been some point-of-sale applications at bookstores, tuition payment applications and locations where personal employee data is stored, all of which need to be protected from breaches or attacks. There has been a dramatic rise in the number of these applications over the past five years, however, as the rapid adoption of cashless transaction systems has enabled the student to accrue expenses for everything from food, to laundry, to supplies and even tuition.

Depending upon the amount of academic research being done by a college or university (and who is funding it), there may be entire departments with their own servers, protocols and compliance needs. Some will be tightly managed, others less so. These days, much of this work has moved from an on-premises setup to hybrid data centers, or even to a full cloud setup.

In addition to what’s used by professors and staff of the school, there’s the student body, which brings everything from gaming consoles, to connected devices, to the entire spectrum of patched and unpatched Macs and PCs onto the network. That doesn’t even begin to mention the number of mobile devices that each student, employee and professor has connected to the school’s systems. Estimates put each person at connecting at least two devices to the network, with the total number of devices being 2X that of workstations and personal computers. These devices come in all shapes and sizes and represent several different generations of hardware and software, all with their own levels of security.

In an enterprise environment, the technology managers can dictate what is brought in and allowed to connect, and what isn’t. In the college environment, this simply isn’t possible. Recognizing and preparing for this fact is the first step in protecting your campus network, applications and systems.

Technology (and Security) Knowledge Varies Wildly

Another important thing to remember is that all of a college’s constituents - students, visitors, researchers, professors and employees – bring with them incredibly varied levels of technology understanding and experience. Some may have a high-level of knowledge and will be very secure in everything they do, and others, less so.

Sometimes an action by an ignorant insider can represent a more significant threat than a sophisticated attacker. Someone who downloads an application, a movie or music that they think is “free” may in fact end up infecting the device and exposing the rest of the environment to an attack. Or, the threat could originate from the person who never updates their device or PC, or the professor who opens every email they receive regardless of the sender.

It is often said that university campus networks make for the best security soak sites. A college campus is a microcosm of the real world, and just like the real world, understanding of technology usage and effective security measures vary widely.

Defending the Campus Attack Surface

Once the expansive potential attack surface is understood, it’s time to take the correct steps to protect it. There are several key strategies to have in place in order to best use time and resources, and provide the maximum protection possible.

There is never a way to protect against everything, or to predict every problem, but by focusing on understanding the environment and being prepared if there is an issue, one can ensure they are in the best possible position to succeed.

Planning. The most important aspect of operating a successful security organization at a college or university is to actively plan for as many potential situations and threats as feasible. An administrator needs to model regular activity, and crisis activity, down to the minute of each team member’s actions. That way, when there is a crisis, they are ready.

At the same time, this planning is not just for crisis situations. It is also to ensure a team sticks to decided-upon protocols and actions for everyday security management. What is the workflow for making software upgrades? For software updates? How does the team add new users and give them access to specific applications and information?

Plan out what normal activity looks like, as well as what abnormal activity looks like. That way it’s clear when something is abnormal and malicious. Reviewing plans on a regular basis is just as important. One needs to ensure everything is up-to-date, make any needed adjustments and update the process plans and workflows to make sure they’re current. This is money and time well spent: when an incident happens, it helps the team get out of reactive mode and into proactively solving the issue.

Planning out the workflow and playbook for each action for the entire organization, and then relying upon those detailed plans, is the only way to ensure the campus is operating at peak efficiency (important with a small amount of staff) and that it’s ready for any eventuality.

Policies. A part of this requires strong, consistent definitions for security incidents at the core of planning and preparation activities.

It is up to the security team to decide upon the proper alert workflow, and when an incident or anomaly needs to be flagged to the team. Deciding exactly what’s dangerous, what’s interesting and what’s not is critical to success (and the sanity of the team).

An organization can’t set its tolerance too high, or they’ll end up letting all sorts of malware, malicious code and ransomware into their system; and if the tolerance is too low the team will constantly be chasing down false positives and ghosts. The problem is never getting too many or too few alerts – it’s most often the lack of planning and discussion at the start, or a lack of consistency in approach and definition of what is normal and what is not.

All new elements introduced to the environment need proper action plans around what is expected and what would be an abnormal behavior. Be sure to test all new software out beforehand, in order to make sure it will roll out and go live as expected, as no one likes surprises. It’s hard to think of a single example where a security surprise ended in a promotion.

Having already had the right conversations and made the right plans to effectively react when an incident happens is crucial. This is even more critical to get right with leaner teams that are wearing many hats.

Preparation. Without a strong workflow and the right preparation in place, all the automation or advanced tools in the world won’t help. Teams and people need to work together. Events affect everyone in the organization. To operate correctly, a team needs to be prepared well, and know how to instinctively play their roles. With plans and policies in place, teams need to rehearse critical events and see where there might be issues to correct in their workflows and planned responses. Was something missed? Better to find it now, before it’s too late.

Being prepared also means having the proper security controls and tools in place to enable everyone in the team to do their jobs effectively each day. This means having full visibility, being able to inspect items of interest, and knowing when (and how) to act on what one finds.

Visibility. It is critically important to operations - especially in the campus situation, where there are likely fewer resources and overworked staff - to ensure active visibility into the network and applications. It’s only possible to protect what can be seen.

With pervasive network visibility in place, it’s possible to see the entire environment and manage all its assets. It is important to have the ability to monitor normal, legitimate network traffic and activity, allowing a view of the network when it is performing the way it is intended to. That also sets the stage for what is considered abnormal, or at least out of the ordinary, making it easier to identify and address potential issues before they become full-on emergencies.

Controls. Every security organization needs to build some basic controls that will allow them to control the blast radius, i.e., to handle the extent of the damage if the campus network and/or applications face a cyberattack.

There are different types of controls - some are simply brute-force-type controls, shutting down everything for a moment of time while it is determined what the problem is and how to stop it. Alternatively, there are controls that combine network visibility with specifics to surgically control an application or a machine (or more) to isolate and shut down just the problem areas. Both are effective (and often needed) options to have available.

This also serves as a reminder to make sure that the proper controls are in place to manage day-to-day security operations, not just when there is a crisis. Is it possible to see across applications, identify and act upon anomalies? Is the system set up so that only those that should have access do, and are the only ones allowed to make changes?

Make sure that controls behave the same across the entire environment. There should be a consistent operational security and control set, regardless of whether operations are on-premise, hybrid or fully in the cloud. Be sure that settings have been checked and rechecked to prevent a missed checkbox from unintentionally causing problems.

Lastly, remember to not have only a single administrator account active. Credential management is an issue, sure, but it is more important to be protected in case there’s an issue and it’s not possible to access the main account anymore. Credential management program suites can be a friend. Employ unique credentials and use the programs to help.

Compliance and certification. Be sure to have a solid certificate management program running that can help make sure the organization knows where applications are from - and that they are who they say they are (signed, and from trusted publishers). Without that, at the very least make sure there is a technical signature trail, and know what each does, who has authority to publish, who has permissions, where they are running. That will be critical information if there is an issue.

Compliance is also important to factor into the security makeup. Many campuses contain research facilities - and many have a deep set of data and security compliance requirements in order to receive funding from a government or private sector investment, while others demand a certain level of data and information protection. In many cases, colleges and universities with these requirements find themselves using this high level of security as the starting point for determining what needs to be invested in and rolled out campus wide. Remember not to make this the final consideration when reviewing your security needs.

Future-proofing Your Security

Technologies and an institution’s need to provide and support them change rapidly, such as in 2020 with the rapid, immediate need to provide online learning. One constant that remains, however, is the need for strong security to protect the network, its information and applications.

While it’s impossible to know exactly what’s around the proverbial corner technology-wise, there are things one can do to be ready. The most important when it comes to security is, once again, having the proper plans and processes in place to evolve as security and technology needs evolve.

Establishing operational simplicity, with consistent policies and controls will enable an organization to be ready, and allow them to easily adapt for the next big thing. If one knows what to look for and maintains the consistency of how to define an attack or security issue that needs attention, then they will be prepared.

The Importance of Peer Networks

Time and time again the truth rings true that there is simply no substitute for planning. By choosing great technology and solutions, investing the time and effort needed for planning and working with great partners, one can quickly mitigate the risk of any attack being successful or having lasting effects on their school.

That said, very rarely has something been done that wasn't done before. In the case of campus security, there have been others who have likely recognized a pattern that just popped up or have recently dealt with a similar issue. It is important to establish a peer network in the campus security world. Network with peers in other colleges and universities that have similar roles; that way, when instances occur, individuals can bounce things off one another. This is especially important when running a small organization where folks have multiple responsibilities.

A good peer network enables someone to get responses from others that have seen it all before. It’s also a great opportunity to become involved and share expertise with others.

There are Resources to Help

In addition, there are several freely available resources out there that can help in one’s role. The National Institute of Standards and Technology is a great place to start, as they offer several reference materials and frameworks that can be helpful to build up and enhance an organization’s protection.

Vendors and partners should also be trusted to lend a hand in these situations and offer advice on how to correctly set up systems and respond to incidents.

It Is Not Possible to Do Everything

It is critically important to spend one’s cycles wisely. It’s impossible to do everything - and that’s OK. Work to be prescriptive and descriptive in the actions taken.

Of course, there is always more one can do, but by having great tools, the right processes and comprehensive visibility in place, it’s possible to establish a counter-force to having a lean staff and few resources, which should help everyone to be able to sleep at night once again.

This article originally appeared in the July / August 2021 issue of Campus Security & Life Safety.