A Higher Education Overview of Cybersecurity as it is Relevant to You: Introduction
Published by: WCET | 6/28/2022
Recently, a friend texted me to complain about the cybersecurity training she had to do for work, and then asked, jokingly, how I can bear to follow and study the subject matter. I completely understand her complaint.
Cybersecurity can be extremely interesting, in my opinion, but unfortunately that is never quite conveyed in workplace cybersecurity trainings and resources. I suspect that some of the issues crop up because cybersecurity is a very technical topic that is rarely explained meaningfully in plain speech. Meanwhile, much of the cybersecurity information that reaches employees comes from HR trainings (much like the one my friend was doing), which give oversimplified direct instructions to employees regarding their expected behaviors to meet insurance requirements. Neither the technical explanation nor the HR explanation succeeds very often in conveying the specifics, complexities, strangeness, or even excitement of cybersecurity.
Although I would hardly consider myself a subject matter expert in cybersecurity (the topic is so massive that nobody is really an expert in the whole thing), I can provide some introduction. Coming from a background in non-technical higher education, the introduction I can provide is relevant to our non-technical higher ed audience.
To begin with, let’s talk about language. While “cybersecurity” is a frequently used word that can refer to a wide range of important security topics, its scope is often broader than what higher education institutions need to concentrate on. In higher education, we’re not trying to secure all of cyberspace. Most often, we’re securing data and information. Therefore, terms such as “information security” or “privacy and data protection” are more apt descriptions of the same topic.
As “cybersecurity” remains the most frequently used and established word for this subject, WCET still uses this word sometimes, but it’s also useful to understand what we really mean.
Cybersecurity is summed up by three primary concepts: confidentiality, integrity, and availability (known as the CIA Triad). Each of these concepts is broad and often overlaps with one or both of the others, and all cybersecurity threats fall somewhere within the CIA Triad. While each of these can be breached by an outside actor with ill intentions, breaches can also result from internal errors and accidents that have no actual perpetrator but are still problematic, regardless of how they occur.
Confidentiality is perhaps the element of the triad that comes to mind most often when people think of cybersecurity. Confidentiality is, as one might have guessed from the word, about keeping data and information confidential. The contents of my bank account are, for example, kept confidential from you. Student academic records may be recorded within a student portal, and select people may have limited access to those records when appropriate, but overall, those student academic records are kept confidential from most other people at the institution.
Often, when confidentiality is lost, it is because someone intentionally breached the protective measures of a website or server, such as through phishing or other types of hacking. However, if I accidentally leave the receipt in the machine after getting cash at the ATM, the next person to walk up might be able to take the receipt and see how much money I have remaining in my account. Without any perpetrator or ill will, my current bank balance has been displayed to a random stranger and loses some level of confidentiality. Confidentiality is ultimately about only certain people having access to data.
The integrity of information refers to the legitimacy and authenticity of information. Data and information that lack integrity are data and information that have been tampered with or recorded incorrectly. If I log on to my Facebook account on a computer in the library and leave before logging off, and someone else shares a goofy post as me on my Facebook page, that is a breach of integrity. Other people may see the post on my Facebook page thinking that I posted it, but in fact, it was not me. While this example doesn’t present a very big threat, there are other versions of the same threat that are more concerning: in 2013, for example, a Syrian hacker group hacked into the Twitter account for the Associated Press and posted a fake tweet claiming that there had been explosions at the White House. In the short time that the tweet was believed to be accurate, it was re-tweeted thousands of times and caused a short-term drop in the stock market. The accuracy of information is immensely important, especially when it comes to information from trusted sources. Information integrity is also of great importance when it comes to the accuracy of an individual’s information.
Similar to confidentiality issues, issues of integrity can crop up without any perpetrator. If a grade or a research data point is entered into the computer incorrectly, it would reflect inaccurate results. Whether or not a perpetrator is involved, the incorrect data point can cause confusion for those viewing the data, who may recognize that the information seems incorrect, or, if nobody is looking very closely, it may not be second-guessed at all.
The last element of the triad is availability, which centers around information or data being available (you probably guessed that from the word!). If WCET stopped paying to have our website hosted on external servers, our website would eventually go down, and would become unavailable to our users. Additionally, if a hacking group flooded the servers of a university website with fake traffic in what is known as a denial-of-service attack, the website at hand could become temporarily unavailable as well. There are, of course, actions that universities can take to prevent such events, but it is a real risk, especially for smaller institutions with fewer technological resources.
You can easily begin to see how these topics could overlap. If I write down my banking password on a piece of paper that I keep in my wallet and my wallet gets stolen, then someone might be able to log into my account (breach of confidentiality) and then make a bank deposit from my account to theirs (breach of availability). Similarly, I could fall for a phishing attempt on my work computer, which could give administrative access to the WCET website to a hacker (breach of confidentiality), and the hacker could make significant alterations to the contents of the WCET website that mislead users about who we are (breach of integrity).
As you can see, cybersecurity plays an important role in our own personal lives as well as in the whole of the higher education industry today. While it is true that any business regardless of industry can be vulnerable to cyberattacks, causing each of them to need to put time and money into securing themselves from outside threats, higher education does experience several unique vulnerabilities.
One central way that institutions of higher education can be extra vulnerable to attack is that they are “open” by design. A private company might have many internal management systems that can only be accessed on site or when connected through a VPN. Access is limited to certain users, which minimizes some potential points of entry and points of attack. Even without limited access, a regular workplace that doesn’t have many security procedures in place will only give logins (for email clients, for company software, for websites, etc.) to employees. However, a higher education institution functions differently by design. Certain systems such as learning management systems and student portals must be available to all students, in addition to many faculty and staff. Faculty and staff meanwhile have administrator logins to some of these accounts as well. Everyone connected to an institution likely has access to institutional email. Each department might have its own login to the institution’s website so that each department has real-time control over its content and doesn’t need to go through a centralized web department. The list goes on. There are a lot of platforms in use and a lot of people who have access to them. Each unique account will likely have its own unique login credentials, which can be more or less secure based on how they are set up. All of these logins and all of these people with varying degrees of access to institutional software and systems create a very large attack surface.
There are several more security vulnerabilities in higher education that make institutions especially at risk. For example, institutions have a lot of data, which is vulnerable to being viewed (confidentiality), changed (integrity), or deleted (availability). Such data includes:
The list goes on. With all this data at risk, plus all these attack vectors into institutional systems, it is no surprise that higher education institutions are such a frequent target of cyberattacks and with such dire consequences.
It is often said that all employees, not just the IT department, must play a role in security. To better understand how to do this, all employees need better information on what role they play in security. Although security policies will be different from one institution to the next, I hope to continue to provide a few more posts about information security that explain this topic in an approachable way that is meaningful to the higher education industry.