Cybersecurity has become the most critical IT effort of the decade. There are frequent news reports of cyber espionage, hacking and breaches, and casual hackers as well as state-sponsored efforts attacking industries and universities, large and small. According to the FBI, universities are “soft targets” because of our open access policies, our sharing nature and our focus on research and publications. At the same time, new laws and security compliance requirements are overwhelming everyone.
We are leading efforts to develop the underlying policies, rules and governance that are required to implement stronger security. We have been focused on PCI security as the first phase, with research security following closely behind. The good news is that many security standards like PCI DSS, FISMA, ISO 27002, NIST 800-53, and 800-171 have 90 percent of the same security requirements, so we can leverage them to build a robust security effort. The bad news is that any one of these standards requires more than 250 items in its compliance checklist. We are, however, building out our tools, scanning, automated protections, and more to meet these demands.
― Marc I. Hoit, Vice Chancellor for Information Technology and Chief Information Officer
What does it mean to be empowered within a cyber community as large and far-reaching as NC State’s? It means you have secure and reliable access to university data, technologies and resources to learn, work and innovate effectively and collaboratively.
The Office of Information Technology (OIT) strives to empower the campus community by promoting both a secure environment and ensuring compliance with various laws and regulations to protect campus users, data and systems.
Last year OIT, in cooperation with campus IT partners and stakeholders, continued its quest with the development of a five-year Cybersecurity Strategic Plan and is currently working on the Cybersecurity Roadmap to implement the plan’s goals.
Cybersecurity Strategic Plan
The Cybersecurity Strategic Plan details NC State’s initiatives to combat security threats that are a chilling reality of the globally-interconnected computing environment of today, as well as to bolster protection of physical assets, including facilities that house sensitive data and systems. It comprises four strategic goals:
- Develop a comprehensive cybersecurity awareness program that will help campus and university partners understand today’s security threats, how to be vigilant, and what actions to take to ensure their data and privacy are shielded from cyber attacks and compromise.
- Implement measures to thwart malicious cyber attacks against university assets, thus avoiding disruptions and preventing data breaches.
- Implement proactive and strategic measures to prevent data breaches and to reduce the financial burden of hastily implementing protective systems in the wake of a breach.
- Dashboards, Monitoring and Reporting Tools: Develop dashboards, monitoring and reporting tools to enable security staff and other stakeholders to see patterns, trends, and emerging threats across the university in order to prioritize cybersecurity efforts and resources.
Through increased awareness and vigilance, risk-based protection of campus assets, and comprehensive monitoring and reporting, OIT Security and Compliance (S&C) expects a significant reduction in the risk of major disruptions and data breaches.
S&C’s philosophy is that these efforts will facilitate the creativity and productivity of university students, faculty and staff, which in turn will lead to new contracts, grants and other research funding opportunities. By effectively securing and protecting the data of our university and partners, collaborative, innovative and beneficial partnerships are formed.
In support of the Cybersecurity Strategic Plan, OIT is currently designing a Roadmap: a mapping process used to identify and prioritize the programs that will be implemented over the next five years.
The effort will detail the tactical implementation steps for the strategic plan and provide a visual representation of where the university is heading from a security standpoint. The Roadmap will lay out the best paths to take as efforts continually gauge security conditions and adapt to new landscapes along the way. Recommendations from the campus-wide IT risk assessment performed in March 2016 will be incorporated in the roadmap.
The mapping process will identify the key programs and resources needed to support the four strategic goals of the Cybersecurity Strategic Plan. Several program initiatives will be part of a university-wide effort that will engage colleges and departments in implementing security measures. The effort will be especially needed in areas where the university is required to comply with federal and state laws, such as HIPAA and the North Carolina Identity Protection Act, or to meet requirements of contractual agreements, including NIST 800-171, ISO 27002 and the Payment Card Industry Data Security Standard (PCI DSS).
Cybersecurity awareness campaigns and programs aimed at actively engaging the campus population about security issues are being planned, as community involvement is an important aspect of the implementation strategy. S&C hopes to foster a culture of security that will be incorporated into daily practices. Some campus security initiatives that are currently underway include the rollout of Google 2-Step Verification, ongoing vulnerability scanning, and automated sensitive information identification.
OIT is also expanding security measures related to research data and compliance standards to facilitate the work of the campus research community and business partners.
Mandatory security awareness training is also on the horizon, and over time campus users will likely move to managed devices, so that their devices remain patched and securely configured.
S&C’s goal is for the Roadmap to guide the university in empowering its cyber community through effective programs and processes, technology, training and support, while promoting security to be an integral part of routine tasks.
As part of ongoing efforts to defend the university network from actors with malicious intent, in March 2016, OIT issued a new rule that defines the security standards required to protect sensitive university data and systems. The new rule seeks to arm data stewards, data custodians and IT administrators with the information necessary to secure their systems and data in a manner consistent with well-known industry standards. The rule will also help the stakeholders comply with university policies and state and federal security requirements, including:
- International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27002
- National Institute of Standards and Technology (NIST) 800-53
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems applies to all computer systems and associated infrastructure devices, facilities and people who support the storage, processing or transmission of sensitive data.
The rule outlines security standards for:
- Identification and authentication to access systems and data
- Acceptable technology use
- Physical security
- Configuration management
- Software development lifecycle
- Media protection
- Audit and accountability
- Contingency planning
- External service providers
- Wireless usage
System administrators and data stewards, data custodians or their delegates are encouraged to begin implementing controls immediately to ensure compliance with this standard where possible. However, multiple operational changes, processes and tools need to be identified and implemented to support overall university compliance. As such, OIT Security and Compliance (S&C) will develop an implementation timeline for this standard by Dec. 31, 2016 and communicate to appropriate stakeholders. All credit-card related systems have been made compliant with the standard.
Following the development of the implementation plan, the necessary processes and tools to support university-wide compliance will be identified and implemented accordingly.
Because the standards may be applied to different environments in different ways, an exceptions process has been included in the rule to address these situations. For additional information, see RUL 08.00.16 – NC State University Security Standards for Sensitive Data and Systems.
Phishing attacks are one of the primary cyber security threats to the NC State campus. Organized by foreign governments, crime rings, or other nefarious actors, these around-the-clock attacks target intellectual property, research, sensitive data, and personal information for financial gain.
Universities like NC State are seen as prime targets because of their perceived open network access that allows exchange of research and ideas with other institutions of higher education and various partners and industries.
While NC State has employed technology and procedures to combat these never-ending attacks, its campus community remains its greatest line of defense.
During National Cyber Security Awareness Month (CSAM) in October, OIT, along with the NC State Department of Computer Science, ePartners Program, and NC State Engineering Foundation, co-sponsored Protect the Pack: Secure NC State!, a month-long event to inform campus IT users about cyber security measures, including five mobile device security checkpoints in various campus locations, six presentations with various subjects, a panel discussion on data security for researchers, and a feature presentation by the FBI on the security landscape and threats facing universities.
A new series, Tool Talks, was launched, with the first one introducing Identity Finder, a scanning tool used to locate social security numbers, bank account information, credit card information, and other sensitive data on devices connected to NC State’s network. Flyers and cards with Google 2-Step Verification instructions and mobile device security tips were distributed to thousands of students and employees.
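To show what a sensitive-data discovery scan like the one described above actually does, here is a small scanner written for this page as an added example (it is not Identity Finder's or OIT's code). It looks for candidate credit card numbers and Social Security numbers in text and, before reporting, validates them to cut false positives: a Luhn checksum for card numbers and the Social Security Administration's structural rules for SSNs. The regular expressions, the masking format and the sample text are my own constructions and assumptions, not anything taken from the tool.

```python
"""Minimal sensitive-data discovery scanner (added example, not a vendor tool)."""
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Pattern is an assumption for this example.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# Candidate SSN in the dashed AAA-GG-SSSS form; the bare 9-digit form is too noisy.
SSN_RE = re.compile(r'(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): every issued PAN passes, ~90% of random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four digits so the findings report does not itself leak data."""
    digits = re.sub(r'\D', '', value)
    return '*' * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return masked, validated findings keyed by data type."""
    findings: Dict[str, List[str]] = {"pan": [], "ssn": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r'\D', '', m.group(0))
        if luhn_valid(digits):
            findings["pan"].append(mask(digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings["ssn"].append(mask(m.group(0)))
    return findings


# Constructed sample text (not real data): one valid test PAN, one mistyped PAN that
# fails Luhn, one plausible SSN, one impossible SSN, and a phone number that must not match.
SAMPLE = """Refund for order 8812 to card 4111 1111 1111 1111, call 919-515-2000.
Note: 4111-1111-1111-1112 was mistyped. Applicant SSN 123-45-6789; old id 000-12-3456."""

if __name__ == "__main__":
    print(scan_text(SAMPLE))   # {'pan': ['************1111'], 'ssn': ['*****6789']}
```

A real discovery program walks file shares, mailboxes and endpoints rather than one string, and tunes the candidate patterns per data type; the validation step is what matters, because a bare digit regex flags timestamps, tracking numbers and phone numbers and buries the real findings.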
October 2015 marked the 12th annual event sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance “to increase the awareness and prevention of online security problems.”
- Payment Card Industry – Compliance efforts with PCI DSS v3.1 continued to generate a significant workload. Attestation for 2015 was against v3.0, and for 2016 is against v3.1. Together with the Controller’s Office, OIT attested compliant for two of four merchant types in 2015 and for three of the four merchant types in 2016. The remaining merchant type is 94 percent compliant, which demonstrates significant progress; full compliance for all merchant types is expected in 2017. Other efforts include:
- Merchant transactions – Generated over one million credit card transactions with the University Dining merchant chain. University Dining is expected to be the only merchant that moves to Level 2, which requires a Report on Compliance (ROC) in the 2017 attestation, while the remainder of the university remains a Level 3 merchant.
- PCI-DSS training – Conducted mandatory PCI-DSS training classes and online learning modules for merchants and IT system administrators. The online training was migrated to the REPORTER training tracking system.
- PCI DSS cardholder environment and connected systems – Developed and implemented several security services.
- InCommon certificates – Issuance increased from 98 to 993. Also maintained keys for public websites that require secure transfer, and for programs and applications that require secure communications to operate correctly, for a total of 1,732 active certificates.
- Detection and response systems – Assisted over 1,170 people within the last year whose accounts had been compromised by phishing attacks, preventing further compromise.
- Software – Exceeded 15,000 software downloads for the more popular applications. Resolved at least 1,261 software licensing support tickets. Increased the amount of managed software licensing and maintenance by $956,445, for a total of $8,775,490, including a $1 million SAS grant. Managed licensing partnerships with colleges and departments totaled $1,760,225.
- New software licensing agreements – Include Amazon Web Services, LastPass Enterprise, Red Hat Infrastructure Site License, and VMware.
- Clickwrap agreements – Reviewed 114 additional clickwrap agreements for risks last year. A total of 631 have been reviewed on campus since the program’s inception in 2014.
- Public record, litigation hold and eDiscovery requests – Decreased from 14 to four. Litigation hold releases decreased from 18 to 7.
- Security tools – Implemented several to improve overall protection of university information systems and data (PCI focus), including vulnerability scanning (Nexpose), file integrity monitoring (Tripwire), sensitive information discovery (Identity Finder), logging/monitoring (Splunk), Security Information & Event Management (Splunk Enterprise Security), network intrusion detection/prevention system (Palo Alto), PCI change management application for merchants (ServiceNow) and connected systems (Quickbase), and 2-Factor Authentication for Shibboleth (Duo).
- Security standards/procedures – Developed new rules on the PRR site, including the Network Printer Security Standard, the System and Software Security Patching Standard, and the Security Standards for Sensitive Data and Systems, all required for compliance with standards such as PCI DSS (credit card), ISO 27002 (UNC security standard), and NIST 800-53/171 (research).
- IBM’s Enterprise Security Maturity Workshop – Conducted a campus-wide IT risk assessment. The results and/or recommendations will be incorporated into the Cybersecurity Strategic Plan/Roadmap.
- IT risk management strategy – Began the development of the strategy using ISO 27005.
- Cybersecurity tabletop exercise – Conducted, in collaboration with Environmental Health & Public Safety (EH & PS) Business Continuity & Disaster Recovery (BCDR), the first cybersecurity tabletop exercise with the Emergency Operations Committee to increase the awareness of the impact of a cybersecurity incident.
- CloudLock – Implemented to simplify Google Apps administration and to add protection for sensitive information stored there.
- Credit card data – Identified and cleaned up over 2,500 instances of credit card data located on local user systems via the data discovery program.
- ServiceNow tickets – Processed in excess of 1,100 tickets in support of Security Services, including scanning, Tripwire and Splunk.
- 1,170 campus users were assisted after their accounts were compromised.
- 650 accounts were disabled in past three months due to suspicious activity.
- 4 security incidents in the past five years required official notification to affected individuals.
- 2,464 Google Apps accounts have 2-Step Verification enabled.
- 993 InCommon SSL certificates were issued.