Uncategorized  |  September 2017

Addressing Top Five IT Security Challenges of Higher Education

DOWNLOAD         
Universities and colleges face the same IT security challenges as commercial enterprises, but with a force multiplier of difficulty due to a number of challenges unique to higher education. To start, they must lock down information within institutions that are culturally hard-wired to share information for the sake of their mission.

At the same time, IT teams are asked to protect one of the most challenging environments on the Internet-the student dorm network. Meanwhile, within other parts of the university network, employees are dealing with extremely sensitive details about students, professors, staff members and even patients, at those schools with hospitals attached. As a result, organizations are tasked with meeting compliance regulations over that vast and varied trove of information entrusted to the institution. But security and compliance goals are often limited by the resources at hand, as security teams tend to be perennially understaffed and underfunded.

A Culture of Sharing

Universities are built to share knowledge and information, and that often runs counter to IT security principles. In spite of that, security leaders are tasked by trustees and school executives to protect sensitive data not just in administrative systems, but also in those that support classroom learning and cutting-edge research. Students and professors may not like it, but the fact is that the information they hope to share is usually legally owned by the university. What’s more, in some cases of sensitive research conducted in concert with government cooperation, national security issues may even present themselves around the corresponding data. As a result, there will always be boundaries in how research data can be used and disseminated.

Nevertheless, the culture issue always seems to rear its head, putting security folks squarely in the middle between university administrators and the professors and researchers who deal with data day in and day out. No vendor could ever presume to claim that technology can solve such a tough issue in organizational politics. But the kind of tools that security staff members use and how they use them can make a difference between engendering ill will from users or flying under the radar until a security problem presents itself. Ultimately, security’s directive is to help researchers protect their research-no researcher wants his work to be compromised. But the work to do so requires balancing integrity, privacy and security with information-sharing activities necessary at a world-class research facility.

Take vulnerability scanning, for instance. In a higher-education environment, active scanning is essential for many parts of the organization, but for some it may be problematic. For example, often in the research environment there exists a large amount of cutting-edge, first-generation and home-grown code cobbled together. An active scan could serve to knock down these systems, and potentially ruin experiments in the process if the system is connected to any kind of instrumentation. But IT security teams could use passive scanning technology without as many repercussions to users. A passive scanner could watch for systems that should never interact with the Internet. That way, if there’s a centrifuge whose manufacturer shipped with Windows 98 and Internet Explorer 6 without ever providing updates, that system could run-but passive scanning could help IT ensure it never connects online.

Passive scanning could also be used to look for anomalies in traffic, such as unusual spikes in transmitted data. For example: If a well-respected university has a relationship with a government facility that has a department sending 200 MB of data out per week to that facility and it suddenly sends 2 TB of data to a different region, that could raise a red flag. It’s a level of due diligence that doesn’t require a heavy hand but which could give security staff a jump start in potential incident response or forensics.

Additionally, passive scanning could help identify so-called “shadow” IT infrastructure running on a sensitive network. The technology helps to instantly identify hosts connecting to the network without waiting for scheduled scans, making it useful for detecting end-user devices, virtual infrastructure and cloud applications.

Hostile Dorm Environment

In addition to all the intellectual property issues surrounding research and classroom networks, universities with on-campus dorms also contend with one of the most challenging networking environments on the planet: the student housing network. No matter the institution, the immutable fact is that young students will always operate within the most dangerous parts of the Internet. They’re often engaging in illegal downloads from P2P, they frequently visit malware-infected sites, and they tend to download questionable applications.

All of this is done on personally ownedsystems with little to no oversight from the IT department. And yet, these systems are accessing the sketchiest part of the Internet while connected to the institution’s network, which frequently also runs university-owned systems that are put at risk by lapses in student judgment. It’s a tricky proposition for security personnel to protect the school’s network under the circumstances, but protect it they must. They may also need to have enough visibility to block illegal activity on the network and deal with problems that crop up, such as Digital Millennium Copyright Act takedown notices.

Again, this is a situation where passive scanning can help tremendously. A passive scanner can help an infosec department keep tabs on the network to enforce policies, identify potential problems and provide enough information for security experts to blacklist malicious machines on the network.

Broad Compliance Demands

Due to the wide range of activities necessary to keep an active campus humming, higher-education institutions tend to fall under one of the broadest sets of compliance requirements of any industry. Payment card systems processing thousands of transactions per day put these institutions under the purview of Payment Card Industry Data Security Standard. Every school entrusted with medical records must contend with HIPAA requirements, even those without medical facilities but which offer self-funded or managed health plans. And those with hospitals, clinics or medical testing facilities face even more scrutiny under the regulation.

Meanwhile, partnerships with government agencies may require compliance with security frameworks such as the Federal Information Security and Management Act, as well as those developed by the National Institute of Standards and Technology and additional government regulations. Finally, affiliation with private-sector entities could also place additional third-party security demands on systems housing shared information.

One major security capability that’s cut universally across the vast majority of these regulations is visibility. Auditors checking for compliance want to see that organizations are monitoring activity and cross-checking that against regulations. A combination of active and passive scanning, integrated within a unified monitoring dashboard can ensure that a higher-education organization can easily scan against set policies based on a myriad of regulatory requirements. And these policies don’t just have to be set against regulations-they can also be tuned to security frameworks or internal policies set to reduce organizational risk.

Maintaining Visibility Across Segmentation

Segmentation is critical for any enterprise that handles a wide range of traffic and information, but it is doubly true for those in education. The previous three challenges we’ve laid out conspire to make it absolutely essential for any higher-education infosec departments to segment networks to set up different zones of defense and limit the scope of compliance requirements. Hostile dorm networks should be run entirely separately from networks that house Banner, PeopleSoft or other grading or administrative systems. And hospital networks and payment system networks must be partitioned off into their own zones so that institutions don’t break the bank trying to get a too-large section of the network in compliance with PCI or HIPAA.

At the same time, though, such rampant segmentation can pose visibility problems. After all, segmenting the network is essentially imposing silos on the network for the sake of security, and silos always cause management headaches. Unless done right, it can be difficult to scan and condense security reports across all of the different segments of the network. Educational organizations must seek out some sort of unifying platform to help in the process, lest security efforts grow overly burdensome and disjointed.

Lack of Resources

Perhaps the challenge that seems the most insurmountable for higher-education security staff is the issue of limited resources. Universities consistently must operate underfunded and understaffed while facing one of the most difficult security environments anywhere. As such, IT staff must constantly hunt for ways to improve security efficiency wherever they can.

While it may take work to set up on thefront end, automation of scanning, reporting and alerting are critical to getting the most out of security investments. Institutions can do more with less through routine discovery scans that look for machines never before seen on the network and dumping relevant data about them into an assets list. This can make it easier to spot problem systems earlier and to identify noncompliant configuration issues. In particular, organizations should work with tools that allow for a greater degree of customization to find the information that an administrator needs.

Higher-education institutions operate under a unique combination of security and compliance requirements. The independence of their user communities and breadth of their endeavors often make security implementation a tall order. But implement they must. Even beyond complying with PCI, HIPAA and other requirements, educational institutions must act proactively to secure their environments, because being compliant does not mean that you are secure. The moment something goes wrong is too late for putting security in place, and waiting until then can cause irreparable damage and significant unexpected costs.

Provided by Tenable. To learn more, visit www.tenable.com/secure-campus.

DOWNLOAD         
Related Articles in Uncategorized

Green Initiatives: Complement LEED Certified Buildings with these Eco-friendly Practices

The Industrial Revolution, which spans from the 1760s through the early 1900s, brought major technological changes to the planet. The shift from small-scale farming, handmade goods, and travel by horse and foot to mass food production, manufacturing, and locomotives greatly increased accessibility for products and ease of movement around the vast United States and across the globe. However, environmental pollution and disruptions of the landscape are continued nasty side effects. Coal burning factories, steam engines, and internal combustion cars produced dense smog in many early 20th century cities and continue to pollute today. Railways, dirt or cobblestone roads, and city construction have resulted in the loss of forests, prairies, and other natural landscapes. 

A Way Forward: Biophilic Design and Sustainable Flooring in Higher Education Facilities

The Youghiogheny River—or the Yough, as it is commonly called—extends its reach from the west side of the Allegheny Mountains in southwest rural Pennsylvania, down through the southwestern corner of Maryland, until it crosses the border into West Virginia, where its waters are absorbed by the tributaries of the Mississippi. At the northernmost point of the Yough, along a five-mile stretch of water and rocks and steep plateaus called Bear Run, Frank Lloyd Wright designed Fallingwater in 1935. He was hired by the Kaufmanns, a prominent Pittsburgh-based family that desired a remote vacationing spot in Pennsylvania. Upon the building’s completion in 1938, Wright would land the cover of Time, posing with his illustration of Fallingwater. Nearly seventy years later, Smithsonian would include Fallingwater among its “Life’s List Of 28 Places to Visit Before You Die.”

New Construction or Renovation: Which is Greener?

As the climate crisis accelerates, students are expressing their desires for a campus experience that embraces a culture of sustainability. Research shows that a college or university’s sustainability strategy can make a major difference in recruitment. The Princeton Review, for example, found that 74% of its 2022 survey respondents said that a college’s commitment to the environment would contribute to their decision about whether to apply to or attend the school. Higher education institutions are responding in kind.

Bates College The Thrill of the Chase (Hall, That Is)

Bates College’s Chase Hall is beloved, iconic, historic, but user-friendly? Well, probably not, thanks to unwelcoming entrances and a confounding interior layout that involved nine floor levels and multiple additions, all stitched together by a labyrinth of corridors and stairways. A plan is now in motion, however, to address these challenges. In May 2022, Bates closed Chase and began a substantial renovation involving as much as half of the building’s floor space, as well as a systems upgrade and plenty of cosmetic work. This will be the sixth addition or substantial renovation in the building’s 102-year history, according to the project announcement.

Six Ways to Future-Proof a College’s Security Investments

Keeping students and faculty safe on college campuses is a top priority for every education administrator. Investing in security solutions such as access control, video surveillance, and analytics can provide peace of mind and help protect the campus. However, these investments often require substantial costs. This article discusses six tips for ensuring that school security investments remain relevant in the future.

Energy Management for Private Universities

Energy management is a critical issue for private universities as they aim to maintain a balance between energy consumption, cost control, and environmental sustainability. With the increasing cost of energy, the need for effective energy management in these institutions is more pressing than ever. Private universities can benefit significantly from energy management practices by reducing energy consumption, reducing costs, and improving their overall sustainability profile. Implementing an energy management plan can help institutions identify areas of energy waste, reduce energy consumption, improve energy efficiency, and ensure compliance with environmental regulations.
MORE
March 2024 Issue Now Available
Subscribe for Free
Available in Print & Digital Editions