Target: Tufts University- A Cyber Risk Threat Model

Brian Larson
Sep 22, 2020
Tufts University (tufts.edu/visit)

In developing a cyber threat model for Tufts University, I chose to adopt the “Framework for Improving Critical Infrastructure Cybersecurity” (Version 1.1) published by the National Institute of Standards and Technology (NIST). The Framework focuses on using “business drivers” (e.g. cost reduction) to guide cybersecurity activities and on “considering cybersecurity risks as part of the organization’s risk management processes.”[1] The Framework consists of three parts: the Framework Core (Exhibit 1), the Implementation Tiers, and the Framework Profiles. I will focus specifically on building out the Framework Core in relation to threats from phishing and malware scams. It is important to note that the Framework is “technology-neutral” and instead relies on “global standards, guidelines, and practices that evolve with technology.”[2]

Exhibit 1: NIST: The Framework Core (April 2018)

Description of Current Cybersecurity Posture

Tufts University currently has a robust cybersecurity program and associated protocols in place to manage cybersecurity risk. Because Tufts University is a private institution, many of its cybersecurity protocols are not publicly available. However, like many large institutions in the United States, Tufts University must comply with federal requirements that oblige Institutions of Higher Education (IHEs) to ensure the privacy, security, and confidentiality of Personally Identifiable Information (PII). These include the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Student Aid Internet Gateway (SAIG) Enrollment Agreement.[3]

The Framework Core outlined by NIST provides a set of activities to achieve specific cybersecurity outcomes through five key functions (Exhibit 1):

Identify: Recently, two of the biggest cybersecurity threats that Tufts University has encountered have been phishing scams and malware/spyware installation. This month (September 2020) Tufts University saw a major phishing campaign with the subject line “COVID-19 Benefits” (Exhibit 2). The scam harvested the PII (social security numbers, driver’s license numbers, etc.) of faculty, staff, and students. Additionally, Tufts University has seen an uptick in malware requests (messages urging recipients to install software; Exhibit 3) since the beginning of the year, when the transition to remote learning required students to install additional software to connect remotely to campus and classes. The sender domains of these scams point to Russia and China (Exhibit 3), although sender domains are easily spoofed or registered through intermediaries, so they are weak evidence of where the threat actors actually operate.

Exhibit 2: Tufts University Phishing Scam “COVID-19 Benefits” email
Exhibit 3: Tufts University Malware Request Example

Other possible threat actors: While the sender domains of the phishing scams described above are tied to specific nations, it is also important for Tufts University to recognize that nation-state espionage is on the rise. For example, the Chinese Communist Party (CCP) has been linked to the hacking of China-focused academic programs and research institutions.[4] Other threat actors include disgruntled students, as reported by the Tufts Daily last year, as well as cybercriminals looking to hold data and systems for ransom.[5]

Protect: Tufts Technology Services (TTS) has implemented appropriate safeguards to ensure the delivery of critical services (e.g. classes, research data). Such safeguards include awareness and training (Exhibit 4) and a Service Desk available 24/7 to handle and escalate cybersecurity threats.

Exhibit 4: Tufts University Response Emails to Phishing & Malware Scams 2020

Detect: TTS has continuous monitoring and detection processes for anomalies and events embedded in its IT infrastructure. TTS contracts out some of these monitoring activities to third-party providers to assist in maintaining blocklists (Spamhaus), access controls, and server integrity (a mixture of AWS, Oracle, and other undisclosed hosting services).

Respond: TTS, as described, can communicate with staff, faculty, and students to alert them to possible attacks. Additionally, many of Tufts University’s mitigation efforts begin in the contract evaluation phase with third-party vendors (software providers, server providers, third-party Service Desk staffing, etc.).

Recover: The recent phishing scam described above saw a timely recovery to normal operations. However, the financial and emotional impact on students, staff, and faculty is yet to be determined. The ongoing risk from phishing and malware scams at Tufts University is high. Because the student and faculty body is now spread globally due to COVID-19, threat actors have reason to exploit the anxiety associated with the switch to virtual learning.

Description of Target State for Cybersecurity

The target state for cybersecurity at Tufts University has changed dramatically in the past six months given the COVID-19 pandemic. It is now more important than ever that Tufts University’s virtual learning capabilities remain insulated from outside risks (and, possibly, from internal risks like “Zoom bombers”). With the increased exchange of sensitive information online (for example, all teaching assistants (TAs) at the Fletcher School had to send images of their passport or ID to TTS to verify authorization to work in the United States), ongoing cybersecurity training of employees and students will be critical to Tufts University’s ability to withstand larger, more widespread cyberattacks.

Identifying and Prioritizing Opportunities for Improvement

One of the largest identified opportunities for improvement is Tufts University’s continued evaluation and monitoring of third-party software and hardware providers. Because the university works with many vendors across its three major campuses, it is critical that Tufts University conducts ongoing risk assessments of those vendors. For example, Tufts University will likely never contract with vendors who require storage of PII on servers outside of the United States. These contract terms are usually “in the fine print” of contract negotiations and usually require expert technologists to ask server-related questions. Where such data is stored is critical not only to the integrity of Tufts University’s data (and to keeping within the scope of federally mandated data practices) but to the Tufts University brand. Especially during the COVID-19 pandemic and the switch to virtual learning, the security of classes, research data, and internal communications is critical to Tufts University’s digital brand and will require continued cycles of monitoring.

Assessing Progress Towards the Target State

Tufts University has made good progress towards the target state. This progress is due to the centralized nature of TTS handling school-wide threats while decentralizing individual campus protocols to fit the unique needs of each of Tufts’ campuses (Medford, Boston, Grafton). For example, TTS recognizes that the need for security around research data is far greater in the schools where primary research is both costly and proprietary (e.g. research on the medical campus).

Communicating Among Internal and External Stakeholders About Cybersecurity Risk

The senior executive level, which focuses on organizational risk and directs risk decisions, will be of paramount importance at Tufts University (Exhibit 5). With geographically dispersed campuses and students connecting with personal devices from around the world, cybersecurity risks are no longer confined to a single campus and will require sustained leadership from senior executives. Additionally, at the business/process level, allocation of budget is critical, especially as Tufts University faces declining revenue from student tuition and increased costs associated with updating internal IT infrastructure and with testing protocols to keep physical campuses safe from the spread of COVID-19.

Exhibit 5: Risk Management Levels- NIST 2018

[1] Page 1, “Framework for Improving Critical Infrastructure Cybersecurity” (Version 1.1), NIST (April 2018)

[2] Page 2, “Framework for Improving Critical Infrastructure Cybersecurity” (Version 1.1), NIST (April 2018)

[3] https://library.educause.edu/topics/policy-and-law/cybersecurity-policy

[4] https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-education.pdf

[5] https://tuftsdaily.com/news/2019/03/14/cummings-school-student-tiffany-filler-expelled-for-alleged-grade-hacking-argues-innocence/


Brian Larson

Brian is a graduate of The Fletcher School at Tufts University and lives and works in New York City.