Insider threats, especially employees who work at the University or College, pose the greatest challenge to students, faculty and staff at these institutions of higher learning. In my home State of South Carolina, these threats have been communicated to both lawmakers and the Commission on Higher Education. This year alone, two professors and two students perished at the University of South Carolina due to inadequate security and protection against the “Insider Threat”.
Comprehensive, but simple, Security Plans are needed to protect Universities against physical and “cyber” dangers. “Triggers” that notify network monitors about physical or cyber threats should alert Campus Law Enforcement immediately when a breach or penetration occurs in the cyber or physical domain. Three complete but easily implemented steps need to be part of the Security Plans for all Institutions:
a. Role-based access controls (RBAC): The concept is that people have access to classrooms (physical or virtual), or any other part of the Institution, only on the basis of their role with the Institution.
b. Segregation of duties: Closely aligned and complementary with RBAC, segregation of duties means that each member of the University has only one role (duty). The purpose behind this portion of the Security Plan is to prevent tempting people with too many “keys to the kitchen”. There are many cases where people used their multiple roles to pursue malicious objectives.
c. Defense-in-depth: Layered security in the physical (access cards to buildings, then rooms, turnstiles with x-ray machines) and cyber (passwords, biometric recognition, anti-virus, identity protection systems) domains.
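An added example, not part of the original article: a small Python audit that applies items a and b to an export of role assignments and access grants, flagging any member who holds more than one role and any grant that falls outside what the member's role allows. The role names, resource names and sample records are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical role-to-resource policy (constructed for illustration).
ROLE_POLICY = {
    "student": {"classroom:BIO-101", "lms:BIO-101"},
    "faculty": {"classroom:BIO-101", "lms:BIO-101", "lms:gradebook"},
    "sysadmin": {"lms:admin-console", "room:server-room"},
    "registrar": {"sis:student-records"},
}

# Constructed sample data: (user, role) assignments and (user, resource) grants.
ASSIGNMENTS = [
    ("alee", "student"),
    ("bkim", "faculty"),
    ("cdoe", "sysadmin"),
    ("cdoe", "registrar"),            # second role breaks one-role-per-member
]
GRANTS = [
    ("alee", "lms:BIO-101"),
    ("alee", "lms:gradebook"),        # not allowed for the student role
    ("bkim", "lms:gradebook"),
    ("cdoe", "sis:student-records"),
    ("dray", "room:server-room"),     # user has no role assigned at all
]

def audit(assignments, grants, policy):
    """Return (user, finding, detail) tuples for RBAC and segregation-of-duties gaps."""
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    findings = []
    # Segregation of duties: each member should hold exactly one role.
    for user in sorted(roles):
        if len(roles[user]) > 1:
            findings.append((user, "multiple-roles", ",".join(sorted(roles[user]))))
    # RBAC: every grant must be covered by a role the user actually holds.
    for user, resource in grants:
        allowed = set()
        for role in roles.get(user, ()):
            allowed |= policy.get(role, set())
        if resource not in allowed:
            findings.append((user, "grant-outside-role", resource))
    return findings

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, GRANTS, ROLE_POLICY):
        print(finding)
```

Findings of this kind are the sort of “trigger” that can be routed to the people monitoring the network.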
“There are countless examples, unfortunately, from Virginia Tech to South Carolina, west to Colorado and Oregon that show these 3 practices would have saved lives and prevented perpetrators from committing physical and cyber-crimes.”
Universities and Colleges need to understand the implications of these security measures, or lack of them, if they do business with the Federal Government and accept tuition assistance. If hackers gain access to a University’s network, through a “back door” or other vulnerability, there are potentially harmful effects on National Security. Sound far-fetched?
Many students are military or former military going to school online via Learning Management Systems (LMS) installed by system administrators at the Universities. If a perpetrator gains access to online classrooms, then they can identify where the students are physically located, and this could divulge an operating location overseas. The risk Universities and Colleges take in doing business with the Federal Government, and particularly the Department of Defense via tuition assistance, lies in their lack of a security plan and procedures, which can lead to interruptions and disclosure of personally identifiable information (PII), as witnessed by the Office of Personnel Management earlier this year. The “Insider Threat” in that case happened to be a foreign government that gained access; the “Insider Threat” at Universities and Colleges is typically system administrators with too many roles and too much access, both physically and in the cyber domain, to PII.
Insider threats are, in the opinion of many professionals, the most difficult to guard against since insiders are already ‘inside’ the outer defenses of an organization and possess a great deal of information, passwords, and security clearances that permit them to move about freely and conduct their nefarious deeds if they so choose. While guarding against them can be troublesome, if organizations follow due diligence and best practices, much of the damage they have the potential to do can be limited.
Dr James Bryant