Published May 1, 2019
The way we keep our people and technology secure at the University at Buffalo is changing. But what are we really trying to accomplish?
In my previous blog post, I discussed what it means to me to put information security into practice. It isn’t just about responding to threats—it’s about enabling and incentivizing the right kind of knowledge and information sharing, which is what we do every day at UB.
Sharing can be risky, especially when our primary way of doing it is online, among a global community of billions. It can be easy to downplay or forget about this risk—that is, until we get an email from our “boss” asking us to buy iTunes gift cards, or an account warning from an off-brand UBIT Help Center, or an unsolicited job offer that seems too good to be true.
The simple act of being online exposes you to threats, and those threats are evolving. But so are we. And as we do, we need to talk openly and honestly about what that looks like.
In my conversations with the campus community, I focus on four major points that, without all the acronyms and jargon, seek to answer the question: “what are we really trying to accomplish?”
This is what most people think about when they think about information security: preventing those with obviously malicious intent from compromising us and our work. Because these threats have the potential to affect past, present and future UB community members, we as an institution are taking an active approach in this area.
In the past year, we’ve collaborated with the community to develop security standards for the devices we use at work, promoting common sense measures we can all take to keep one another safe. We’re also protecting the entire campus with a new, unified firewall that addresses the broader threat, and can be adapted as needed to meet that threat as it evolves.
It’s critical for us to engage in this area—because what makes one of us vulnerable online has the potential to make all of us vulnerable.
The bad actors are, in many ways, the easiest threat to spot and defend against. It’s when a bad actor gets through—and starts to manipulate the system from the inside—that our most challenging work begins.
How does this happen? It happens when a convincing phishing attempt tricks you into giving up your UBITName and password, or when someone sends you a fraudulent email pretending to be a coworker. It happens when someone logs into your computer remotely using your password (guessed or stolen) and infects it with ransomware. These attacks are devastatingly common.
On the technological side, we’re enabling two-factor authentication on some of the most sensitive UBIT services beginning in the Fall 2019 semester. By combining something you know—your UBITName password—with something you have, like a smartphone, we can more reliably trust that the person logging into your UBITName account is you.
Many of us think about information security in the negative—what is the threat, and what compromises must we make to address that threat? But we can also think about information security as a way to empower our community to do its best work, in an intentional way.
Acting with intentionality is what we do when we engage in scientific research, carefully controlling the conditions of the experiment so we can trust the observations it produces. And it is precisely when we fail to act intentionally, whether by enabling the wrong setting or clicking the wrong link, that the outcomes become uncertain at best, and dangerous at worst.
Taking on some risk is necessary in order to make an impact. Everything we do is designed with the goal of helping the campus community take necessary risks in an informed, intentional way.
This is the mission of information security, and it is emphatically people-centered. Security is a spectrum—there’s so much diversity among the people and the work that make up the University at Buffalo, and a one-size-fits-all approach will simply not work.
We can build firewalls, propose standards and suggest best practices, but for an institution to truly put information security into practice, its people need to see the inherent value in it, and take up the cause themselves. Our goal is to provide the resources, and the environment, for the people at UB to do their best work, the best way.
It starts with you.
Mark Herron is UB's Information Security Officer. He has more than 20 years of experience in information technology, security and compliance; his expertise includes risk assessment and mitigation, as well as compliance and governance.