Back to school: Lessons in endpoint security
It’s back to school season, and students, teachers and administrators are returning to campuses and classrooms. All of those students and staffers are working on desktops and laptops that are attached to the school’s network, and those endpoints are prime targets for cybercriminals.
Consider that earlier this year, the U.S. government charged nine Iranian hackers with stealing 31 terabytes of information worth more than $3 billion from over 300 American and foreign universities. The hackers used spear-phishing attacks to hack 8,000 accounts, including 3,768 at U.S. schools.
Fortunately, there are some simple but effective steps you can share with your school’s employees and students to help them be more secure.
First, emphasize the importance of password strength, since weak passwords remain a primary threat vector. It’s a best practice to use passwords of eight or more characters that combine upper- and lower-case letters, numbers and symbols, and to enforce two-factor authentication wherever possible (ideally not via SMS). Just as importantly, do not recycle one password across multiple websites or applications. It’s a pain to remember and store a collection of complex passwords, and fortunately you don’t have to. Instead, use a reputable password vault application.
Keep software up-to-date
Next, make sure that all staff and students update the operating systems on their desktops/laptops and smartphones to the latest versions. Do the same for local applications like Microsoft Office, web browsers, etc.
Even though we’re increasingly uploading files to cloud-based storage platforms, we still create and store the majority of those files, including intellectual property and personally identifiable information (PII), on our endpoint devices. If you are not patched, you leave your doors wide open for attackers to walk right in. A robust patch management process is the foundation of strong security.
Finally, make it clear that the safest Wi-Fi connection on campus and in school buildings is the school’s password-protected network, and that they should avoid connecting to any hotspot with an innocent-sounding name like “FREE WIFI”.
Defense in depth
Now that you’ve educated employees and students on how to protect themselves, turn your attention to strengthening your school’s security posture by focusing on the need for a defense in depth approach.
No security solution can offer 100% protection from the practically infinite number of attacks bombarding your network. That does not mean you have to rip and replace your existing security solutions. However, pay attention to the security models those products are based upon. It is critical to understand why what I call the “enumeration of badness” approach is no longer effective.
You need to strike a balance between the traditional Negative Security approach and Positive Security. Instead of only worrying about the “badness”, you should also direct your attention to the good – all legitimate OS behavior. There are just a handful of operating systems out there, and they change infrequently, especially in how they interact with the file system and the network.
That’s the approach that Muli Tzafrir, Head of Computing & Information Systems Division at Haifa University in Israel decided to take after realizing that attacks like WannaCry and the Spectre and Meltdown vulnerabilities prove that the amount of “badness” is practically infinite, and that it’s unrealistic to detect all future “badness” based on the past.
“As the person in charge of thousands of systems and developers, I can estimate where new attacks will come from and how they’ll look, but that’s yesterday’s challenge”, said Tzafrir. “The challenge of today and tomorrow is the greatest of all: how to protect an organization from a completely new attack prior to having explicit knowledge about it.”
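To make the Negative Security versus Positive Security contrast concrete, here is an added Python example that is not part of the original article and not code from Haifa University. It runs a blocklist check (enumerating known badness) and an allowlist check (enumerating legitimate process behaviour) over a handful of constructed endpoint events, then combines the two the way the article recommends. The event shape, the process names, the paths and the allowlist entries are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (a constructed shape, not a real product's format)."""
    process: str   # image name of the acting process
    action: str    # "file_write", "net_connect" or "exec"
    target: str    # file path, host:port, or child image name


# Constructed sample events; none of this is real telemetry.
EVENTS = [
    Event("winword.exe", "file_write", "C:\\Users\\alice\\Documents\\essay.docx"),
    Event("chrome.exe", "net_connect", "lms.example.edu:443"),
    Event("svchost.exe", "net_connect", "update.example.net:443"),
    # A process whose name is already on the signature list.
    Event("known_bad.exe", "file_write", "C:\\Users\\alice\\Documents\\essay.docx"),
    # A never-before-seen process touching the same documents: no signature exists yet.
    Event("never_seen.exe", "file_write", "C:\\Users\\alice\\Documents\\essay.docx"),
    # A legitimate process doing something outside its normal behaviour.
    Event("winword.exe", "exec", "powershell.exe"),
]

# Negative security: enumerate the badness we already know about (assumed names).
BLOCKLIST = {"known_bad.exe"}

# Positive security: enumerate legitimate behaviour as (process, action, target glob).
ALLOWLIST = [
    ("winword.exe", "file_write", "C:\\Users\\*\\Documents\\*"),
    ("chrome.exe", "net_connect", "*:443"),
    ("svchost.exe", "net_connect", "*:443"),
]


def negative_security(events, blocklist):
    """Flag only events whose process matches a known-bad signature."""
    return [e for e in events if e.process in blocklist]


def is_allowed(event, allowlist):
    """True when some allowlist entry describes this exact process/action/target."""
    return any(
        event.process == proc and event.action == act and fnmatchcase(event.target, pattern)
        for proc, act, pattern in allowlist
    )


def positive_security(events, allowlist):
    """Flag every event that is not explicitly allowed (deny by default)."""
    return [e for e in events if not is_allowed(e, allowlist)]


def balanced_verdicts(events, blocklist, allowlist):
    """Combine both models: known-bad is blocked outright, behaviour outside the
    known-good set is held for review, and allowlisted behaviour passes."""
    verdicts = []
    for e in events:
        if e.process in blocklist:
            verdicts.append((e, "block: known bad"))
        elif not is_allowed(e, allowlist):
            verdicts.append((e, "review: outside known-good behaviour"))
        else:
            verdicts.append((e, "allow"))
    return verdicts


if __name__ == "__main__":
    print("Negative security flags:")
    for e in negative_security(EVENTS, BLOCKLIST):
        print("  ", e)
    print("Positive security flags:")
    for e in positive_security(EVENTS, ALLOWLIST):
        print("  ", e)
    print("Balanced verdicts:")
    for e, verdict in balanced_verdicts(EVENTS, BLOCKLIST, ALLOWLIST):
        print(f"  {verdict:40s} {e.process} {e.action} {e.target}")
```

Run as a script, the blocklist catches only the one process it has a signature for, while the allowlist also surfaces the never-seen process and Word spawning a shell, neither of which any signature could have anticipated. The combined verdicts show why the article talks about balance: the blocklist gives a cheap, high-confidence block for known badness, and the allowlist gives deny-by-default coverage for everything else at the cost of maintaining a description of what legitimate behaviour looks like.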