Welcome Back: Security in the New School Year
It’s official: The freshmen are all moved into their dorm rooms, the instructors are setting up their electronic Learning Management System environments, the band is rehearsing, and the football team have been in practice for months (of course they have been — this is Ohio State). It’s time for a new school year (at least, in North America).
For those of us who are Higher Education staff, and particularly those in Security and IT, summer is the time to do all the things that can’t be done when school is fully in session — which is any major upgrade, renovation or new build — so summer is in many ways the busiest time of the year (It’s also the easiest time to drive on Campus, as there are fewer student jay walkers to accidentally hit). Regardless, we are part of the higher education community, so the rhythm of the year moves from Convocation to Graduation like everyone else.
So, this is the time of year when Higher Ed Security Professionals set their (multi) yearly goals, re-define their priorities, and generally give intentional thought to what needs to be done, and why. In no particular order, here are some of my goals for the year to come.
Avoid the (Big) Breach
I’m not so naive to think my organization will be immune to something happening. I’m sure it’s happening right now. But we Security Pros know that all Breaches are not created equal. So really, this should be “Don’t Get Massively Breached” — because small-to-medium breaches are just a cost of doing business these days, and we handle these as operational things. This is like an instructor dealing with one student looking over the shoulder of another during an exam, compared to the whole class colluding to ace the exam.
“Operationalize Breaches” is not a slogan that plays well with the Board and Senior Management (or Regulators, for that matter). Not yet, anyway. When they start to really pay attention to the world of Cyber Security, they will start to realize that this is the most pragmatic way to think of and manage this risk. But for now, they take the position of having a zero tolerance for Cyber risk. (Interestingly, they don’t assume zero tolerance for any other kind of risk. Financially, they allow for “shrinkage”, or “human error”. Legally, they have an army of lawyers to litigate on their behalf, instead of ensuring they won’t be sued in the first place. Why is Cyber so different?)
Big breaches, particularly those we know as Advanced Persistent Threats (APTs) which hang around for a long time without our knowledge, bumping into restricted data intentionally or by accident, are the CISO-killing kind of events that keep most people (well, me anyway) up at night. In many ways they are hardest of all the breach/incident activities to identify and manage. The impact on the organization can be enormous.
I would also lump Ransomware into the “Big Breach” category too. Not the kind of Ransomware that takes out one single researcher’s data, instead the kind of Ransomware that crawls file shares, or electronic medical record systems, or learning management systems, or ERP systems, and takes out entire business processes (or the cure for cancer) on the way.
So these are the kinds of threats I want to focus on, and the kind of Breaches I want to avoid. Which brings me to my next goal for the FY17–18 school year:
If we are to have a hope of achieving the first goal, we absolutely need to achieve this one. We need to be able to see all people, all networks, all computers, all data flows. We need this visibility so we can determine what is normal, and therefore what is abnormal. We need to be able to detect a disturbance in the Matrix, then go investigate. This is like an instructor having a full understanding of the background of each student in their class. If they know how student thinks and behaves, teachers can more effectively target their teaching to ensure the correct learning outcomes. Without that knowledge, they are flying blind, and much more likely to be slow to identify a student who is struggling, or find out too late that the student has dropped out.
This concept causes some interesting discussions in Higher Education. Unlike some private industries, there is a definite academic cultural resistance to any kind of on-going activity for baselining and monitoring. There is an expectation of privacy and autonomy from leadership on down (not just privacy of their personal stuff, but also privacy of their professional work. Until they want to publish). The concern about how monitoring relates to privacy, and to academic freedom, has been brewing for some time, and has not yet been solved. So, part of this year’s goals (and for many years in the future) is to work across the Academy to introduce the kind of monitoring we need, respectful of the concerns. (Note to Vendors: When dealing with Higher Ed, it doesn’t help to brag about how much your next-gen/AI/ML tool can see everything… you need to find a different elevator pitch please). It may be that we cannot reconcile these viewpoints, in which case our leaders and board members will need to take a very public stand for one side or the other. As a CISO, I’m actually comfortable with either option, as long as leadership fully understands the impact of their decisions. Which brings me to my third goal:
Educate Decision Makers
So this Wall Street Journal article came out recently: https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118. It’s a great article about how the guy who set password standards upon which we all now base our password rules got it Wrong. Since the article was published, I’ve had no less than 3 professors asking when we can do away with password reset rules (I have to ignore the fact that it takes them longer to research and write the email than it does to just change their password), including one very senior leader. Frankly, I would expect more from a researcher than relying on a couple of online sources as the basis of their thesis on passwords — but hey, we all make mistakes.
Here’s what they miss: Standards are non-binding, but are used as the basis for binding regulations. Before I can change our rules, the regulators need to change theirs. Also, we’ve engineered a ton of technology to support the old standards — there needs to be a lot of re-engineering done to make changes to fix one guy’s “error”. Lastly, the entire new Standards deal with much more than just password strength. They require Multi-factor in a ton of places, they require in-person identity validation, and other things most of us don’t have in place. But of course, those requirements were not included in the article.
Now, I don’t expect my Leaders to know all this — that’s why I have a job. But when they read this article, all they read was “Password Expiration Bad”. So, part of my goals for this year is to help them understand the backstory — on this and all the other headlines that they read. Not only the backstory on the theory, but how that plays out in practice at our institution. Because, these are the same people who set and enforce policy. Without full understanding of the ramifications of their policies, we will all certainly fail. Which brings me to my last goal:
Be Graceful Under Fire
With a bit of skill, and a bigger bit of luck, I will achieve all my goals this year. Even if I do, I will be like all other Security Pros who have to continually walk the line between supporting business goals while teaching people not to run with scissors. Between justifying a Security budget request while others in the organization make decisions which raise the cost of Security without consultation with me. Between supporting people who have just caused self-inflicted damage on the organization and saying “I told you so”. In many ways, this is similar to college professors who must teach an incoming freshman class. At no time is it OK for a professor to question the intelligence and educational background of those students — even though there are plenty of times when it would feel great to do just that.
So, welcome back to school, faculty, staff and students. I’m glad you’re here, and I look forward to working with you.