Improving Security and Compliance in Higher Education

Why is it that 35% of all reported breaches in 2014 were in higher education?

There are multiple reasons, based on the complex environments in higher education institutions:

• BYOD and unmanaged devices: While asset criticality is the most important factor in risk assessment, detecting and identifying all assets is challenging in an environment where students and staff use personal, unmanaged devices for schoolwork and personal browsing.
• Diverse operating environment: What other organizations deal with hostile dorm networks, systems hosting academic records, protected healthcare data, financial records, credit card transactions and high-value intellectual property?
• Limited budgets and staff: In a recent SANS survey, 73% blamed budget limitations for not being able to maintain or increase IT staffing. A limited staff can only do so much in a day.

Security requirements

To be effective, security and compliance programs must be designed to answer the following key questions:

• What’s connecting to the network? It is essential to identify your assets (including laptops, tablets, and smartphones) before determining what’s at the highest risk. Wouldn’t it be useful if your security implementations could identify student and faculty-owned devices as they connect? Transient devices could then be evaluated for vulnerabilities and malware, and prioritized for patching.
• Is critical data exposed? According to the SANS survey, only 48% encrypt personally identifiable information (PII) data at rest and 54% encrypt data in transit. Effective solutions should help ensure that PII data is not sent unencrypted or students are not accessing critical administrative servers. Wouldn’t it be great if you knew whether the PII data was being transmitted from a vulnerable machine that’s sending data to a botnet site?
• Where can I make the biggest impact? You have plenty of security and monitoring products that can generate all types of alerts. But how many take the next steps to identify which actions you should take to reduce the most risk?
• How effective am I? Even when these questions are addressed, frequent network and system modifications can quickly change your overall risk profile and response. In such deployments, a continuous security and compliance view is essential to understand the effectiveness of security controls and policies.

Tenable’s innovative approach

To answer these questions, Tenable offers Nessus® and SecurityCenter Continuous View™ (CV), bringing the benefits of next-generation vulnerability management together with on-going risk analysis to capture unknown and unmanaged devices, users, applications and threats. SecurityCenter CV™, our continuous monitoring solution, also measures and grades security exposure and mitigation processes to clearly present program effectiveness to key stakeholders.

• Devices: Tenable solutions detect all types of devices, including MDM (mobile device management) managed devices, by querying management servers and locating unmanaged portable devices through traffic analysis, to identify which student and faculty systems are vulnerable or incorrectly configured.
• Data: Nessus identifies where PII data resides by scanning university administrative systems, and SecurityCenter CV™ monitors traffic for any unencrypted faculty and administrator PII data in transit. IT staff can ensure that students are not accessing unauthorized faculty systems and that administrative systems are not running malware.
• Response: Nessus identifies vulnerabilities and malware on exploitable systems. SecurityCenter CV further identifies actions that can reduce the most risk. This ensures that your limited staff prioritizes remediation or implements patches that provide the most reduction in risk.
• Assurance: SecurityCenter CV offers pre-configured and customizable Assurance Report Cards (ARCs) that grade your security configuration and compliance posture. It also measures whether your patching cycles are up to date in mitigating critical risk and keeping your systems in compliance.

Resources

To learn more about Tenable solutions for higher education, consult these resources:

• Visit our Higher Education webpage for more information on Tenable solutions and resources.
• Evaluate SecurityCenter CV and Nessus.
• Learn more about the SANS survey results for higher education.

For a limited time, Tenable is offering higher education promotions. Contact Tenable Sales to take advantage of this promotion, available until September 30, 2015.