Higher Education Turns to Endpoint Security

The Ohio State University’s faculty and staff need more than just anti-virus software to secure the myriad devices and technology used on and off campus.

The volume and diversity of computing devices on campuses today results not only in greater threats to network and infrastructure security, but also greater potential for logistical nightmares for IT leaders who must keep track of and secure it all.

Chief Information Security Officer Helen Patton recently upgraded the university’s existing anti-virus software with Symantec Endpoint Security, a more feature-rich security package that includes anti-virus and anti-malware protection, personal firewall and host-based intrusion detection.

It also includes additional security capabilities, such as application whitelisting (which prevents unauthorized software from being used) and port and device control (which manages the use of removable media). To further improve endpoint security, her office makes encryption technology and data loss prevention (DLP) software available to each college and department within The Ohio State University system.

“The truth about the security field is that there is no one tool that will support all of your needs,” Patton says. “Most security professionals take an in-depth approach, where you have tools that overlap, and in total, give you a relatively solid posture.”

Many universities and colleges say endpoint protection is key to ensuring critical infrastructure and data stay safe, and they’re turning to the latest endpoint security products as Patton has done at Ohio State.

Endpoint security may also include behavioral monitoring, full-disk and file encryption, endpoint DLP and mobile device management (MDM), either through an integrated endpoint security suite or through stand-alone products.

“Endpoint security is critical, and becoming more critical,” says Mike Rothman, president of Securosis, an information security research and advisory firm. “For a long time, you could get away with and compensate for having weak endpoint security because you had strong network security. That’s not the case with all the mobile devices and folks connecting from untrusted networks. You can’t just depend on a strong perimeter in order to protect the devices.”

Tightening Up with Multilayered Security

Texas A&M University-Commerce combines a mix of security tools, security configurations and policies, as well as training to protect university-owned desktop and notebook computers. Among faculty and staff, about 80 percent primarily use desktops, while the remaining 20 percent primarily use notebooks, CIO Tim Murphy says. Some faculty and staff use notebooks as their secondary devices, but they may serve as primary devices when those employees travel or work from home. Everyone must securely log in through a virtual private network to access university applications and data, Murphy says.

As for allowing employees to use their personal mobile devices, the university’s Center for IT Excellence (CITE) staff is now developing a bring-your-own-device (BYOD) policy and deciding whether IT staff should have the ability to remotely wipe a personally owned mobile device, such as a smartphone, Information Security Officer David Maxwell says.

CITE installs Kaspersky Lab’s Endpoint Security anti-virus and anti-malware software and recently removed administrative privileges from each computer, preventing users from installing unsanctioned software. Turning off administrative privileges eliminates a potential point of attack. Jeff Faunce, the university’s director of infrastructure services, recalled that some university employees just a few years ago installed unapproved instant messaging software that was an attack vector for distributing malware.

Disabling administrative privileges can also stop so-called drive-by download attacks, where users unwittingly download malicious software by visiting compromised websites, Faunce says. CITE staff has installed a Palo Alto Networks next-generation firewall to bolster endpoint security on the Texas A&M-Commerce network. The multifunction device checks network traffic for viruses and malware, but also features a web content filter that blocks access to known malware-infested websites.

“There is no magic cure-all, but anti-virus software is one piece, and administrative privileges and the next-generation firewall are additional pieces. And all those pieces together lower your risk,” Faunce says.

Photo: Dan Bryant

Tim Murphy, David Maxwell and Jeff Faunce ensure Texas A&M University-Commerce staff enjoy a more secure BYOD program through endpoint security, anti-virus and anti-malware software.

Deploying Transparent Security Tools

Ohio State’s Office of the CIO focuses on endpoint security for university-owned desktops, notebooks, tablets and smartphones. While the central IT department recommends that students use anti-virus software and provides them with security training and awareness, IT leaders do not require students to use security software because the university doesn’t own their devices.

“We aren’t going to require students to use anti-virus anymore than a bank would require its customers to have certain security software on their laptops when they do online banking. The students are our customers,” Patton says.

Ohio State’s IT security team provides the overall direction of security policies; handles identity management, incidence response and network security; and purchases enterprise security software and services for the entire campus. But as at other institutions, each college and department manages its own technology, including endpoint security.

While faculty and staff must adhere to security policies, they also have some autonomy as far as how they use technology, which may be at odds with security best practices for other industries. For example, faculty may insist on visiting high-risk websites as part of their research. “We are not like private industry and tell people that I will lock down their endpoints, that they can’t go to certain websites and can’t use USB devices,” Patton says. “That doesn’t fly in higher education.”

Without the ability to enforce stringent endpoint security standards, Patton says she does the next best thing by providing the campus community a wide range of security tools — everything that individual colleges and departments and their users need to secure their computers and mobile devices.

To boost adoption, she focuses on easy-to-deploy, easy-to-manage software that’s unobtrusive to users.

“We want something that is easy to use to the point of transparency to the end user, that still provides them a level of protection,” she says.

Last summer, the CIO’s office purchased an enterprise license of Symantec Endpoint Protection that covers every employee. So far, about 60 percent of the campus has deployed the technology. The university’s previous anti-virus software license had expired, so the initial focus is to update users with the new software. Over time, Patton plans to roll out additional security features to improve endpoint security.

Some detractors criticize anti-virus software, arguing that by the time an anti-virus definition is written, virus writers have engineered around it. While that has some truth to it, anti-virus software still provides value, Patton says.

“It may not necessarily provide zero-day kind of protection from viruses, but it can help you with the stuff that’s already out there,” she says.

The university follows industry best practices to protect the network and mitigate threats, including the use of intrusion detection monitoring and scanning email for malware and viruses. To further protect endpoints, the university previously purchased encryption technology for servers, computers, tablets and smartphones, as well as Symantec Data Loss Prevention software for computers and servers.

Patton says everything that must be encrypted is now encrypted, while DLP software adoption, which scans for sensitive data and can block users from sending that information over email, remains a work in progress.

Fighting Phishing Attacks

At Austin, Texas-based St. Edward’s University, the Office of Information Technology struck a deal with a software maker two years ago to not only provide anti-virus software for the university’s 1,800 computers used by faculty and staff, but also its 5,000 students.

The campus community faces a lot of phishing attempts over email, and the central management console for the Windows version of the software blocks known links to phishing websites, says Jason Arellano, the university’s user services manager.

“When users click on the phishing links, our management console tells them that this web address is not authorized,” he says.

Mobile Security

St. Edward’s University also installed AirWatch’s cloud-based MDM software to centrally manage and secure 360 university-owned smartphones and tablets, including 50 tablets used by students in a mobile learning pilot.

Through AirWatch, Arellano allows campus employees to download applications, access email and the web as well as text message their colleagues. All network traffic is encrypted, and if the managed devices get lost or stolen, he can use the software to remotely delete all the data.

Similarly, Ohio State uses MDM software to secure smartphones and tablets as well as keep university applications and data in separate, secure containers — a practical option for BYOD initiatives. Whenever devices are lost or stolen, IT staff can remotely wipe any university data without touching personal data.

Overall, endpoint security software is one of the most important security tools colleges and universities can provide to protect their data, Patton says.

“If all we did was keep information locked away on servers and in data stores, I wouldn’t care about the endpoints. But that’s where humans sit, and humans are the weakest link in the security chain.”