Your institution may have invested in faster connectivity or the latest technologies and systems to enhance teaching and learning, but all of this counts for nothing if you’re caught out by a cyber security attack.
Last week I spoke to people in IT security from further and higher education at our annual CSIRT (Computer Security and Incident Response Team) conference. It’s the one time of the year where everyone can come together, drink endless cups of coffee, and talk with others in the same situation.
You usually find that a lot of people are coming across the same issues, so I thought it would be useful to run through a few ‘top tips’ on how to improve your cyber security operation.
Get your house in order
Cyber attacks can have devastating consequences for institutions if they don’t have proper policies and procedures in place. For example, one of the incidents we heard about involved a colleague with an infected machine being given access to it before a full rebuild had been completed. When it eventually came back to the IT department it ended up compromising the whole organisation – something an incident response procedure could have stopped happening in the first place.
IT security policies should absolutely be part of an institution’s wider strategy. These policies need constant revision to ensure content is relevant and covers new technologies and practices. They also need to be communicated and understood by users in order to be effective.
Speed is often of the essence when it comes to cyber security, with what can look like a simple issue on the face of it escalating to something much bigger unless appropriate action is taken. The quicker an institution is alerted to an incident the sooner they’ll be able to tackle it, which means near real-time alerts will give a fighting advantage.
Automated delivery of security incident notifications is something we’re looking at within CSIRT in order to provide a more agile, streamlined service for institutions connected to the Janet network – and free up our staff time to focus on the bigger issues.
Beware of malware
The famous saying goes that “change is the only constant”, and that’s never more true than with malware. Whether there’s been a successful patch to fix a virus, its botnet has been taken down or the author has withdrawn it themselves – for every malware incident you resolve, you can guarantee there’ll be another to replace it.
As no two pieces of malware are the same, investigations need to be ongoing and draw on a range of tools to help detect issues within your network. My favourite statement on this is: “Why do we need an Intrusion Detection System (IDS) and anti-virus software? Anti-virus is like the CSI analyst telling you that you’ve just been murdered.”
There are some wonderful tools available to help in the detection of and defence against malware. One such tool, Domain Name System Response Policy Zone (DNS:RPZ), available in the BIND DNS server provided by the Internet Systems Consortium, allows institutions to redirect or block potentially harmful internet domains. By monitoring the connections to the redirected site, the institution can be alerted when a device has attempted to access a dangerous domain through their network.
A caveat, however: these types of technologies are not infallible and will still require human intervention. In the case of DNS:RPZ, institutions will still need to actively remediate their connected devices and investigate the users who hit the DNS:RPZ service.
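The alerting and follow-up described in the two paragraphs above depend on actually reading what RPZ logs. The following is an added example, not code from the original post or from ISC: it parses BIND-style RPZ rewrite log lines and groups the blocked lookups by client address so each device can be remediated. The log layout is an assumption modelled on the shape of BIND 9’s “rpz” category messages (check it against your own version), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Regex for an RPZ rewrite log line. Assumed from the general shape of BIND 9
# "rpz" category messages; the optional "@0x..." client handle appears on newer
# versions. Treat the exact field layout as an assumption and adjust per version.
RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>QNAME|IP|NSDNAME|NSIP|CLIENT-IP) "
    r"(?P<action>CNAME|NXDOMAIN|NODATA|PASSTHRU|DROP|TCP-ONLY) rewrite "
    r"(?P<name>\S+) via (?P<rule>\S+)"
)

# Constructed sample log lines: two RPZ hits from one host, one from another,
# and an ordinary query line that must be ignored.
SAMPLE_LOG = """\
15-Mar-2016 09:12:01.123 rpz: info: client 10.20.30.40#51234 (malware.example): rpz QNAME CNAME rewrite malware.example via malware.example.rpz.janet.example
15-Mar-2016 09:12:05.456 rpz: info: client 10.20.30.40#51235 (c2.example): rpz QNAME NXDOMAIN rewrite c2.example via c2.example.rpz.janet.example
15-Mar-2016 09:13:10.789 rpz: info: client 10.20.30.41#40001 (malware.example): rpz QNAME CNAME rewrite malware.example via malware.example.rpz.janet.example
15-Mar-2016 09:14:00.000 queries: info: client 10.20.30.42#40002 (www.example.ac.uk): query: www.example.ac.uk IN A + (10.20.30.1)
"""

def parse_rpz_hits(log_text):
    """Return one dict per RPZ rewrite found in the log; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = RPZ_LINE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

def hits_by_client(hits, threshold=1):
    """Group blocked lookups by client address so each device can be followed up.
    Returns {client: sorted list of blocked names} for clients with at least
    `threshold` distinct blocked names."""
    per_client = defaultdict(set)
    for h in hits:
        per_client[h["client"]].add(h["qname"])
    return {c: sorted(n) for c, n in per_client.items() if len(n) >= threshold}

if __name__ == "__main__":
    for client, names in hits_by_client(parse_rpz_hits(SAMPLE_LOG)).items():
        print(f"{client} hit RPZ for: {', '.join(names)}")
```

Feeding the real named log through `parse_rpz_hits` gives the per-device list the caveat above calls for; raising `threshold` separates a single stray lookup from a host that is repeatedly trying to reach blocked domains.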
In the same way that industries such as finance and healthcare are required to keep an audit trail, having a log of IT activity is essential for institutions, and should be included as part of the IT policy. Without log information, institutions are unable to investigate security incidents at all. An activity log means institutions are able to tackle incidents in future and identify whether there’s a bigger problem.
Of course, a little common sense is needed. While I know of one organisation that holds information about the entire internet for the last 10 years, most would be hard pressed to manage such an immense amount of data, let alone have the space to do so. Institutions would be advised to keep as many logs as they can, for as long as possible.