With an enrollment of approximately 31,000 young people – all raised on new technologies and clearly digital natives – you would think that a large university like the University of Oklahoma (OU) would have no problem keeping its networks and data secure. Unfortunately, as Aaron Baillio, the school’s Chief Information Security Officer, is quick to point out, that’s not necessarily the case:
“…most cyberattacks are criminally-driven and financially-motivated. We see the same thing at our campus. We have a very large, very young and sometimes naïve constituency that is susceptible to both social attacks and logical attacks.”
Unfortunately, facing that threat landscape with students around the globe, faculty and students working 24/7 and constantly changing conditions makes securing the network at a college or university like OU quite difficult.
Aaron is one of many exciting public sector and private industry speakers that will be addressing attendees at the upcoming Fal.Con for Public Sector virtual event, where the threats facing public sector entities – from state and local governments, to federal agencies, to educational institutions and healthcare providers – will be analyzed and explored.
We recently had an opportunity to sit down with Aaron to talk all about the threats OU faces, the best practices that he learned in the military that he’s applying to his work at the university and what attendees can expect to learn at the upcoming conference. Here is what he had to say:
GovCybersecurityHub (GCH): What unique cyber challenges face large research universities like OU?
Aaron Baillio: Where does one begin describing the challenges facing a large research organization? First of all, things are constantly changing. Research grants come and go, students turn over and opportunities change based on so many different factors. Because of this, it’s impossible to model normal behavior. And so many faculty and staff go out of their way to help students, day and night, so there are no regular hours.
Also, our OU family members are all over the globe – or need to reach resources all over the globe. Therefore, we permit traffic to and from all over the world. We’re in the business of sharing information and facilitating collaboration.
All of that to say that – in a typical corporate environment – all of those factors would be regulated and monitored heavily in order to ensure compliance with corporate policy. We don’t have those luxuries, and so we develop technologies, processes and procedures that work around those constraints.
GCH: Are there unique payoffs or motives that cyber criminals can get out of attacking a big university compared to say, large private sector organizations?
Aaron Baillio: We see – year after year – from breach reports, like those produced by Verizon and the Ponemon Institute, that most cyberattacks are criminally-driven and financially-motivated. We see the same thing at our campus. We have a very large, very young and sometimes naïve constituency that is susceptible to both social attacks and logical attacks.
Phishing is probably our number one attack vector and may see success rates of as high as 20 percent depending on the sophistication of the attack. Credential reuse is probably the second most prevalent attack vector, followed closely by malware attacks. What we see on our campus is usually opportunistic. We rarely see organized campaigns targeting specific research or departments.
I think a major difference between an education environment and a private sector firm is our ability to remediate student devices. While we have acceptable use agreements on using OU’s networking assets, those don’t always extend to students’ personal devices. We don’t have the ability to mandate that a student install something on their device. We therefore rely on network-level protections in order to protect them from harm or to protect the larger internet community from compromised student devices.
GCH: Colleges and universities the size of OU obviously have a lot of critical infrastructure. As the devices that make up this critical infrastructure become increasingly connected, what concerns are getting raised from a cybersecurity perspective? Are these potential targets?
Aaron Baillio: It’s interesting. We used to see a shift from perimeter protected equipment to edge computing and cloud computing. This made us try to focus more on the endpoint and extending protections to where the device is. Now, we see that we have to maintain a significant infrastructure to support on-premise activities and access to the edge and the cloud. So we see a focus back to a traditional “block and tackle” perimeter security – as well as protections in the cloud.
From a business perspective, everything is now examined heavily on the pros and cons of on-premise hosting, cloud hosting and Software-as-a-Service. Now that cloud technologies have been around for a while, there is enough evidence to adequately show the advantages and disadvantages of cloud usage. Because of that, we see that not all investments are better in the cloud. These necessitate efficiencies in on-premise hosting and security. These include centralizing IT groups so there isn’t duplication of effort and expenditures, automation technologies and right-sizing support staff.
All that being said, it creates a significant target. With all the records we have collected over time, we have millions of records stored in our infrastructure.
A potential breach would be very impactful to the university in both resources and reputation. Therefore, we have to be very intentional with every technology. We have to be intentional about how we share data and with whom. And we have to be intentional about securing the person, the endpoint and the data along those paths.
GCH: You’ve spent a good deal of your career with the Department of Defense (DoD). How do the best practices that you learned there transfer to your work in higher education? Are there any new measures that you’ve picked up at OU that would be useful to your government colleagues?
Aaron Baillio: The nice thing about the DoD is that they are very focused on documentation. It’s certainly a lesson I’ve tried to take when coming over to higher education. Looking at Gartner reviews and other research organizations, we see that – on a maturity scale – higher education institutions fall on the lower end of the maturity scale. My experience would confirm that assessment.
A lot of it is because we don’t do a great job of documenting processes and keeping those up to date. So that’s what I’m trying to bring to the table in order to gradually mature the organization. Now, I’m the first to admit that documentation is onerous and tedious and tends to create inefficiencies – especially when documentation creates inflexibility. So the ideal state would be to have the documentation – and follow what is documented – but be flexible enough to allow organic efficiencies developed over time to enter back into the documentation.
The other thing I really liked with my time at the DoD is a very methodical systems engineering process when acquiring or developing new software, tools or capabilities. At OU, due to various factors – decentralization being a major one – purchases don’t follow any kind of methodology. It’s flavor of the day – with many factors influencing purchases.
I’m used to a more methodical approach that includes requirements development and review, functional review, component review and a final acceptance. I’ve tried to adapt this methodology in our security acquisitions so that we have something to point to when justifying purchases. It has helped us focus our efforts when looking at new technologies and moving up the maturity model.
There is a concept in the DoD called Operations Security (OPSEC) that encourages military personnel to not discuss restricted, confidential or secret information in the open, since a bystander might be able to put together or infer sensitive information through the use, collection and analysis of freely available information. OPSEC is preached religiously through commercials, email campaigns and posters. It’s everywhere.
This is a concept that could be leveraged to teach about cyber security as well – everything from phishing to new vulnerabilities and threat campaigns. You might get an eye roll about OPSEC, but it works. We need that level of commitment to cybersecurity training and awareness.
The one thing about the DoD is that most technologies and architectures are developed at a very high level – hierarchically – and pushed down to the lowest level. I understand that from a cost-efficiency perspective that makes a lot of sense and creates a homogeneous environment for personnel to be able to move from location to location and not have to retrain on new hardware. But that also creates a very stiff technology platform that is slow to change as technologies and attack methodologies change over time.
Along with process maturity, we’re constantly looking at new technologies and new ways of doing things, which teaches our staff how to be flexible and keeps them interested in their jobs. Being able to handle new technologies and learn is a wonderful motivator. It also gives the sense to our staff that they are involved in the decision-making process and have a say in what we do.
Aaron Baillio: It’s certainly made an impact, but I think we’re still determining if it’s a net bad or good situation. Our biggest regret has been the timing of our purchase and deployment of the CrowdStrike prevention and detection agent. We had just finalized the purchase right before we sent everyone away.
Working on architecting and deploying that product remotely has been difficult and our position would have been a lot stronger had it been in place.
That being said, that project alone has prompted a lot of movement toward centralized endpoint management – leveraging tools like System Center Configuration Manager (SCCM) and Jamf and then layering in security tools and practices has been a big win, and we’ve made a lot of headway because of the COVID situation. Additionally, we’ve centralized on remote access solutions, been able to implement multifactor authentication (MFA) on the VPN and other remote technologies, and put more controls in place on our cloud access security broker (CASB).
Through technologies like MFA, SSO and CASB, we’ve been able to gather a lot of data on cloud usage, which has allowed us to protect our remote users and their use of the cloud. This has helped tremendously, as we no longer rely on our firewalls and border devices to provide the insight and protections we are used to.
GCH: What are you planning to discuss during your session at the upcoming Fal.Con for Public Sector virtual event? What can attendees expect from their time in your session?
Aaron Baillio: Our session will be very focused on the COVID situation – what we experienced, lessons learned and recommendations for education institutions moving forward. I’ll be joined by Tina Thorstenson, who has a keen acumen for security and manages a tremendous program at Arizona State University. With 80,000 people, they had a tremendous task ahead of them to move to remote learning.
We’re about half as large, but have multiple campuses. Managing a remote learning environment across significant geographical boundaries was challenging for us. I think people will be able to identify with those challenges and learn from the solutions we identified. I’m hoping they’ll take away some new and interesting thoughts on being prepared for additional health and safety requirements in the future and finding and retaining good people who are willing to support the team during emergencies.
GCH: Who do you think would benefit from attending Fal.Con this year? Why is now an important time to hold this event and why is it important to bring this community together – even virtually?
Aaron Baillio: This will be my first event as well and I always assumed that it was a “customers only” type of event. But truthfully, we are talking about security principles that transcend particular technology vendors. That being the case, I think any business or institution will find insight regardless of their maturity level.
I think it’s important to host these kinds of events because people are looking for ideas. These are unique times that present unique challenges. While most security principles still apply, how we apply those principles can make a big difference.
I think we have to be more intentional about how and where we apply technology because resources are more scarce than ever. Seeing how other people are handling their situation should help generate thoughts and conversations on these complex topics. I know I’m craving it and now I have the time to participate, as well.