Why colleges should start expecting the unexpected
At the Internet of Things Village of the DEF CON security conference in 2016, hacking contests revealed nearly 50 vulnerabilities in 23 devices from 21 manufacturers.
Security flaws were exposed in smart door locks, padlocks, thermostats, refrigerators, wheelchairs and even solar panel arrays—all items that can be found connected to an institution’s computer network.
Improperly protected printers and camera systems tend to be main targets for higher ed cyberattacks, as those devices are often set up with easily hackable factory default passwords. However, other lesser-known risks continue to be a concern.
“It’s that nontraditional stuff connected to networks that most of us are not used to thinking about,” says Michael Corn, chief information security officer at the University of California, San Diego. “No one shows up and registers their insulin pump on the network.”
Having so many connected devices makes it challenging for campus IT personnel to know when one is being attacked or exploited, adds Corn, who is also co-chair of Educause’s Higher Education Information Security Council. Knowing what devices and other vulnerabilities pose security threats, and how to protect against them, is an ongoing effort.
“The first time we have an attack based on the Internet of Things,” Corn says, “it’ll probably be a part of campus that we weren’t even aware was on the network.”
Although most campus IT departments continually scan for network vulnerabilities, some larger institutions may have as many as 200,000 IP addresses active at one time—creating thousands of opportunities for hackers to gain access through unprotected devices.
“One time we were trying to diagnose an attack and the answer was a projector,” says Curt Carver, vice president and CIO at The University of Alabama at Birmingham. “It was actually running on an older version of Linux that had not been updated, and the projector would not work if you updated it, so no one had done it.”
In that vein, Carver warns IT staff to be on the watch for “zombie” machines, such as small web servers, that typically have been running for years and forgotten. Any environmental system, such as for heating or lighting, that has internet access is also a security target.
“You can imagine a stadium during a large event, and having the lighting or sound system come under attack,” Carver says. “That sounds very juvenile—‘Okay, so they’re going to make the lights go down at a stadium’—but if it’s a night game, and suddenly the lights disappear, you can have an issue if people start panicking.”
Security officers also need to be aware of devices in residence halls, where there are often unsecured game consoles and digital assistants such as Amazon’s Alexa, says Wyman Miles, chief information security officer at Cornell University in New York.
In academic and research settings, risk can also come from a scientific instrument—a mass spectrometer with an old Windows NT machine inside, for example—that is no longer receiving software updates or was manufactured by a now-defunct company.
“Replacing such a piece of equipment can be a huge expense,” says Miles. “We have to help departments figure out how to secure the instrument while still continuing to reap value from it.”
Performing regular penetration tests, also known as simulated attacks, can help institutions find vulnerabilities. Once detected, security updates and patches can be applied, or at-risk devices can be removed from a network or replaced.
Often, institutional networks have been created over years in a “Frankenstein” manner. In the process, universities build “technical debt” by implementing quick answers at the expense of more involved yet ultimately more effective solutions. The result is an ever-increasing number of access points.
“What I’ve seen in some production services is that the code was written in the 1980s, was modified in the 90s to provide a web interface, and then remote controls and other things were added to create business value, but the underlying code hasn’t been revisited,” says Carver. “You’ve had lipstick applied to the pig, but the pig is still there.”
Uncovering and updating legacy code and software is a daunting challenge for many short-handed IT teams. In addition to performing penetration tests and reviewing as much code as possible, IT administrators should also ensure that IoT vendors are applying regular security updates to the internal code of devices.
Increasing campuswide awareness of potential vulnerabilities is essential to improving cybersecurity, says Carver. For example, facilities personnel need to recognize that any off-the-shelf environmental system has a security footprint, and they should be in the habit of checking with IT security colleagues for proper setup.
Business office administrators should ask themselves if there are potentially vulnerable devices on campus that need to be brought to the attention of IT for help in securing.
To reduce risk, many institutions have moved IoT devices onto local area networks that are separate from academic, administrative and research traffic.
Developing a two-pronged approach
Funding commercial solutions and fully allocating staff to exclusively monitor network vulnerabilities may not be possible for some institutions. When it comes to approaching cybersecurity, campus IT teams should be both proactive and reactive in regard to unexpected attacks.
Proactive efforts will involve engineering a dynamic infrastructure that protects the campus network against—and systematically addresses—vulnerabilities, threats and risks, explains Carver. For example, a computer emergency response team should meet regularly to determine procedure—before an event happens.
Institutions should reach out to and establish relationships with local and federal law enforcement to determine procedures, also before anything happens. “There’s the old quip, ‘If the first time you’re meeting the FBI is in the middle of an incident, you’re eight months too late,’” says Carver.
In terms of being reactive, institutions need to allow for enough staff capacity to deal with the number of security incidents that occur on a regular basis. When it comes to assessing IoT risk, institutions need to first consider which technologies should be connected to their networks, and how.
“Determining where information resides within higher education institutions can be an extremely difficult task,” says Charly Shugg, partner and chief operating officer at Sylint, an international cybersecurity firm.
Once information and devices are segregated onto separate networks, Shugg suggests controlling user access and instituting processes such as multifactor authentication to improve security. Liberal access can lead to the unauthorized release of sensitive information.
Cybersecurity needs to be dynamic and focused to keep up with evolving threats, says Shugg. He advises properly protecting new information while retiring or destroying old information to reduce the potential risk.
New and unexpected IT security threats continue to surface. The recent discovery of the Spectre and Meltdown security flaws, which affect nearly every computer chip made in the past 20 years, demonstrates that no device, processor or network is absolutely safe.
“If you want to talk about a surprise vulnerability, that’s it,” says Miles. “It makes you wonder, what else haven’t we learned? Or, worse, what else do the bad guys know that the good guys don’t?”
Ray Bendici is deputy editor of UB.