Open campus, security nightmare

It sounds like a security oxymoron: Protect educational institutions that are meant to be, as Fitchburg State University information security officer (ISO) Sherry Horeanopoulos put it, "wide-open and unguarded."


But Horeanopoulos and several of her colleagues on a panel at the SANS Security Leadership Summit Wednesday in Boston agreed that it is possible.

"We work in an environment that is designed to be wide open and unguarded," she said. "Professors and students need access to resources that span the globe. So how do you take a top-down approach in a bottom-up environment? Everything can't be completely protected, but we provide an open, flexible place to work in technology by working to keep things reasonably safe and not being dictators."

The panel discussion, titled "CISO 101: Lessons Learned from Higher Education," was moderated by Larry Wilson, CISO at UMass, and also included David Escalante, director of computer policy and security at Boston College; and David Sherry, CISO at Brown University.

Another major challenge, they said, is that a university campus is like a small city, and the security team has to deal with everything in that city. "We provide housing in residence halls, entertainment and sporting events, food. We're associated with hospitals, so we're involved in health care. We make loans, so we're defined as a bank. You can't win," said Escalante.

And then there are the multiple constituencies, Sherry said, which include "faculty, staff, students, donors, boosters, athletic support groups, applicants, parents and alumni. It's very wide."

Given that environment, the panelists said they have to set priorities and focus on a limited number of things.

Escalante said one of the things he does is firewall off the data center from the campus network.
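What that segmentation looks like in practice, as an added illustration rather than anything Boston College described: a default-deny nftables ruleset on the router that sits between the campus and data-center networks. Only the services students and staff actually need cross the boundary, administration is confined to a bastion host, and connections initiated from the data-center side toward campus are dropped, which limits what a compromised server can reach. The subnets, addresses and permitted ports below are assumptions for illustration, not values from the panel.

```nftables
#!/usr/sbin/nft -f
# Added example, not the panel's own configuration. Segments a data-center
# network from an open campus network on a Linux firewall running nftables.
# All subnets, hosts and ports are assumed for illustration; substitute real ones.

flush ruleset

define CAMPUS_NET = 10.0.0.0/8                      # assumed: dorms, labs, wifi
define DC_NET     = 172.16.0.0/20                   # assumed: data-center segment
define ADMIN_JUMP = 172.16.1.10                     # assumed: bastion used by IT staff
define DC_WEB     = { 172.16.2.10, 172.16.2.11 }    # assumed: student-facing web front ends
define DC_DNS     = 172.16.1.53                     # assumed: resolver students may query

table inet dc_segmentation {
    chain forward {
        # Traffic crossing the boundary is dropped unless a rule below accepts it
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted; malformed state is dropped outright
        ct state established,related accept
        ct state invalid drop

        # Campus -> data center: only the services the campus population needs
        ip saddr $CAMPUS_NET ip daddr $DC_WEB tcp dport { 80, 443 } accept
        ip saddr $CAMPUS_NET ip daddr $DC_DNS udp dport 53 accept

        # Administrative access only from the bastion, never from arbitrary campus hosts
        ip saddr $ADMIN_JUMP ip daddr $DC_NET tcp dport 22 accept

        # Data center -> campus: no DC-initiated connections are allowed; they fall
        # through to the drop policy. Rate-limited logging gives the monitoring
        # side something to alert on without flooding syslog.
        limit rate 10/second counter log prefix "dc-seg drop: "
    }
}
```

Load it with `nft -f` on the firewall and confirm with `nft list ruleset`; the `counter` on the final rule shows how much campus traffic is hitting the data-center boundary and being refused, which is a useful first check that the allow list is neither too tight nor too loose.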

But there was general agreement that the goal in dealing with those on campus, students especially, is to enable what they need. "We try never to deny them a service," Horeanopoulos said.

Sherry agreed. "The key goal is never to say no. We don't want to turn them down, just enable them to do it securely," he said. "So I like to call it a persuasion program. We try to convince them to do the right thing."

And that, he said, takes personalizing the security message. "If we put something on at lunch about how to protect their home network, people come because it's about them," he said. "If you make them secure at home, they will be secure at work."

Escalante said the same is true in the dorms. "Don't tell them about something in the New York Times," he said. "Tell them about something bad that happened to a guy down the hall."

It is a constant battle, however, Horeanopoulos said. "You can't keep up with every threat. We have perimeter guards that let us know what's going on, but even that you can't sift through all day long. So you try to automate what you can."

And, of course, not every student's intentions are good. Wilson told of a student who was able to change his own grades, while another hacked into an Oracle database. "We learned from our own mistakes," he said. "There are no more students working in sensitive areas."

Another challenge is cutting through the fog of pitches from vendors. Wilson, who had a background in finance before joining academia, said his approach is to "pick and choose" from security frameworks what works in an academic environment.

He said at UMass he uses, "ISO for process and management, and SANS for technology. We focus on protecting our assets more than the threat du jour."

And how do they recruit and train people? Sherry said it is difficult to find good people, but he looks at "graduating seniors in computer science or entrepreneurial fields. This really is a cool place to work. It's stressful, but there's a lot going on."

Escalante agreed. "We need people who know how to code," he said. "If you need coding, check out the university, and think about hiring a summer intern. It's a low investment, and maybe they'll work out."

Stories by Taylor Armerding