“The first rule of Fight Club is: you do not talk about Fight Club.”
What? Where’s the fight? The fight is happening on every college network. Malware, phishing, denial-of-service attacks, SQL injections, zero-day exploits, DNS tunneling, man-in-the-middle and many other attacks are hitting networks every day. Cybercrime threatens system operability, college assets, college reputation and private information.
It’s been said, “There are two types of companies: those that have been hacked and those who don’t yet know they have been hacked.” For fear of revealing the defenses designed to protect a college’s network, chief information officers are mostly incommunicative about cybersecurity measures.
“The second rule of Fight Club is: you DO NOT talk about Fight Club!”
Even if you haven’t seen the 1997 movie “Fight Club,” know that the rules were meant to be broken. That said, let’s talk about Fight Club. Let’s talk about striking a fierce posture against cyber breaches.
Social engineering
Typically done with phishing and its variations like smishing and vishing, social engineering psychologically manipulates people — faculty, staff or students — into divulging information that should not be revealed, or clicking on an attachment or link that should not be clicked. Even the most sophisticated cyber defense software can be unintentionally circumvented by a clever phishing attack.
This article comes from the current issue of the Community College Journal, published bimonthly by the American Association of Community Colleges.
College networks have thousands upon thousands of authorized users; this risk is widespread and pervasive. Training during new employee onboarding and annual training of all users increase awareness of phishing attacks. Random phishing “drills” keep users alert and on their toes.
Multi-factor authentication (MFA)
According to Microsoft, requiring users to identify themselves by more than a username and password reduces the likelihood of getting hacked by 99%. Not all MFA methods provide the same level of protection. Visit the Cybersecurity & Infrastructure Security Agency at cisa.gov/MFA for sage guidance.
Cybersecurity governance and leadership
A strong commitment to cybersecurity governance can be exemplified through adherence to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Control Suite. This robust foundation is further strengthened by a chief information security officer (CISO) on staff or contracted through a third-party CISO-as-a-service arrangement.
Cybersecurity measures and continuous improvement
Don’t wait for it — look for it: perform multiple vulnerability scans and have no less than weekly mitigations of scan findings. In addition to MFA, have end-point protection, yearly assessments and tabletop exercises, robust disaster recovery capability and log correlation. What? This is getting pretty deep, pretty dark.
Yearly assessments are comprehensive evaluations of an organization’s cybersecurity posture, involving a systematic review of network defenses, vulnerabilities, and overall risk profile. Be realistic as this will guide strategic investments.
Tabletop exercises are simulations of cyber incidents. Unlike assessments that focus on the current state, tabletop exercises help prepare the IT team for future events. Again, be realistic about system resources and capabilities.
End-point protection defends devices that connect to a network, such as laptops and smartphones, from attack. Other endpoint vectors include compromised USB devices, unsecured applications, exploits through a web browser, threats from shared drives and social engineering attacks via e-mails with malicious files or links.
Log correlation, a technique of analyzing log data from different sources, can identify a pattern of events across an array of devices or applications on a network. Log correlation can automate attack detection and detect security flaws.
Disaster recovery is a plan and system to replicate data and computer processing in an off-premises location that will not be affected by a disaster caused by equipment failure, natural disaster or cyberattack. Every college should have one.
By the way: when was the last time your college performed a full-on test of its disaster recovery system?
“The third rule of Fight Club is: If someone says ‘stop’ or goes limp, taps out, the fight is over.”
In this cyber-insecure landscape, the attacks won’t stop. Don’t get knocked out. Improve, learn, evolve and stay vigilant. Finally: carry cyber insurance coverage — just in case.
* * *
Edward DesPlas is executive vice president and Roy Lytle is chief information officer at San Juan College in Farmington, New Mexico.