This document discusses cybersecurity risks facing universities and research. It provides background on the speaker and their experience in higher education cybersecurity. It then discusses why attackers target universities, including for financial gain, intellectual property theft, and disruptive attacks. The document outlines the types of data targeted at universities and notes that availability and integrity of research data is important beyond just confidentiality. It discusses how cybersecurity expectations are solidifying across presidential administrations and impact areas beyond just research, like student financial aid. The document presents approaches for achieving compliance and notes responsibilities must be shared when using cloud services. It recommends universities take a holistic, campus-wide approach to compliance.

1. Cybersecurity and Research
Industry perspectives for
ASEE ERC annual meeting
13 March 2018
Arlington, VA
Christian Schreiber, CISM, PMP
Global Pursuit Specialist – FireEye

2. Introductions
2

3. ©2018 FireEye | Private & Confidential
Professional background
20 years higher education experience
• CISO positions: The University of Arizona, University
of Wisconsin – Whitewater
• IT leadership: University of Wisconsin – Madison,
Central Michigan University
• Service provider leadership: Ellucian / SunGard
Higher Education
FireEye roles
• Global Pursuit Specialist with focus on higher
education
• Program Executive supporting the University of
California System
3

4. ©2018 FireEye | Private & Confidential
4
To relentlessly protect our customers with innovative technology
and expertise learned on the front lines of cyber attacks.
FIREEYE MISSION

5. ©2018 FireEye | Private & Confidential
FireEye built unique visibility across attack lifecycle
Adversary Intelligence
Deploying global researchers with
local knowledge
• 22 countries
• 30+ languages
• 150+ analysts & researchers
Machine Intelligence
Generating attack telemetry globally
• 15,000 network sensors
• Millions of endpoints and email mailboxes
• 56 countries
• Tens of millions malware analysis / hour
Victim Intelligence
Responding to the most significant
breaches
• 13+ years investigative expertise
• 200+ of the Fortune 500
• 26 countries with consultants
Campaign Intelligence
Witnessing attacks as they unfold
• 7 Security Operations Centers
• 99m+ events ingested
• 21m+ alerts validated by Intel
• 33,700+ incidents dispositioned
24% of R1 institutions
are FireEye
customers
5

6. ©2018 FireEye | Private & Confidential
Experts frequently cited about cybersecurity trends
6

7. Understanding the threat
7

8. ©2018 FireEye | Private & Confidential
Reasons attackers target universities
8
• Financial gain
•Attackers steal information that can be sold (such as personal information or financial information) or extort
victims for money (such as Ransomware)
Organized Crime
• Disruption and political statements
•Attackers spread political messages (such as defacing websites with political messages)Hacktivism
• Theft of intellectual property
•Attackers steal information for economic or political gain (such as research or politically sensitive information)Economic Espionage
• Exploit resources for further attacks
•Attackers use university technology to attack other organizations (such as compromising a server to carry out other
attacks or using email to launch spear phishing attacks)
Pass-through Attacks
• Disrupt operations
•Attackers aim to interrupt normal university business operations (such as launching a denial of service attack)Destructive Attacks

9. ©2018 FireEye | Private & Confidential
Types of university data targeted by attackers
Sensitive Enterprise Data
• Credentials
• Employee data
• Student records
• Financial data
• Recruitment and
marketing data
Research with Potential
Economic Value
• Energy technology
• Biotechnology, medical,
and pharmaceuticals
• Engineering
• New materials, such as
semi-conductors
• Information technology
Politically or Commercially
Sensitive Information
• Climate modelling
• Economic data and
projections
• Live animal research
• Product development
data
• Information used for
expert testimony
9
* Adapted from: Universities UK. “Cyber security and universities: managing the risk.” November 2013.

10. ©2018 FireEye | Private & Confidential
Some of the earliest publicly reported APT attacks leveraged university
computer networks
10
“To run their spying
campaign, the [Chinese]
attackers used a number of
compromised computer
systems registered to
universities in North
Carolina, Arizona, Wisconsin
and New Mexico…”

11. ©2018 FireEye | Private & Confidential
Attackers consistently breach cyber defenses
11
* FireEye. “Maginot Revisited.” 2015.
2015 FireEye study analyzed
more than 1,600 organizations
•96% actively breached during 30-day test
period
•27% had evidence of advanced attacks
Study included more than 100
universities
•100% actively breached during test period
•37% had evidence of advanced attacks

12. Impact on research processes
12

13. ©2018 FireEye | Private & Confidential
Cybersecurity not just about keeping data secret
13
Information
Security
Confidentiality
IntegrityAvailability
Most people associate cybersecurity
with CONFIDENTIALITY
•Prevent attackers from stealing personal
information, intellectual property, etc.
AVAILABILITY and INTEGRITY of
research data are also important
•Prevent attackers from destroying years of
research making it unrecoverable
•Prevent attackers from modifying data to
produce inaccurate research results

14. ©2018 FireEye | Private & Confidential
Cybersecurity expectations beginning to solidify
14
George W Bush
• Designation and Sharing of Controlled Unclassified
Information (CUI) (07 May 2008)
Barack Obama
• Executive Order 13556 – Controlled Unclassified
Information (04 Nov 2010)
• Executive Order 13636 – Improving Critical Infrastructure
Cybersecurity (12 Feb 2013)
•Donald J Trump
• Presidential Executive Order on Strengthening the
Cybersecurity of Federal Networks and Critical
Infrastructure (11 May 2017)
Core concepts for due diligence consistent across three administrations

15. ©2018 FireEye | Private & Confidential
Institutional impact not limited to research
15
“[Reminding] institutions of their legal
obligations to protect student information used
in the administration of the Title IV Federal
student financial aid programs.”
•“We also advise institutions that… NIST SP
800-171 identifies recommended requirements
for ensuring the appropriate long-term security
of certain Federal information in the
possession of institutions.”
US Department of Education notices GEN-15-18 and GEN-16-12

16. Addressing the requirements
16

17. ©2018 FireEye | Private & Confidential
Many approaches for achieving compliance
Delegate to individual
researchers
Shared services at institution
level
Collaborative shared services
across institutions
Commercial hosting &
compliance services
•PRO: Low initial institutional investment
•CON: Duplicated costs across many programs
•CON: Responsibility rests with individuals who are not experts in IT,
cybersecurity, compliance
•CON: Limited institutional visibility into risk exposure
•PRO: Economies of scale for core infrastructure, personnel, and compliance
processes
•PRO: Strengthens institutional visibility into risk exposure
•CON: Individual researchers may lose some flexibility in order to work within
broader infrastructure and processes
•PRO: Additional economies of scale
•CON: Individual researchers and institutions may lose flexibility
•CAVEAT: Understand institution roles and responsibilities for shared
governance, compliance, and cybersecurity processes
•PRO: Allows some risk transference to third party
•PRO/CON: May be higher or lower cost, depending on vendor
•CAVEAT: Understand institution and vendor roles and responsibilities for
compliance and cybersecurity processes
17

18. ©2018 FireEye | Private & Confidential
Responsibilities when adopting cloud services
18
Hosting your research in the cloud does not remove compliance responsibility
"Security and Compliance is a shared
responsibility between AWS and the
customer…
Customers should carefully consider the
services they choose as their
responsibilities vary depending on the
services used, the integration of those
services into their IT environment, and
applicable laws and regulations.”
* Amazon AWS. “Shared Responsibility Model.” Available online at https://aws.amazon.com/compliance/shared-responsibility-model/

19. ©2018 FireEye | Private & Confidential
Institutions should take holistic approach to compliance
19
Don’t delegate to individual teams
•Replicating compliance across every group is not cost effective, so
approach the process more strategically
Research-focused groups should not have to tackle this
issue alone
•DOE letters regarding protection of financial aid data extends scope to
administrative systems
Build a consistent campus-wide program
•Build a program that addresses all potentially regulated data in a
consistent manner
•Include (at a minimum) faculty, Research, CIO, CISO, Privacy, Risk
Management, Audit, Insurance, and Legal

20. Thank you!
20