‘The attack surface area will rise exponentially’
A Q&A with Leo Howell, University of Oregon’s Chief Information Security Officer
Each month, OETC chooses a topic important to our members to explore in Spotlight, a series of longer-form stories and Q&As. This month’s topic is cybersecurity; you can read our long-form story here. We asked University of Oregon’s CISO, Leo F. Howell, about how school districts without resources can begin a security program, up-and-coming threats, best practices and more.
OETC: What’s a big blind spot you see when it comes to the way people think about cybersecurity in education?
Leo Howell: Backup and recovery is well-overlooked in the education space. This was not a major problem over the past few years, but with the increasing threat of ransomware like WannaCry and NotPetya, backup and recovery should be at the forefront. With multiple recent cities and states (Atlanta, Baltimore, Texas, Louisiana) being hit by ransomware, this trend is expected to continue.
Education is a soft target for these types of attacks, and the only saving grace is to have a solid backup strategy. So we all need to get to it!
OETC: What is something you see on the horizon that CIOs and managers should be aware of?
LH: Easy answer — everything! In the next few years, with millions more devices — IoTs, OTs and all the smart things from trees, microwaves, cameras, to cars, houses, and other things — being added to our network, the attack surface area will rise exponentially.
Coupled with a massive shortage of cybersecurity talent across the globe, CIOs should begin to develop a strategy for survival now. The good news is that simple steps can still be taken to avoid catastrophe in the near future:
- Good patch management strategy to keep all the “things” up to date on patches;
- Network access control to prevent unwanted or unregistered devices connecting to the network;
- Good password management strategy to rid the network of “things” with default passwords; and
- Good segmentation strategy to keep important systems secure from the other stuff on the network.
OETC: If a district is just beginning their own security program, what are some good first steps?
LH: Districts looking to start a program are going to realize that they may have to do three to five years' worth of effort in one to two years. This can cause confusion and disruption to the way people currently do their work. As such, any effort to start a new program should begin with strong communication upfront and transparency throughout the process.
The community should be informed about what level of disruption to expect, but also informed of the significant risk to the organization, which shows them why certain steps must be taken. Build a groundswell of support before making radical changes.
Once that’s done, steps should be taken to reduce the risk of a crippling attack in a way that gets the biggest bang for the buck. Generally speaking, my top five things to get right at the beginning of the program include:
- User awareness especially on phishing and password management;
- Two-factor authentication that will stop most attackers from successfully compromising a user and being able to access systems;
- Strong patch management, making sure that systems are patched in an expeditious manner;
- Data and system backup to ensure there is a way to recover from a ransomware attack without having to pay the ransom; and
- Segment sensitive/critical systems with firewalls or access control lists.
OETC: Similarly, if a district has limited resources, what are some smaller things they can do?
LH: With limited resources, focus on things that can be done creatively without too much investment, like awareness training and patch management (e.g., just have folks auto-update their desktops).
There are also low-budget ways to back up data. If there are dollars to spend, two-factor authentication is probably the place to start, especially for high-risk users.
Leo F. Howell joined the University of Oregon in 2017 as their chief information security officer. Previously, he served as a cybersecurity and audit leader at North Carolina State University. Leo is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and former certified almost everything else. He received his B.Sc. in Computer Science and Electronics from the University of the West Indies with honors, and his MBA from NC State University.