Does the NSA/DHS Designation as a CAE Provide Unwanted Attention for Colleges/Universities?

Steve Linthicum

Well-known member
  • Jul 31, 2019
    363
    4
    627
    28,771
    Oceanside, CA
    slinthicum.edublogs.org
    In the article I raise the possibility that academic institutions obtaining the NSA/DHS designation as a Center of Academic Excellence (CAE) may be drawing the unwanted attention of ransomware gangs, seeking to demonstrate their skills against alleged hardened targets. Thoughts?
     
    I'm not so sure (yet) there is a correlation between getting a CAE designation and being hacked/compromised. Some time ago, we had a hit on a phone server that we were decommissioning. But because I am generally security paranoid, I had cordoned that server from the rest of the population, since external contractors would work on it. This was the Revil Kasaya breach from June-ish of last year. Contractor left the door open and our server got breached. It could have been a lot worse, but #paranoid. That doesn't mean my measures were anything special - I think we just dodged a bullet. There's probably another one out there right now, just waiting to be fired off and it scares the crap out of me, and that's even after doing a NIST 800-171 sweep checklist of the network some time ago.

    One of my personal security commandments (and some would argue with me), is that security by obscurity is not security at all. I still believe this because of bots and various tireless threat actors in various regions of the world. Like, why would the Russians seek to compromise a small, 1200 student college like us? Because we were another target in a long list of IP addresses out there. We were deluged last year by DDoS attacks (and still get them) because we turned on a fiber circuit, ranging from 2500 - 30000 zombies attacking our internet pipe. Why? Because we're out there.

    You're always a target, regardless if you have a badge of excellence or not.

    In my experience, few organizations really spend the amount of money that they need to spend for a level of cyber protection - instead, transferring the risk by getting cyber insurance. More and more, we see one person covering multiple buildings and campuses. And in higher ed, as we've talked about here on CIN, getting qualified people in to teach and work is a challenge because there's no real money in education (despite what the detractors of proprietary education say). IT has to work from a shoestring budget and hope that countermeasures put in place will alleviate enough risk to make one be able to sleep at night.

    If you take a school like Lincoln or Western Adventist that has less than 1000 students, I can almost guarantee that they may have one or two active IT staff for the school. Not nearly enough to cover everything. And the hackers know this, all too well.

    I suspect a designation like CAE will help when negotiating premiums for cyber insurance, or it may not. But I can also surmise that it can create a false sense of security.

    /r
     
    "Some cybercriminals attack universities ... for the bragging rights about a successful hack on high-profile institutions."
     
    • Like
    Reactions: Saleha Farheen
    "Some cybercriminals attack universities ... for the bragging rights about a successful hack on high-profile institutions."
    Of course, kicking over a ham-and-egger school with less than 1000 students is the crowning achievement to any buddying cyber criminal... *smh*

    But, smaller schools have bigger risk - since they have smaller budgets. That's what makes it scary.

    /r
     
    The College I teach Network+ and Security+ (Adjunct Faculty, Workforce Training) received an NSA/DHS Designation this past year. Interesting article, I will forward the article to the IT group, I have had several of the system admins in my Security+ classes....
     
    I think the following may shed light on this issue. In May 2021, Sierra College (a CAE) where I spent 18 years as a full-time faculty member, was hit by a Ransomware Attack. As noted on the attached temporary website that I downloaded yesterday:

    Last updated 4 pm 8/21/2022
    On Saturday, August 20, Sierra College’s systems were attacked by criminal hackers. This attack has limited access to
    information technology resources throughout the District. After we learned of this incident, we took immediate actions
    to protect our data and enhance the security of our network. A professional third-party forensic firm has been engaged
    to investigate and determine the scope of the incident.


    Am I surprised? Not really.
     

    Attachments

    • Sierra College.pdf
      1.8 MB · Views: 3