The case for logon management in education
Misuse of user credentials is rampant. That’s why the principle of least privilege puts the focus on managing access from all users, not just privileged accounts.
Published December 12, 2017
Whether it’s a student trying their hand at hacking or leveraging a stolen teacher’s password, a teacher up to no good, or an external attacker leveraging stolen passwords, how are you supposed to spot inappropriate access?
Help is needed to identify when any kind of threat actor attempts to strike, and do so in a manner that does not inhibit everyday access for faculty, staff and students.
The very concept of your network environment “being secure” is a bit subjective. Secure from what? As the IT industry continues to focus on the security of its environments and data, it’s important to understand security contextually in terms of what attack types your layers of defense are protecting you from.
Today’s list of “usual suspects” includes ransomware, phishing, hacking, data breaches, insider threats, and more. Given the compounding list of potential threats, it becomes increasingly important to understand the specific threats that your industry vertical faces, looking for viable solutions to ensure a robust defense-in-depth strategy.
And when it comes to an industry under attack, one of the top contenders is the Education sector. While Finance and Retail sectors dominate most every report, the Education sector remains a top viable target for insider and external threats alike.
Education has the highest rate of ransomware of all industries. In fact, Educational organizations experience over three times as many ransomware attacks as Healthcare, and more than ten times the number found in Finance.
Education organizations represent a repository of so many types of valuable data. Personal information on teachers, staff, and students along with payment information and health records can be used as part of a financially-motivated crime. Higher education institutions doing cutting-edge research have data sets and intellectual property that can be the perfect target for either a ransomware or espionage-motivated attack. While many colleges and universities have stepped up their security efforts, attempting to match that of other industries, they remain a target for both ransomware and external attacks.
Primary and secondary schools with younger students are also extremely viable targets, mostly due to the lack of budget assigned to security initiatives, causing antivirus software or spam filters to be the primary defense.
While you may be keenly aware that your education organization may be the target of attacks, it’s important to better understand who is doing the attacking, why, what they’re after and — most importantly — what you can do about it.
The chart below provides some clarity on the nature of attacks in Education, taken from the 2017 Verizon Data Breach Investigations Report:
Threat Actors | Actor Motives | Data Compromised |
---|---|---|
71% External | 45% Financial | 56% Personal |
45% Internal | 43% Espionage | 27% Secrets |
3% Partner | 9% Fun | |
External attacks make up the lion’s share, with criminal organizations looking for ways to gain entry to your network in an effort to exfiltrate valuable data or hold it for ransom.
And while the primary source of attack is an external threat actor, the Education sector is also subject to attack from within. Tech-savvy students who know more than their IT department are, generally, self-serving and unconcerned about the security and well-being of the network environment. They will work to find ways to circumvent any safeguards in place to ensure they can visit every part of the web they want, which puts the institution at risk of malware infection.
Students also leverage the applications and systems provided to them to reach their personal objectives — from downloading music, games, and movies to hosting a business website. Students are notorious for finding a way, regardless of whether their actions adhere to security policy or not.
It’s evident IT organizations in the education sector need a strategy that helps to identify when any kind of threat actor attempts to strike, and do so in a manner that does not inhibit the abilities of faculty, staff, and students.
So, what is logon management and how can it help in an education setting?
The concept of logon management centers around four primary functions — all working in concert to maintain a secure environment:
Policy: Establishes who can logon when, from where, for how long, and how often. It can also limit specific combinations of logon types (such as console- and RDP-based logons) and users.
Monitoring: Awareness of every single logon as it occurs serves as the basis for enforcing policy, alerting, reporting, and more.
Alerting: Notifies IT and pertinent users of inappropriate logon activity and failed attempts.
Response: Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.
By putting these sets of functionality together, logon management puts a protective layer at the forefront of your network, ensuring use is appropriate.
Now, you might ask yourself, why logon management and not something else, like Next Gen Antivirus or Endpoint Security? It’s a valid question. Unlike most security solutions, which attempt to reside at the point of the malicious actions, Logon Management seeks to seamlessly insert itself into the process, stopping the threat action before it happens.
There are a few reasons why Logon Management is a responsible and effective part of your security strategy.
Common to every type of attack is the need to logon. Whether accomplished using a remote session, via PowerShell, leveraging a mapping of a drive, or by logging on locally at a console, your network requires that a user authenticate themselves before being given any kind of access.
Whether it’s a student trying their hand at hacking or leveraging a stolen teacher’s password, a teacher up to no good, or an external attacker leveraging stolen credentials, they all need to logon in order to be successful.
Unlike security solutions that require an attacker to perform some kind of inappropriate action, such as attempting to access sensitive data, making copies to a USB stick, or attaching files to web-based email, identifying a potential attack with Logon Management occurs before any access of any kind is achieved, let alone leveraged.
This gives IT a leg up on responding before any damaging actions are taken by an attacker.
The dreaded part of any security solution is the potential for a storm of alerts that turn out to be false positives. With so many users logging on, and at just about any time of the day in universities, IT must have solutions in place that are certain about the attack potential.
Using policy-driven controls, Logon Management is configured based on the normal use of the environment, only providing alerts when a logon is out of policy.
For example, if a student gets a hold of a teacher’s credentials and tries to logon on a Saturday at 3 in the morning, you want a notification on it. Likewise, if the student is trying to logon during regular school hours but keeps getting cold feet, resulting in multiple logons within a short time, IT also wants to know.
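The two out-of-policy cases described above (a logon outside permitted hours, and repeated logons within a short time) can be expressed as a small policy evaluator. This is an added example, not code from the original article or from any product; the role names, hours, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Policy:
    days: frozenset      # permitted weekdays, Monday=0
    start_hour: int      # first permitted hour (inclusive)
    end_hour: int        # end of permitted hours (exclusive)
    max_logons: int      # logons tolerated inside `window`
    window: timedelta

POLICIES = {  # hypothetical per-role policies; every value is illustrative
    "teacher": Policy(frozenset(range(5)), 6, 20, 4, timedelta(minutes=10)),
    "student": Policy(frozenset(range(5)), 7, 17, 2, timedelta(minutes=10)),
}

def evaluate(events, policies=POLICIES):
    """Return (user, timestamp, verdict, reason) per logon, in time order."""
    recent = defaultdict(deque)  # user -> logon times still inside the window
    results = []
    for user, role, ts in sorted(events, key=lambda e: e[2]):
        p = policies.get(role)
        if p is None:
            results.append((user, ts, "alert", "no policy for role"))
            continue
        q = recent[user]
        q.append(ts)  # every attempt counts, including out-of-policy ones
        while ts - q[0] > p.window:
            q.popleft()
        if ts.weekday() not in p.days or not p.start_hour <= ts.hour < p.end_hour:
            results.append((user, ts, "alert", "outside permitted hours"))
        elif len(q) > p.max_logons:
            results.append((user, ts, "alert", "repeated logons in short window"))
        else:
            results.append((user, ts, "allow", "within policy"))
    return results

# Constructed sample events: (user, role, timestamp)
SAMPLE = [
    ("t.jones", "teacher", datetime(2017, 12, 9, 3, 0)),    # Saturday 03:00
    ("t.jones", "teacher", datetime(2017, 12, 11, 8, 30)),  # Monday 08:30
    ("s.lee", "student", datetime(2017, 12, 11, 9, 0)),
    ("s.lee", "student", datetime(2017, 12, 11, 9, 2)),
    ("s.lee", "student", datetime(2017, 12, 11, 9, 4)),     # 3rd logon in 4 min
]

if __name__ == "__main__":
    print(*evaluate(SAMPLE), sep="\n")
```

Because only out-of-policy logons produce an alert, the Monday-morning teacher logon and the first two student logons pass silently, which is what keeps the alert volume low.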
This is one of the most important aspects of your security strategy. Nearly every security solution on the market says it stops attacks. Be careful here — does the solution just alert IT to a threat potential (which only stops an attack once IT intervenes, or perhaps just minimizes the attacker’s exposure, but didn’t stop the attack), or does it take action and stop the attack?
Unlike solutions that detect malicious actions (such as antivirus detecting the presence of malware, or data loss prevention detecting a user attempting to copy data to a USB drive) once some degree of damage is done, Logon Management takes a far more proactive approach. If a logon falls outside a set of established restrictions, it can automatically block access or, if the user is already connected, immediately and forcefully log the user off and lock the account, putting a stop to the attack before any malicious actions are taken.
Because Logon Management provides early detection of inappropriate activity well before any data breach happens, it's a no-brainer security layer that helps secure access to critical systems and sensitive data.
But how does logon management specifically help education?
Being such a unique networking environment, Education can’t always afford to tailor its security needs to match the capabilities of security solutions designed for traditional business environments. What’s needed is a security solution that can easily adapt to the changing needs of educational institutions at any level.
Logon Management is an ideal fit for the security needs of the Education industry for a number of reasons:
Seamless Integration
The ratio of user-to-IT is so high, any security measures put in place need to facilitate both security and productivity, ensuring the user can quickly get access to online learning resources, but in a way that allows IT policies to fully be in control at a moment’s notice.
Logon Management integrates with the logon process, allowing users to participate in a secure model of scrutiny without sacrificing productivity.
Training-less Implementation
Could you imagine if you had to train every single student how to use some new security solution? Such an idea is a complete non-starter. Logon Management should require zero training, making implementation easy in an educational setting.
Zero Trust Model
Because the Education environment is uniquely used by a majority of high-risk users (that is, students), Logon Monitoring policies can be created to specifically put more stringent limits, alerts, and responses on those with higher risk.
Cost-Effectiveness
Education organizations have a limited budget and, therefore, need to spend that budget wisely, ensuring they get (in the case of security spend) the most security protection with the least amount of money spent.
Proactive Security
Given the tech-savvy nature of your students, your security cannot be reactive, waiting until a malware infection occurs or hacking activity is successful. Logon Management effectively limits the scope of access, stopping the threat actor before they can do any harm.
The education industry is one of the most heavily targeted (and successfully attacked) industry verticals. Its user base can range from the completely innocent to the absolutely sinister, making it necessary to provide protection in a way that is integral to the very way students, teachers, and faculty interact with the network — one that facilitates security as much as it does access.
Only Logon Management provides educational organizations with the ability to seamlessly secure the entire network. It allows the process of educating to continue as normal, but with the scrutiny and control necessary to automatically shut down suspicious activity at the point of entry.