When Bob Kennedy first started working within the IT department at Northeast Iowa Community College, cyberattacks were an ongoing and troubling occurrence.
With three campuses spread out across Iowa -- Calmar, Dubuque and Peosta -- NICC has about 8,000 students, plus 1,200 staff. Kennedy and his fellow IT and security team members are responsible for nearly 3,000 different endpoints, mostly in the form of physical machines, with some virtual machines mixed in as well.
Those devices are under direct control. However, with most people bringing one to three devices onto campus, there could be up to 12,000 other endpoints hitting the network, mostly in the form of wireless devices, such as laptops, smartphones and tablets, but Kennedy and his team are also seeing other types of wireless devices hit the network as they grow in popularity.
Additionally, in keeping with its mission of open dialogue and freedom to share ideas among students, staff and colleagues, NICC doesn't block many websites, which complicates the issue even more.
"Schools are targeted often with cyberattacks and we were no exception," Kennedy told Security Now in a telephone interview. "So, it finally came to light that we can't continue this."
It's not only higher education. Endpoint security itself is getting much more complicated, with more and more employees, students and people in general using many more devices. In addition, endpoints are no longer only PCs, USB drives and smartphones, but also seemingly forgotten hardware, such as point-of-sale machines and, increasingly, Internet of Things sensors. The so-called attack surface has grown at NICC as well, as students bring different devices onto the network.
As in most cases, those cybercriminals or attackers exploiting endpoints are trying to get their hands on data, whether it's to steal money or identifications, or something deeper, such as gaining access to sensitive intellectual property.
"Colleges are being hit. Not just our college, but colleges nationwide are being hit because of the sensitive information that we carry as far as students' information and the amount of funds that are passed through," said Kennedy, whose title is network technician, but that only begins to describe his other host of duties besides security. "What they are trying to do is, whoever is trying to hack the colleges, they are trying to get into that sensitive information."
In November, the Ponemon Institute released a study based on responses from 665 IT security executives, which found that over half -- 54% -- experienced an endpoint attack, with some of these breaches running close to $5 million to recover from.
Verizon Enterprise Solutions' annual Data Breach Investigations Report also found an uptick in data breaches tied to exploited endpoint devices, especially new ones such as PoS and IoT devices. (See Data Breach Increase Shows Endpoints Are Under Attack.)
While not as big as some of the enterprises highlighted in these studies, Kennedy and his team faced many of the same concerns, as well as obstacles. Plus, NICC doesn't have the luxury of an IBM, which could outright ban USB devices to help shore up its own endpoint security. (See IBM's USB Ban Earns Some Praise, Some Skepticism.)
Kennedy and his team started, first and foremost, with education. That's the best front-line defense, especially for students looking to download software that's not approved.
"Most of the time the software they try to install has nothing to do with the college. We stop that... Sometimes the user may be injecting some viruses or some bad stuff into our network, unintentionally, and not knowingly," Kennedy said. "That's the biggest task, is trying to educate students and staff as to how to protect themselves and protect our network. We have to take that extra step to make sure that that doesn't happen."
Even with the additional education, Kennedy and his team would still run into problems, mainly from students wanting to download software.
"What was happening is that students were bringing in flash drives and somehow running executables or they were bringing in software and the USB was not being scanned so there were some viruses embedded in these documents," Kennedy said. "Like Word documents or PDFs or something like that. The antivirus that we were using at the time was not catching it."
To counter that trend, Kennedy invested in new antivirus software, specifically security tools and protection from Bitdefender, as well as rewriting policies to adjust to the threat landscape.
The Bitdefender software then allowed Kennedy to set policies throughout the campus network, which gave his team greater visibility.
"I'll give an example. For PCs, we have policies and one is that the USB is scanned. They cannot attempt to run any executable from a USB or any [other] executable," Kennedy said. "Even if there is one on the PC and someone who doesn't have adequate credentials tries to run it, it won't allow it. Number two is that I get notifications of when this happens. So, if a student is like hammering on this PC they are trying to get the stuff, I can remove it and say, 'Look, please stop this.' And hopefully prevent that."
From there, Kennedy is working to expand policies to more end devices, such as the smartphones and laptops that students are increasingly bringing onto the campus and into the network. Here, the idea is to use Bitdefender's software to expand antivirus protection throughout the network so that even if the device is not secure, at least the network is.
The NICC staff also must prepare for when outside businesses use the campus for training purposes and other corporate events. Here, the IT department sets up a separate VLAN that allows these visitors to bring new devices onto the network while keeping those devices isolated from the main campus network.
Again, Kennedy goes back to the theme of education, which starts at orientation for new students and staff and continues through reminder emails sent out from IT and security. However, not everything can be covered.
"As long as we keep educating the users we are going to minimize the risk tremendously, actually," Kennedy said. "The user is the best defense... that's where we fall short. If there's going to be one way that something is going to happen to our network, it is probably going to be mostly likely, I would say 95% of the time, it's going to be because of user error."
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.