Security Scene: Thoughts on a Cyber Security Exercise
Imagine this: Your campus has come under a sophisticated cyber-attack that has infiltrated your learning management system, installed malware granting users administrative privileges, corrupted data, commandeered your emergency management system, and is sending fraudulent instructions to your campus communities. Oh, yes, and the attacker has also compromised your buildings’ heating, ventilation and air-conditioning (HVAC) and water computer controls, shutting down heating/cooling and water systems and threatening biological laboratories and medical facilities, not to mention severely affecting classrooms and dormitories.
While this nightmare scenario will hopefully never be experienced by any campus, it was the situation presented at a national cyber security tabletop exercise facilitated by the Department of Homeland Security in October. Held at the University of Utah S. J. Quinney College of Law, the exercise occurred over two days and included 417 participants representing 102 higher education institutions. Participants represented emergency management, information technology, security, central administration/leadership, public safety, student life, and communications.
The exercise posed a series of escalating emergencies over a short period of time that targeted different campus infrastructures. The intent of each step was to test the preparedness and scalability of emergency planning. The catalyst for the scenario was a fictional campus event featuring a controversial guest speaker, something that is not hard to imagine given the debate regarding free speech on some of our campuses today. The scenario began with several small, seemingly unrelated security incidents, followed by a series of cyber-attacks, each more severe than the last, that overwhelmed even the most robust emergency management plans.
To help inform participants of issues related to the exercise scenarios, seminars were presented by community members and outside experts featuring germane topics. Participants attended a session on a topic relevant to the next scenario, and then took part in a facilitated exercise.
While the exercise was limited to on-premises systems, applications, and networks with minimal or no use of the cloud, in today’s “cloud first” environment the operational landscape for information technology on many campuses has changed considerably. Often, mission-critical applications such as email and storage are provided by commercial cloud providers like Google or Microsoft. A 2015 EDUCAUSE report on IT service delivery found that “More than four in five institutions have moved at least one service to the cloud. CIOs project that cloud-based services will continue to expand widely over the next 10 years.” In this same report, the following figure appears, showing the adoption rate by size of institution:
Figure 1 – Percentage of institutions that moved at least one service to the cloud
Figure 1 indicates that regardless of the size of the institution, there is strong adoption of cloud services.
Similarly, a 2017 EDUCAUSE report on the top 10 strategic technologies identified the “blended datacenter” as “increasingly important because as institutions move services to the cloud, they usually move into a blended environment where they continue to maintain an on-premises data center while also managing a set of services that may run the gamut from software as a service to infrastructure as a service. While cloud-based solutions offer advantages related to agility, performance, and scalability, the blended environment requires a shift in strategy to one that encompasses both environments.”
Given the increasing reliance on cloud services, internet communications providing access to public cloud providers are critical to campus operations. However, dependencies within internet communication systems are not always well understood and, as past experience demonstrates, can cause disruption to operations when failures occur. For example, threats to internet communication systems may jeopardize needed interactions with vital public cloud providers. It’s becoming increasingly important for campuses to understand the threats to internet infrastructures and develop approaches to increase resiliency in reaching public cloud providers.
One recent example of a hidden dependency in cloud services is the Dyn DNS DDoS attack that occurred in October 2016. Before the attack, few people knew that the company Dyn provided core internet services to a variety of cloud providers; afterwards, many did. A DDoS attack targeting Dyn interrupted the services provided by a number of popular cloud providers. Figure 2 is a list of some of the companies that were affected:
Figure 2 – Cloud services affected by the DDoS on Dyn
The above cloud service providers had contracted with Dyn to provide DNS services for their companies and thus the delivery of each provider’s service was dependent on Dyn’s operations. When Dyn’s service was interfered with, the dependent cloud provider services were also interrupted. For example, many higher education institutions using Box.net were affected by this attack and could not access files located there.
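The Dyn outage is a case of a dependency most campuses had not mapped. The following Python script, an added example that is not part of the original article, takes the plain-text output of `dig +short NS` for each critical service domain (here a constructed sample with fictitious vendor names) and lists which services would go dark if a single DNS provider were attacked.

```python
"""Map which third-party DNS providers your critical cloud services depend on.

Added example (not part of the original article). Input is the plain-text
output of `dig +short NS <domain>` for each service domain; the sample below
is constructed, not real data, and the vendor names are illustrative.
"""
from collections import defaultdict

# Constructed sample: one `dig +short NS` result per service domain.
# Nameserver hostnames are made up to illustrate the pattern.
SAMPLE_DIG_OUTPUT = {
    "lms.example.edu": "ns1.dnsvendor-a.example.\nns2.dnsvendor-a.example.\n",
    "files.example.com": "ns1.dnsvendor-a.example.\nns3.dnsvendor-a.example.\n",
    "mail.example.org": "ns1.dnsvendor-a.example.\nns1.dnsvendor-b.example.\n",
    "alerts.example.net": "ns1.dnsvendor-b.example.\n",
}

def parse_dig_ns(output: str) -> list[str]:
    """Return nameserver hostnames from `dig +short NS` text (trailing dot stripped)."""
    return sorted({line.strip().rstrip(".").lower()
                   for line in output.splitlines() if line.strip()})

def provider_of(nameserver: str) -> str:
    """Heuristic: treat the last two labels of the NS hostname as the DNS provider.
    Good enough for most commercial DNS vendors; adjust for ccTLDs such as .co.uk."""
    labels = nameserver.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else nameserver

def dns_dependencies(dig_outputs: dict[str, str]) -> dict[str, set[str]]:
    """Map each service domain to the set of DNS providers it depends on."""
    return {svc: {provider_of(ns) for ns in parse_dig_ns(out)}
            for svc, out in dig_outputs.items()}

def single_points_of_failure(deps: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {provider: [services]} for services that rely on exactly one DNS
    provider, i.e. where an outage at that provider takes the service offline."""
    spof = defaultdict(list)
    for svc, providers in sorted(deps.items()):
        if len(providers) == 1:
            spof[next(iter(providers))].append(svc)
    return dict(spof)

if __name__ == "__main__":
    deps = dns_dependencies(SAMPLE_DIG_OUTPUT)
    for prov, svcs in single_points_of_failure(deps).items():
        print(f"{prov}: outage would affect {len(svcs)} service(s): {', '.join(svcs)}")
```

Run against real `dig` output for the services your campus actually depends on, a service whose only provider appears under more than one entry is the kind of concentration risk the Dyn incident exposed.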
A DDoS attack is just one potential cause for disruption of cloud provider services. Another is a security failure within the internet service provider (ISP) infrastructure, resulting in problems reaching public cloud providers. Most organizations expect reliable transport of their network traffic to its intended destination. But the network infrastructure operated by an ISP is subject to a variety of attacks which, if successful, may threaten transport of network traffic. For much of the higher education community, the ISP is a regional network provider that may also serve other non-profit organizations such as state government and public libraries. Examples of regional providers include Merit Network serving Michigan, OARnet serving Ohio, Connecticut Education Network (CEN) serving Connecticut, the Corporation for Education Network Initiatives in California (CENIC) serving California, and so on. Internet2 and the Department of Energy’s Energy Sciences Network (ESnet) provide the national research and education backbones used to interconnect regional network providers across the country as well as internationally. Figure 3 depicts a simple example of how research and education networks provide transport to other universities, commercial cloud providers, and the internet in general.
Figure 3 – Example research and education network topology
Below, figure 4 shows the interconnections between the Internet2 Network backbone and regional research and education network providers (“regionals”) across the country.
The Internet2 backbone and regionals form a network ecosystem delivering high-speed and low-latency transport services tailored to the requirements of the research and education community. These networks are also used to access vital public cloud providers. Security risks that jeopardize any of the networks’ infrastructures could prevent access to public cloud providers and other off-premises critical services, resulting in severe consequences for campus operations and safety. As our community’s reliance on cloud services increases, so does the importance of protecting regional and national infrastructures connecting mission critical cloud services to campuses.
Following are several suggestions that address these issues for both campuses and regional research and education networks to consider.
- Campuses should ask public cloud providers to describe their disaster recovery/business continuity plans for all critical supplier-to-customer dependencies.
- Develop a DDoS mitigation plan to follow when (not if) an attack occurs. This usually involves working with your regional network provider.
- Work with your network architects and regional network provider to understand network paths used to access vital cloud services and develop potential alternative paths should it become necessary.
- Conduct multi-organizational cyber security or disaster scenario tabletop exercises that include your regional network provider.
- Consider staging redundant identity and access management (IAM) applications in cloud environments to preserve authentication and authorization services to mission-critical public cloud environments in the event that on-premises IAM applications are unreachable from these cloud providers.
- Consider using the Higher Education Cloud Vendor Assessment Tool to evaluate prospective cloud vendors.
Regional Research and Education Network Considerations
- Conduct a security risk assessment of the regional network infrastructure to identify latent risks and develop risk mitigation plans for items that represent unacceptable risks.
- Form a security operations team that ideally would include one dedicated person. This team would implement security monitoring technologies that identify active attacks and respond when necessary.
- Adopt best common practices for routing security.
- Consider implementing the recommendations from US-CERT Alert TA16-250A, The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations.
- Consider participating in the Research and Education Network Information Sharing and Analysis Center (REN-ISAC) at Indiana University to collaborate with other higher education security teams.
As the saying goes “practice makes perfect.” Participation in tabletop cyber security exercises such as this Department of Homeland Security example provides excellent opportunities for refining and improving on emergency preparedness plans before a real emergency occurs. It’s clear that the security and resiliency of the national and regional research and education networks and their critical dependencies on public cloud provider access are now in-scope for emergency preparedness planning.
https://library.educause.edu/~/media/files/library/2015/5/ers1501a.pdf