University CISOs say zero trust is the best defense against the existential threat of phishing

Stanford has replaced logins and passwords with a digital key to improve endpoint security.


Proofpoint hosted a roundtable of chief information security officers, moderated by Ryan Witt, cybersecurity strategy director for education at Proofpoint (upper left), with Helen Patton of the Ohio State University, Erik Decker of University of Chicago Medicine, and Michael Duff of Stanford University.

Image: TechRepublic

CISOs at Stanford University, the University of Chicago Medicine, and The Ohio State University list phishing as the top security threat to students, professors, and researchers. The group also agreed zero trust is the best security approach but a hard sell in an academic setting.

Chief information security officers from these schools talked with Ryan Witt, the cybersecurity strategy leader at Proofpoint, during a webinar about how COVID-19 is changing their work and how they are securing university networks and data.

Phishing is a top concern, as is how to educate students about security best practices on platforms that are new to them.

The security team at Stanford University runs simulated phishing campaigns among university employees twice a month, Michael Duff, the CISO and chief privacy officer at Stanford University, said during the webinar.

"We recognize phishing as the single greatest threat to our privacy and security," he said.


In early March, scammers sent a coronavirus information email pretending to be from the university's Health Alerts system, one of several pandemic campaigns highlighted in the school's collection of real phishing emails.

In March, Stanford launched Cardinal Key to replace logins and passwords. A user has a digital certificate for each device that connects to the university networks. Computers have to be running BigFix or VLRE and mobile devices must be managed by Mobile Device Management to use the digital certificates. Cardinal Key does not support Linux machines or Android phones.

"This gives us a mechanism to ensure user devices are secure no matter where they are," Duff said.

Duff also said that he relies on automated enforcement of security rules more than user education and awareness efforts.

Helen Patton, the CISO at The Ohio State University, said that the challenge is that college students are sophisticated users of a few platforms, not of technology overall.

"They're not secure in the way they handle new technologies at school so we have to teach them how to be secure with the tech that we're offering," she said.

Patton said that her team also phishes students on a regular basis with the goal of building awareness.

Erik Decker, chief security and privacy officer at University of Chicago Medicine, said everyone's increased online presence on social media platforms and videos makes spearphishing even easier.

"It's very easy for people who want to do a targeted attack to find the right people," he said.

Universities have been a popular target of hackers over the last few years. In May, Blackbaud, the world's largest provider of education administration, fundraising, and financial management software, was held to ransom by hackers and paid an undisclosed sum to the cyber-criminals.

During the Q&A part of the webinar, an audience member asked the panel which nation-state they were most worried about defending against. They all declined to answer.

Selling a zero trust approach to security

In addition to moving to digital certificates for authentication, Stanford's information security team is also testing out a zero trust model of security. Decker of University of Chicago Medicine said that this approach should be the new mindset and mission for security teams, particularly now that remote work is the norm.

"Wherever we are going to be working, we assume that the environment is dirty but we still have to work," he said.

Patton said that this "trust no one approach" is antithetical to how universities operate, making it a tough sell to researchers and professors who prioritize openness, sharing, and collaboration.

"COVID made the imperative more clear, but didn't make the pathway to get there any easier," she said.

Patton also discussed how the lifecycle of research itself (brainstorming, focused research, patent applications, peer-reviewed papers, and conference presentations) requires changing levels of security.

"I have to align it with academic freedom and the innate need in the research space to share information with people, even if we don't fully know who they are," she said.

For returning students and professors, the CISOs recommended basic security best practices such as automating updates and using a different, unique password on each platform.

Patton suggested that professors slow down and think about what kinds of data they are sharing online, instead of just moving the in-person approach to a digital setting.

Duff said that he has improved endpoint protection and is refocusing security strategy on collaboration platforms such as video conferencing.

Decker said he is reviewing his cloud strategy and thinking about how to prepare for a potential surge in COVID-19 in the winter and how to adjust operations accordingly.


By Veronica Combs

Veronica is an independent journalist and communications strategist. For more than 10 years, she has covered health and healthcare with a focus on innovation and patient engagement. She led AIR Louisville, a three-year digital health project focused ...