Mark: Alright, hello, my name is Mark Fitzgerald. I’m the Chief Information Security Officer here at Boise State, and I’m also a professor in the business school where I teach in the MBA program and I’m currently teaching in the master’s of I.T. security program, where I’m teaching metrics, among other things, and also I.T. management.
Today they asked me to talk a little bit about the security concerns as it pertains to research at the University and a couple of different things that I came up with… I’m just titling myths of I.T. security.
Now you guys are set up pretty much like the class I teach right now, which means you’re all over the room. So if I’m not staring at you and you got something to say, go ahead and wave me down, and for those online, I’ll either repeat or I’ll bring you a mic depending on the length of your question, comment, or whatnot, but this session is for you guys.
I’ve got kind of a guideline for my myths. Still, if we turn this completely into a Q&A and a dialogue about security and what is needed to secure data for a research environment, I am okay with that as well because that’s why you guys are here: to learn about that within the research environment and collaborate together.
[Went to next slide – Myth #1: I already have been trained]
So with that, I’ll get started with my first myth, and that is I’ve already been trained in I.T. security. Alright, maybe you’ve gone through some sessions, maybe you haven’t, maybe I.T. security is new to you, but let’s say for the moment you feel that you have been trained on what to do to make sure that your data is safe.
[Went to next slide – The half-life of cyber security training is estimated at 18 months]
Well, the reality is all of the information we’re seeing is I.T. security is morphing and changing on average every 18 months.
To put it into an academic sphere, our two-year program for master’s of information security… means the things that we’re teaching them the first semester are already outdated by the time they graduated. That’s how fast this industry is moving and how fast things are changing with I.T. security.
So why? That’s the question I always want to ask: “Why is it changing so fast?” Because people are trying to steal our data. They’re becoming new and innovative. They’re trying different things; they are cutting edge because people are trying to stop them from stealing our data, and it is this constant tug-of-war.
Not only is it people that want to steal from it, but it’s also nation-states that want to steal from us. It is nation-states that want to cause damage. Since the beginning of the Ukraine-Russian war, I have got no end stream of information from the federal government warning us, guiding us, helping us try to protect against infiltration.
We’re considered a critical infrastructure, and we’re part of the government, and so they have been very open with us that we need to protect from attack from foreign states, and that includes… actually, it not just includes, primarily it’s your research that we’re protecting against, and since the beginning of that war it has just escalated tenfold the number of attacks that have happened at this University, let alone all universities.
So you are aware, we have probes to the tune of millions a day to see where our weaknesses are. That’s how active the internet is in testing to see do we have a strong defense, and it just takes one person to find a weakness, and so we’re constantly defending, constantly looking and searching, but that’s a lot to sift through. And so getting back to the myth: if you’ve been trained, that’s great, I congratulate you; if you’re paying attention, even better. But the reality is what we’re looking for continues to evolve, so we need to continually have a conversation and a dialogue saying what do we need to be doing today as opposed to what were we doing two years ago, three years ago, four years ago.
[Went to next slide – Myth #2: Someone else is responsible for information security]
Alright, myth number two, someone else is responsible for information security. I’m glad you think that it’s my job to be watching out for you, and it is my job to be watching out for you. I’ve got a team of four people, and it’s their job to be watching out for you; we’ve got a team of 120 people across the university that are dedicated to information technology, and it’s their job to be watching out for you, but the reality is it’s all of our jobs to be watching out for information security.
[Went to the next slide – Security has to be a team sport!]
Now you know the phrase in the airport, if you see something, say something, and the reality is most people don’t say anything. They know they’ll go, “Well, that seemed out of place,” but they don’t actually speak up. We need you to speak up. We need you to identify things for us to look at.
If it seems odd, at least let’s ask because usually it is odd, but it’s not necessarily something nefarious, it’s something that somebody has set up brand new, and they didn’t quite follow the normal parameters, or it could be something as simple as HR sends out an email without warning about the training we’re supposed to take and it seems fishy. That happens; we got a lot of calls on it.
Guess what? We’re actually happy to take those calls. We’ll much rather take those calls to the Help Desk to say, “Is this legitimate?” and be able to say yes, it is legitimate, than people clicking on illegitimate emails, and by the way, we have a little bit of a running joke right now. If it looks really good, and the grammar is all 100% correct, that’s probably the phish at this point. They’ve gotten very good at being very tricky.
So we’d much rather look through things, whether it’s an email or a website or just something that seems off, than rest on our laurels, and there’s a lot of reason for that because it is the little things that allow people to get in; it’s the little things that cause damage to the university, and when we’re talking damage to the university, there’s lots of things to be concerned about. There’s monetary damage; there’s theft; there’s reputational damage. All these things that can happen to us really come down to if we work together, and we pay attention, and we follow the parameters that are out there collectively, we’ll be a lot more secure.
So one of our sister organizations here in the state suffered what’s called a ransomware attack. They had one person get in, a bad actor, get in, and they were there for quite a while, scoping out all of the University and seeing how it functioned. They had a good map and lay of the land, and when the moment was right, they encrypted everything and sent a ransom note and said: “if you pay us money, we’ll allow you to get back into all your systems.” They encrypted all but, I think, six computers at the University, everything.
One credential was a professor in their math department. That’s all it took, and then they used a series of mistakes, things that were misconfigured, to be able to encrypt the entire University. It was a bad day which led to a bad week which led to several months before they fully recovered.
How do you do your research? How do you do your critical research if you were using long-term studies using lasers? What happens when those get locked up for six months? Where are you going to be as a researcher if you’re sitting idle as you’re waiting for us to decrypt things or erase everything and start over?
All possibilities, and it doesn’t have to be you that made the mistake is the point that I’m trying to get at here, so it has to be a team sport.
[Went to next slide – Myth #3: No one wants my information]
Alright, so nobody wants my information. Why do I have to care?
Yes, sir, that’s very good. So the comment was they don’t know that they don’t want your information, so they’re going to be in there saying what information do you have and if it truly is worthless to them, yeah, go ahead and encrypt it anyway. If it truly is worthless, they’re not going to know that for months because they will have copied it out anyway, and that’s called exfiltration, where they’re pulling it out of the University; they’ll hold it and they can either sell it off, they can blackmail us, or they can just destroy it.
People have different means and different motivations, and, in some cases, if it’s nation-states, they just want the information; they don’t plan on sharing it. They plan on using it, but they don’t know until they have it all and have a chance to go through it.
You know, one of the first things that I went through when I became the Chief Information Security Officer was a little bit of an exercise in which I was having a conversation with a professor saying, “Well, why would this nation-state want geographic and geology information?”
I didn’t know enough about what we did in research to answer that question on my own, so I asked. Hopefully, that’s a good thing we have a conversation, so we ask.
I didn’t think about the implications of building dams. I didn’t think about the implications of the military use of geological information. All these things that I didn’t think to think about by having the open conversation together, I was informed, and then we were able to inform and discuss ways of keeping that information safe, even though I felt it was fairly benign.
[Went to the next slide – Even the most trivial data has value!]
But there are plenty of people that want our information, so even the most trivial data has value.
Now if we back up a second and look at the entire University and not just research, we have health information, we’ve got credit card information, we’ve got personal identities, we have all great information. We have this for students in the United States, all 50 states. We’ve got this for students in dozens and dozens of countries, and more importantly, we have it for everybody who has ever attended here or even applied here to the tune of about four hundred and fifty thousand individuals have interacted with the university since we brought PeopleSoft online in 1998, so we have this for a lot of information.
When you get into the research world, of course, you guys are aware of the stuff you’re doing, and we read in the magazines about what we’re doing. We’re doing a lot of groundbreaking research on all sorts of topics, anywhere from DNA to Material Science, to raptors, to geology, to all these different things; we got a lot of information that people are willing, wanting, and interested in stealing.
I had the opportunity to sit down with Dr. Trump, and I jokingly said something that she didn’t find very funny, but it is a very serious point of view, and that is when we are successful at football, and we go to things like the Fiesta Bowl, we see a wonderful spike in applications to our grad program, we see a spike of applications to come here as an undergrad student, and we see a very similar spike to the number of attacks to the university. When we are successful, and we are in the media, and we are publicized, we see an increase of attention all across the university, and she looked me straight in the eyes and said, “I’m not going to ask the football team to do poorly so that we can stay safe,” and I said, “I’m not asking you to, but you think about that…” what’s that? She got the joke, she understood it, and her seriousness actually made it that much more funny.
As you are successful as a researcher and you are published, you’re drawing attention to yourself. Please draw attention to yourself. We want this success as a university but understand it draws the attention of those that may be interested in what you’re doing as well, and those types of people are the ones that can use methods of social influence.
They reach out posing as another institution, as a professor, an interested student, and of course, we want to talk about what we’ve done, and they’re very good, and the question is, “Do you know you’re talking to a student or real professor or are they talking to somebody that potentially is fishing for information to be able to use that against you?”
I don’t want to make you paranoid, but I do want to make you aware and vigilant, and this can be very challenging.
[Went to next slide – Myth #4: Security slows me down]
Alright, myth number four: security slows me down. Alright, this myth may be correct: security is going to slow you down. Good security won’t slow you down as much. I don’t think we have the best security on the face of the planet. I think we’ve got a lot of room to improve.
I got to tell you, especially as the first part of the pandemic teaching in our classrooms to get Zoom fired up to get the multi-factor turned on to get signed into Canvas to get everything in; we were timing professors. To see how fast it took them, on average, about eight minutes to get everything set up. I think the best time I had in the semester that I was paying attention took me seven minutes to get everything on the podium lined up and ready to go. That’s a long time. That’s inconvenient;
we’re trying to improve a lot of those things. We need your help in offering ideas and areas in which we need improvement; we’re open to that because if we don’t know about it, we can’t improve on it. We also have limited resources, so it takes some time for improvement, but I want you to think about this
[Went to next slide – Have a breach, and you have a new full-time job]
from another perspective. If your data is lost, you have a new full-time job, and that is recovering your identity, that is recovering your work, recovering everything, so slowing you down a little bit on the front end to keep you from losing everything on the back end is actually still speeding you up. That might be a little bit of a stretch, but I do want you to think about that. If you’ve ever been the victim of identity theft, especially early on when identity theft was so rampant, you realize that you have a new full-time job to reclaim your life, and in some cases, that never goes away, right? Every time you file with the IRS, you have to fill out extra paperwork and send in the papers rather than doing it online because you were subject to an IRS scam or if you accidentally get put on the no-fly list every time you go to the airport you have to plead your case or whatever it happens to be you can see how being a victim slows you down much more than if you were diligent and had the ability to protect yourself upfront.
Now with that said, a lot of things that we do for security don’t slow you down. Most of our security measures are on our network, and I hope that you’re not aware of them. They’re happening automatically. They’re happening without your knowledge. On occasion, you’ll get caught up in some things, so I want to make you aware of a tool that we use that has a high possibility for what we call a false positive, that you could be doing something very good and we shut you down, so I’m informing you, and I’m asking for forgiveness before it ever happens. It’s a tool called Varonis; what it’s looking for is if somebody starts encrypting large amounts of files on our network, it would look like a ransomware attack, so it prevents that and notifies us. What it also does is if it’s your workstation or if it’s you on a server, it will lock you out, it will close down the walls of the firewall, and you won’t be able to use your account anywhere. Not on the network, not on your local computer; it should shut you down everywhere. Now since we’ve turned this on, we have not caught a ransomware attack, thank goodness, because there hasn’t been one, but we have shut down one professor. They were encrypting a large number of files legitimately, and it took it as an attack, so I apologize to that professor, but it’s a pretty big hammer to protect us against a pretty big issue, and so we’ve been working on tuning it. It was very helpful that the professor got locked out. We’ve got him back in, and so I want you to be aware we’ve got tools like that looking and waiting.
We have sensors all across the network that are looking at all of the traffic, saying, is this good traffic or bad traffic, but where we have millions of probes, we’ve got tens of millions of packets of data, hundreds of millions of packets of data crossing the wire every hour, and so it is truly sifting a very large haystack for a very small needle trying to pick this out, but this is what we’re trained to do and what we’re looking at. So on the very edge, we’ve got a firewall in between, we’ve got sensors, we’ve got tools, we’ve got people, and then it comes down to the configurations, so if you’ve ever listened to Max Davis Johnson talk, he’s going to talk about people, process, technology. That’s what we’re trying to apply. Most of this isn’t on your local computer; most of this is on the network trying to prevent things from getting to your local computer.
Now if you go out to boisestate.edu/policy and you read through all of the I.T. policies, it’s a thrilling read, and it will really help you sleep at night. I know you all go out there and read all of the policies. What I do want to let you know is those policies have been updated with the stent of cyber security in mind, and it’s been a while. In fact, if you were a firm believer and reader of policy like I know you all are, you would have seen that Netscape is our preferred browser and what you should have been using to surf the web. That was written into policy, and it’s taken that long to update policy. I haven’t used Netscape, well, since before at least some of my children were born.
Now we’ve gone out and created a series of documents just called minimum security standards, and these are things that I would actually ask you to go take a look at because these are things that we want as a minimum base level of security for all of your computers, and as researchers you play with very fun, interesting computers, right? Whether it is a specialized computer made to be out in the field, it’s a, you know, a Panasonic Toughbook, or whether you’ve built your own computers because you’re studying microchips. It doesn’t matter the device that you have. We need you to follow these minimum security standards even if your research is building computers because these are the things that are needed to keep people out, and so we’re only as strong as our weakest link.
[Went to next slide – Myth #5: My data is all in the public domain]
Alright, myth number five, my data is all in the public domain now. I’m a part of a committee that reviews all research data, and there is a little form there that says, “Tell us about the data that you’re working with,” and almost always people say, “Yeah, this is in the public domain,” and you go back and say, “So I can download it without paying somebody for it?” “Well, no, you have to go out and sign a form and be able to prove you’re a researcher, and then you can download it from the CDC.” Okay, that’s not public domain. I mean, if you have to register for it, if you have to prove you’re part of an organization, there’s a level of protection there. They’re not giving it to just anyone.
Now I know a lot of you do research that’s in the public domain. You’re just scraping websites out there, or it is available for anybody to download without registration free of charge. It exists, but then what are you doing to manipulate it? Are you freely giving your work away? Some people are, some people aren’t, but the reason I want you to think about this is data is valuable to a lot of people. What we create is that information is valuable, your work and time are valuable, and so if you’re tracking boxes, that says it’s all in the public domain since you don’t want to deal with us. It just happened you’re doing yourself a disservice, and you’re doing the university a disservice.
We’re really trying hard not to slow you down, but I’m sure everybody in the room could give us stories and examples where the bureaucracy of the institution, no matter what institution you’ve worked for, has slowed you down. Yes, and we’re trying to be much better at that,
[Went to next slide – We underestimate the value and accessibility of data]
we’re trying to work with you on that, but I don’t want you to underestimate the value and the accessibility of data. How am I doing on time? Okay, great.
[Went to next slide – Myth #6: If I get the grant, the university can store the data (or at least work it out)]
Alright, myth number six, if I get the grant, the university can store the data, or at least if I get the grant, they’ll be able to work it out. “7 pleases” Talk to us before you submit that grant because we can help you write the grant in Research Computing, we can help interpret the requirements of the security, and the reality is at this moment in time, we cannot accept all data, and we’re working very hard so that we can accept more and more of it.
The problem Boise State has in all aspects of Boise State is finite resources. I need your help in pointing me to what we need to be doing, yes? Yes, playing on our website right now, we cannot do HIPAA data. We cannot do ITAR data which is an international trade and something arms and whatever, weapons. It’s not about size per se, although if you’re getting something really big, of course, we’d like to know and make sure we can do the size. It’s the types of data, and if you have something HIPAA in the pipeline, that’s where I’m focused right now, and I could probably give you a thumbs up that anything you want to do HIPAA we should be able to do with some preparation, but until I’ve got people that say we are going to be doing this I don’t know exactly where to finish all of the requirements that we have to be able to do the HIPAA data.
We have the possibility of somebody working with an arms manufacturer, and so they said, “We need to be able to meet these requirements.” Do we meet them today? No, we do not meet them today, but since we’re working beforehand with them, we’ve done a lot of the preparations that if they get this grant, we should be able to use the information and go forward on that.
So please talk to us before the grant is submitted. Give us time to at least consult and tell you where we’re at and what it would take to get there on your particular thing. If we want to get into the details, we are working with the Center for Pervasive Internet Security out of CID, which they are actually going to help us host some of the information in AWS in Amazon in a secure manner that we can actually do that HIPAA data and using that same technology we should be able to replicate that to do other types of secure informational data. You get into the really high-level Federal stuff, we then need people that have top secret clearance on staff things like that that we don’t have today, but if there is
[Went to next slide – We can manage most data but need to be part of the conversation well before you submit the grant]
need for that to point us in the right direction.
[Went to next slide – Take time to open up conversations and work collaboratively with I.T. make sure we know and can help]
So that takes time to open up conversations and work collaboratively. Now how do you engage I.T.? You can come directly to me; I’m in the directory; you can send the help desk an email and they’ll get it to me, or you can work with OSP because you’re used to working with OSP or the IRB folks, and they know when to send something my way. We talk on a regular basis. You can work with Research Computing because you’re handling large data sets, you’re using HPC, or just want to help design how you’re handling data; they know where to involve me. Just start opening up the conversations and saying there is an I.T. security concern here, and that will trigger people to have more conversations. I hope this has been informative. I hope that this will drive some action, and do you have any questions that I can answer right now?
Speaker 1: Researchers are working with modeling AI. Have you had problems with the size of any data so?
Mark: The question is, some research has been working with modelers and AI. Have we had problems with the size of the data? Thus far, I’m not aware of any size concerns, we’ve had some issues where we’ve had large amounts of data in the wrong place, so it took a while to move them, but those that have been working with Research Computing have from my understanding been very successful with both the size and scope of the data that they’ve been working with. Alright, well then, I will get you to the next session here, which I believe Leaf is your turn here, so Dr. Nelson is our director of learning Technology Solutions in OIT
[Went to next slide – BSU Logo: ”Boise State University”]
and is going to be talking about AI and generative platforms.