Building the Perfect Cybersecurity Program for Higher Education
Budget constraints are often the biggest hurdle to creating the perfect cybersecurity program in academia. However, if budget weren’t a factor, what could your college or university cybersecurity program look like? We put together this list of the components of an ideal cybersecurity program for higher education.
1. Vulnerability scanning and endpoint security
Vulnerability scanning should be done across all assets. We would suggest having two types of endpoint security: two different EDRs (endpoint detection and response tools) from separate manufacturers. This gives you two different detection algorithms processing your endpoints to identify threats and keep them clean. For higher education, we often recommend that colleges and universities have three different email filtering solutions when possible.
2. High-quality SIEM
We recommend having a SIEM (security information and event management) platform to ingest logs from everything on the network, so there are no gaps in logging and everything gets recorded. This would include all SaaS products and ERP systems. Reviewing, processing, and storing logs is paramount to maintaining visibility on a network. SIEM tools also allow you to retain logs for extended periods of time, whereas endpoints and firewalls only have limited log storage capacity. This is critical for compliance, reporting, and investigation purposes.
3. Network Access Control
We would have a NAC, which stands for network access control. The NAC would prevent an unauthorized user from taking an endpoint, plugging it into a network cable, and automatically gaining access to the network. In higher education, we see this gap often, and some universities don’t have a NAC in place to control this.
4. Institution-wide Role-Based Access Control
You should also be doing role-based access control across the entire institution. Role-based access control ensures that a user’s identity (the job they fulfill) only grants them access to the software and systems they need for that role, and restricts access to everything else. This is referred to in the cybersecurity industry as the “least privileged account” methodology. Least privilege is an extremely good methodology to implement if you can get buy-in across the team. Colleges and universities should only allow the privileges on accounts that are absolutely necessary, and should not over-privilege users.
5. Pen Tests and Red Team/Purple Team
At a minimum, you should be doing pen tests. However, if budget were not a limitation, we would also be doing red teaming. You should try to attack yourself on a regular basis. Purple teaming (combined offensive and defensive testing) is starting to gain popularity in larger organizations. Today it’s a necessity to attempt to hack your own systems to identify your vulnerable points.
6. Multi-Factor Authentication
Multi-factor authentication (MFA) would be implemented institution-wide on every aspect of the network and software systems. It’s a relatively easy thing to make sure you have a second factor of validation in place.
7. Data Loss Prevention
The next thing you should implement would be data loss prevention, or DLP. We want to ensure the people interacting with data are doing what we expect or intend them to do. DLP also helps us determine whether data is inappropriately leaving the institution. It helps ensure proper use and that PII (personally identifiable information) is not leaving through a compromised account.
8. Meet and Exceed Compliance Standards
We would also make sure we’re meeting and exceeding the necessary compliance guidelines for higher education. Compliance requirements like GLBA, Title IV, or NIST are necessary for passing mandatory audits and receiving federal funding. Having an understanding of the MITRE ATT&CK framework across the organization helps us not just meet the standards but actually exceed them. Beyond compliance itself, these standards help protect the organization from inevitable attacks.
9. An Outsourced Security Operations Center
There should be an emphasis on an outside Security Operations Center, or SOC. There is a point at which an internal SOC team hits its maximum effectiveness or rate of return. In the higher education space we usually see that at a level of effectiveness around 30 to 40 percent. Employees inside the organization often get pulled in multiple directions, drawing their much-needed focus and attention away from security. Hiring the right outside SOC allows your organization to obtain a dedicated team 100% focused on your cybersecurity needs.