Page 8 - Campus Security & Life Safety, March/April 2020
P. 8
Once developed, a cybersecurity strategy will help ensure that devices and systems provide strong protection by providing specific guidance on the three key network protection factors outlined below.
Password Management
Creating strong passwords seems like a fairly simple action to take, yet it’s all too often overlooked in favor of more complex technologies and practices for protecting devices and systems. However, simply creating a strong, unique password is not only an excellent first step in building strong cybersecurity, but it’s also the easiest way to pre- vent unauthorized access to systems.
There are a number of best practices for creating passwords that will decrease the likelihood of unauthorized access. To ensure the most robust protection, passwords should have no fewer than eight characters, which should be a mix of upper and lowercase letters, numbers and symbols and should not include words that can be found in a dictionary. Passphrases, such as a made-up sentence, can help users remember increasingly complex passwords.
At the same time, even the most robust, difficult-to-crack pass- word is only good for a short period of time. Passwords must be changed on a regular basis, especially when several people have access to a particular system. It is human nature to share passwords with others. While it may seem innocuous, this practice can actually have negative consequences for cybersecurity. In an educational set- ting, students come and go every year, making it even more vital that passwords are changed regularly.
This fact leads into a second best practice for password manage- ment: controlling who is given passwords in the first place. For exam- ple, a password that provides admin level access should only be given to a very small group of people, who can then create and issue tem- porary accounts to those who may need to access a system for a spec- ified period of time. When a project is completed or when that time frame has elapsed, those accounts can easily be deleted to prevent ongoing access.
Updating and Patching
Like password management, keeping device firmware and software up-to-date is another simple but often overlooked step in ensuring strong cybersecurity. Updates provide patches against cybersecurity vulnerabilities that may exist, as well as fixes for any bugs that may be present in the software. By updating regularly, institutions will ben- efit from more secure, more reliable and more efficient systems.
Another aspect of patching and updating that is often overlooked is the need to apply updates across all devices across the network, including workstations, IP cameras, switches, servers, routers and others. All of these devices must be regularly updated, but the good news is that it’s not always necessary to perform the task the moment a manufacturer or provider issues a new update. The update may not yet be aligned with devices and systems from other sources that are integrated together into the network ecosystem. In these situations, updating one device or system may cause problems with others, so it’s better to create an updating and patching schedule that your institu- tion can adhere to.
It is highly beneficial to have non-production test systems or labs for testing for patches before deploying them on production systems to reduce the risk of any incompatibilities. Testing and patching isn’t one-size-fits-all, as each system is unique, but by evaluating the risks the patches, IT administrators can make better decisions on what to prioritize for patching and updating endpoints. This might be month- ly, quarterly or twice a year depending on the number and size of systems, as well as the time and resources available to dedicate to this vital task.
A main stumbling block to effective updating and patching can be confusion over who bears the responsibility for performing these functions. Without clearly defined roles, these vital tasks can easily fall through the cracks. This underscores the importance of a cyber-
security strategy that clearly spells out who owns these tasks, which may fall to a specific individual, department or contractor.
Network Segmentation
All devices connected to a network represent potential back doors that hackers could exploit to gain access to a network and the various systems it’s connected to. Therefore, as evidenced by the number of high-profile breaches that seem to be occurring with alarming regu- larity, cybersecurity is a top priority for everyone.
One of the greatest concerns with networked devices is that they could be used as a platform to breach other parts of a system, which could then be used to gather data or take down or hijack a system. In theory, any networked device can be used to attack another network device, and all devices and systems offer the potential to be vulnera- ble, meaning cybersecurity is only as strong as the weakest device connected to a network. Therefore, it is essential that all networked devices provide the level of security necessary to protect the overall system from the potentially catastrophic effects of a breach.
Unfortunately, in the Internet of Things (IoT) and bring-your- own-device (BYOD) world, it’s not always easy to ensure that all devices and systems connected to the network provide the necessary level of cybersecurity to prevent breaches. As a result, the human ele- ment can easily undermine even the best cybersecurity technologies and practices.
As an example, network security provider Infoblox found that 48 percent of IT administrators surveyed feel their greatest security risks come from within the campus, whether from compromised devices or intentional acts. In that same study, 54 percent of respondents said that at least 25 percent of students’ devices come to campus already infected by malware, while one-third of the students surveyed indi- cated they knew fellow classmates had attempted malicious acts on a school’s network.
The free flow of information and ideas is a hallmark of academics, so it simply isn’t realistic to prohibit students, faculty and staff from accessing an institution’s network. At the same time, it’s vital to ensure that personal devices don’t contain vulnerabilities that hackers could exploit to gain access to other devices and systems and the sensitive information they contain.
One way institutions can reduce the likelihood of this is by using network segmentation to isolate certain types of devices from other systems and the sensitive information they contain. For example, stu- dents and staff could be allowed to access one part of the network for research and communication, while academic and financial informa- tion could be stored on a separate system.
It is also important to segment out HVAC, physical security systems, point of sale systems and more. This would prevent a compromised laptop or smartphone from providing bad actors with access to highly sensitive data that could be used for identity theft or other crimes. It would also decrease the likelihood of a tech-savvy student accessing school systems, whether for fun or to engage in malicious activities.
Encryption of data is critical in all aspects of the network system, and while this practice is usually more enforced for IT systems, the same protection needs to be implemented on IoT and other systems on the network.
Given the risks associated with network breaches, and the ease with which unsecured devices can provide entry points for hackers, educational institutions must make cybersecurity a main component of overall security management for their campuses. With a written cybersecurity policy that addresses these and other factors, combined with user education and practices that monitor adherence to estab- lished policies, IT administrators can make tremendous strides toward providing the highest level of protection for students, staff and faculty as well as sensitive information and assets.
Wayne Dorris is the business development manager, Cybersecurity, at Axis Communications Inc.
Cybersecurity
8 campuslifesecurity.com | MARCH/APRIL 2020