This paper examines the state of several education clients before OccamSec (OSec) engaged with them, the steps taken together after work began, and how the organizations have progressed and transformed into their present states.
How were the environments?
All the environments had a different risk profile than a typical corporate network. They were far more open, allowing faculty, teachers, and students to spin up systems and deploy software in an ad hoc way.
Primary concerns of the organizations included:
• Student safety
• Protection of PII/PHI
• Securing research data related to third-party support projects.
All of this had to be done with various budgets, ranging from well-funded programs to those that had few resources and little management support.
The initial step OSec took when beginning work with our higher education clients was to conduct an assessment of the existing infrastructure and information security (InfoSec) support program. In several cases the in-house InfoSec team was supporting campuses spread across several locations; in others the focus was a single large campus.
Several clients were in the process of developing multi-year strategies (in some cases we were called in to perform assessments to feed into this). In all cases various goals were set, with the overall focus being to support an expanding use of technology in a safe and secure manner.
Across all clients various opportunities for improvement were identified, with a few being consistent across the majority:
• The need to provide up-to-date training to InfoSec team members.
• Maximizing the use of current technology investments. Everyone had tools, but in many cases, they were not being utilized to their full potential.
• Improving the operational efficiency of the InfoSec groups; this included metrics and reporting, group visibility into the organization, and the integration of InfoSec processes.
• Addressing the perception of the InfoSec group as either extra overhead to be avoided, or at loggerheads with the organization’s goals.
• Remediating large numbers of security vulnerabilities and addressing the gaps in the processes that were meant to be dealing with them.
• Dealing with the adoption of new technologies, such as “the cloud”.
Other areas needing improvement included monitoring, vendor management, and information classification. OSec took the results of our initial assessment, worked with the client's InfoSec team, and developed a plan of action for the organization, prioritizing the high-risk, high-reward action items first. In some cases, work has been delivered through ongoing projects; in others, point tasks have been undertaken which are then followed up on by the organization.
What are they like now?
After establishing short-term and long-term goals and objectives, our team got to work implementing policies and changes needed to improve the overall security posture of the organizations. This included several key deliverables that OSec supported:
• The Information Security Offices were formalized and agreed to a data governance plan which is now in place. In some cases governance is not owned by the ISO; however, having this plan helps the ISO ensure its organization is classifying data properly so that the data can be properly protected.
• Some organizations worked with a managed security service provider (MSSP) for security monitoring. In others, existing systems were augmented to collect data and identify possible issues. An MSSP was a good choice for organizations where budget allowed, since building a dedicated monitoring team in-house usually comes with a high cost.
• Vulnerability scanning tools are being used to identify a range of security issues. While these tools typically identify low-hanging fruit, this is still invaluable, as the majority of potential attacks will likely utilize those same weaknesses. Regular testing also aids with compliance efforts.
• In all cases the ISO teams worked on increasing their presence throughout the organizations in a positive way. Through collaboration with faculty, teachers, and administrative staff, security has moved from being a roadblock to programs to something that provides a real benefit.
How did we get there?
The OSec team leveraged our array of expertise across multiple security domains and has always been able to answer the call from our clients, delivering solutions and recommendations for any problems that occur. In addition to what is outlined above, project management and project oversight have been integral to the success and health of the programs. Being able to organize, gather, translate, and communicate the statuses and needs of the InfoSec managers to our personnel, and then collaborate with the client's staff to set proper timeline expectations, has helped create a steady workflow that makes us fully integrated with our client. Multiple exercises that we have completed have helped the clients reach the security posture they have today, starting with various penetration testing and red teaming projects in which we identified critical vulnerabilities and risks within the environment, prioritized those findings for remediation, and then validated each finding once fixed. In addition to these internal and external assessments, we also conducted:
• Printer / Scanner Assessments
• WiFi Assessments
• Phishing Campaigns
• iOS / Android Mobile Application Pen Tests
• Application Code Reviews
• Vendor Management Program Optimization
• Vendor Risk / Security Assessments
• Hardening Guideline Automation
• Security Metrics
• Forensic Investigations
• Ransomware Investigations
• Architecture Audits
• Threat Hunts
• Incident Response Planning / Tabletop Exercises
• Risk and Compliance
• InfoSec Policy Creation and Maintenance
With the services above available to the clients as needed, and without the usual delay of finding vendors, requesting bids, and onboarding new contractors, the organization is able to quickly execute new projects and initiatives using its existing relationship with OSec as a vendor and the institutional knowledge our team members have.
What have been the benefits?
The biggest benefit has been the implementation and growth of cost-effective information security programs. In each case these programs have been aligned to the objectives of the organizations in their education programs. This was most recently demonstrated with the large shifts to online learning and work during the Covid-19 pandemic – none of the organizations we work with faced any major difficulties doing this.
Some other specific areas to highlight include:
1) Expertise: OSec has reduced the technical security risk at the institution through implementation of the recommended remediations and controls as discussed above. Additionally, OSec has provided subject matter experts to serve as augmented staff. This has allowed our clients to execute multiple projects and testing initiatives, and to align with best practices and recommendations as they relate to security.
2) Independence: In addition to the OSec SMEs assigned to the client, our entire team is on hand to provide independent, third-party support and recommendations related to IT decisions. Often, we see our clients getting bogged down in the daily minutiae or office politics instead of focusing on strategies, behaviors, and optimization. Our recommendations continue to be based on evidence, best practices, and risk reduction, and aim to keep our client navigating towards relevant security objectives and goals.
3) Relationships: Through building relationships of trust and respect, both for our technical expertise and for how we conduct business, we have also been relied upon for several sensitive forensic investigations that were critical not only to the business but also to the students and stakeholders of the schools. Our ability to integrate with security, technology, education, and administrative teams has shown that we deliver the same or better results as bigger shops, and that we are able to do so more quickly and for less money. We saw this firsthand when a contract required another third-party vendor to conduct the same investigation we had completed. It took that vendor 3 months to produce the same results that OSec did in 1 month (and at a fraction of the cost).
4) Efficiency: While the work and opportunities for improvement are ever present as technologies and landscapes change, the OSec SMEs and project management model have improved efficiency and resource optimization over the duration of the program. By automating and optimizing many aspects of projects and programs, we have helped save our clients time and budget dollars that could be repurposed to other important projects and priorities. This is most clearly illustrated by the fact that in all cases but one, the security budget has barely increased over several years, despite an increasing use of technology. Working within this constraint, all the programs we are involved with have continued to improve and keep the organizations, their people, and their data safe.
Lessons Learned for the Education Sector
The business model of education always trumps security at the end of the day. Risk is often overlooked or accepted when business decision makers perceive a product, application, or service to provide better value for the organization’s students, professors, or other stakeholders.
As a result, we have seen organizations execute processes in reverse: contracts are signed before security reviews are completed. Regardless of the results of the security review, the vendor and/or product is incorporated into the environment and delivered to the end users in the organization. Because of this, OSec remains agile and quick in developing methods to mitigate risk that can be implemented on the back end, with minimal impact to the organization or end user.
Exceptions in security are often made as a trade-off for functionality. Furthermore, trendy functionality or features within applications are often weighted more heavily in importance than security, leaving organizations with superfluous applications running on their network and increasing their risk profile.
The reliance on cloud services and systems presents a unique challenge, as many educational institutions don't have properly staffed or budgeted security teams. Even with full staffing, the speed at which developments in the cloud industry come about often leaves experienced InfoSec professionals lacking important knowledge of the most recent technologies.
This means that security teams may be missing risks or vulnerabilities and may lack proper ownership of processes or procedures, leaving the institution vulnerable and, ultimately, student, faculty, banking, or research data exposed. This presents unique reputational, developmental, and financial risk to these organizations.
Institutions should strive to have an organizational structure where the CISO has oversight and accountability for IT and Information Security as opposed to a structure in which the CISO has parallel authority with other IT managers who all report to an IT Director (or equivalent).
Much like every other sector we work in, there is always more to be done. The impacts of cloud computing and the applications that are required to support cloud infrastructure present a challenge for large education institutions, but they also present an opportunity for organizations to reorganize, restructure, and redeploy their systems and networks in a coordinated and planned manner.
The use of technology for education is only going to increase and recent events have only accelerated this. Working with a trusted partner provides organizations with several benefits that translate into long term cost savings, a manageable risk program, and ultimately allows them to focus on teaching, not worrying about technology.