Learn by Doing: Improving Today’s Security in Education to Train Tomorrow’s Infosec Pros

Today, digital threats are more numerous and are evolving at a faster rate than ever before. Organizations can protect themselves with the help of trained information security personnel. But these professionals are increasingly hard to come by. For instance, Cybersecurity Ventures found that there will be an estimated 3.5 million unfilled digital security jobs worldwide by 2021. Similarly, CyberEdge observed that 80 percent of organizations can’t find qualified staff to fill information security positions. A smaller number of trained applicants and a growing number of open security positions spell trouble for organizations’ defensive strategies.

One possible solution is for educational institutions to expand their digital security curriculum. The rationale is that a greater number of young people and college students will pursue information security as a career if they have a chance to explore the field. That sounds like a good idea. But do acting security professionals think education can help?

In Support of Digital Security Education … of Some Kind

To find out, Lastline interviewed 235 security personnel in attendance at Black Hat USA 2018 in Las Vegas, Nevada. Their responses revealed that security professionals overwhelmingly support greater education in the field. A majority of those surveyed (85.5 percent) said they believe that U.S. schools should offer more formal information security classes.

But when asked what institution should take responsibility for educating today’s youth about digital security, those surveyed offered a wider range of opinions. K-12 teachers received the greatest amount of support at 30.3 percent of respondents. Parents and higher education organizations followed close behind at 28.1 percent and 21.6 percent, respectively, with friends as the source of cybersecurity education coming in at 7.4 percent.

Even so, those in attendance at Black Hat USA 2018 clarified that online education programs—even in information security—aren’t without some unintended consequences. Close to half (46.6 percent) of digital security professionals said that a higher rate of students online poses a threat to education systems. Without proper safeguards, digital attackers can exploit web vulnerabilities in schools’ online education portals to steal students’ and staff members’ sensitive information.

Education Organizations Under Attack

These security professionals’ concerns aren’t unfounded. Even as they work to instruct the next generation of infosec experts, education organizations are under attack from bad actors. Verizon Enterprise’s 2018 Data Breach Investigations Report (DBIR) illustrated that this is so.

Over the course of the reporting period, Verizon received reports of 292 security incidents affecting the education sector. Close to half of those events resulted in confirmed data disclosure. In terms of dominant breach patterns, “everything else” was the most prevalent at 36 percent, as many events didn’t provide Verizon’s researchers with enough detail to properly categorize them. This was followed by social attacks. Of these, W-2 scams were the most persistent social threat at 22 instances throughout the reporting period. Overall, external threat actors were responsible for 81 percent of security incidents in education, with financial motives leading bad actors to compromise personal information more than secrets and medical data.

Online criminals didn’t limit their social attacks to just W-2 scams. They also leveraged email to conduct phishing campaigns against education organizations. Here are four notable phishing attacks that all occurred in August 2018:

  • University of Missouri: Bad actors sent out a phishing scam in which they posed as members of the Democratic Party seeking interns. Attack emails arrived in the inboxes of most faculty, staff and students at the Columbia campus of the University of Missouri.
  • University of Oregon: Digital attackers crafted a phishing email that appeared as a message sent by other University of Oregon students. The attack email told recipients that they couldn’t display a message unless they clicked on an image. The purpose of the campaign was to compromise other University of Oregon accounts.
  • Rollins College: Malefactors sent out emails disguised as official correspondence from banks like Wells Fargo, Bank of America and Chase Bank. The messages were all crafted to collect Rollins College persons’ Outlook login information. Some of the links included in the messages also attempted to download malware.
  • University of Arkansas: Criminals sent out a phishing scam instructing email account holders at the University of Arkansas to open documents related to a salary increase.

Unfortunately, education organizations are ill-prepared to confront attacks like the phishing campaigns identified above. In its 2018 Global DNS Threat Report, EfficientIP labeled education as one of the worst business sectors in terms of its ability to address digital threats. It did so after finding that nearly three-quarters (73 percent) of participants took three days or more to apply a fix after receiving notification of an attack. EfficientIP also determined that education institutions like universities often simply shut down services when they suffer a distributed denial-of-service (DDoS) attack in order to protect the network.

Dennis Borin, senior solutions architect at EfficientIP, said this response in part reflects the diversity of computing products hosted on campus networks.

“University campuses are hosting everything from laptops to smartphones and an array of web-enabled devices, which make it a challenge for the university’s IT department to assume those devices are secure. In the case of a network attack, multiple devices will make it difficult to respond instantly and with the right countermeasures,” said Borin, as quoted in a press release. “Being able to quickly recognize and investigate the threat, plus tying all the access controls to a centralized authority management system, is critical to a campus network.”

How Education Organizations Can Defend Against Digital Attacks

Universities must contend with a host of digital threats. Fortunately, their research nature puts them in a prime position to bolster their defenses and block online criminals. Universities have access to a rich pool of talent: their students. As part of improving their own security, they can apply a popular educational motto, Learn by Doing, by involving students in the process of defining the challenge, researching options, and implementing solutions.

But it needs to start earlier – in US high schools, as supported by the survey conducted at Black Hat summarized earlier. These schools have a tremendous opportunity to expose teens to the security field, educate students about personal security best practices, and start interested students on a path towards a career in cybersecurity.

Back to universities. Verizon’s 2018 DBIR reported that security best practices that universities could consider include conducting regular security awareness training with their staff, updating software on a regular basis, and reviewing their denial-of-service (DoS) protection provider agreements. Andy Norton, director of threat intelligence at Lastline, recommends that organizations also take steps to protect users’ login credentials:

“A breach of usernames and passwords would expose further personal details if someone logged into the internal systems using them. In addition to making sure passwords and other login credentials are changed immediately, students, faculty and staff members should consider implementing two-factor authentication to improve resilience.”

Second, schools can consider adding services to strengthen their security. EfficientIP explains that they can do this by partnering with threat intelligence and domain reputation services to obtain global traffic analytics. They can also use a network security solution to help detect unusual activity.

In summary, educational institutions are perfectly placed to encourage and train the next generation of cybersecurity professionals, helping to fill a widening skills gap. Here at Northeastern, we’re doing our part with an innovative BSc curriculum as well as MSc and Ph.D. programs. We have educational degrees in Cyber Operations and Cybersecurity that aim to prepare students for the cyber-battlefield and cyber-challenges of the future.

However, to do so, institutions first need to get their own house in order, improving their own security against the steady stream of attacks targeting education. And these two elements can work well together, involving students in the process of improving cybersecurity.

Lastline Network Security for Education

Lastline offers two such solutions. The first, Lastline Network Defender, uses AI to provide the highest-fidelity alerts possible of suspicious network activity. The second, Lastline Email Defender, blocks advanced threats that make their way to employees’ and students’ email inboxes.

Learn more about how these and other Lastline products can defend your network.

Engin Kirda


In addition to being co-founder and Chief Architect at Lastline, Dr. Engin Kirda is a Professor of Computer and Information Science at Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute. Before Northeastern, Dr. Kirda held faculty positions at Institute Eurecom in the French Riviera and the Technical University of Vienna where he co-founded the Secure Systems Lab that is now distributed over five institutions in Europe and US. Engin has authored or co-authored more than 110 peer-reviewed scholarly publications and served on program committees of numerous well-known international conferences and workshops.