Q&A: Joy Hughes, CIO and Vice President for Information Technology, George Mason University

Ever wonder about the cybersecurity challenges that face our institutions of higher learning? Well, wonder no more. We were fortunate enough to spend some time with Joy Hughes, CIO and Vice President for Information Technology, George Mason University. Below is an exclusive Q&A with Ms. Hughes. We hope you find this post as enlightening as we do.

Overall, how would you grade information security at our nation’s institutions of higher education?

Most schools do an excellent job of protecting their central systems and infrastructure. Some schools struggle with protecting distributed systems, sometimes not knowing which of these systems have highly sensitive data stored on them and sometimes not being sure that the administrators of such systems are up to speed with respect to needed security precautions. In some cases, the designated system administrators have too many demands on their time to even be able to implement the precautions.

Do you think schools are, or will be, ripe targets as criminals use increasingly sophisticated tools to steal information?

Not particularly. Master cybercriminals have much more fertile fields to plow. There have been very few cases where criminals have actually profited from stealing information from a school’s database. There are several reasons for this. First, we seldom store data that would enable a criminal to gain access to a bank account, except on our highly protected central systems. Second, banks and credit card agencies are much more sophisticated than a few years ago and have implemented multi-layered defenses against a criminal who knows only a name and an SSN gaining access to an account and being able to transact business.

On the other hand, universities are seeing spammers become more sophisticated in their efforts to penetrate a machine and take it over in order to make money spamming. These spammers are not interested in the data on the machine; they are interested in controlling the machine. Between the spammers and the mischief makers, university security departments never run out of work to do.

Tell us how GMU protects itself from being a victim of data breaches and 4) In terms of data breach trends, have you all seen an increase in attempts to breach GMU?

While criminals are not targeting GMU in order to steal data, when spammers and mischief makers gain access to machines on which sensitive data are stored, serious and expensive problems are created for the university. Responding to a breach is expensive; shutting down systems important to carrying out university business is disruptive; notifying constituencies that someone managed to get into a machine that had stored on it their personal data is expensive and time consuming; but even more important, it strains the trust bonds between the university and its stakeholders.

For all these reasons, we work hard and spend much money in order to keep people from breaching machines on which sensitive data are stored. This includes creating policies that severely restrict who can store sensitive data; auditing machines that have significant sensitive data stored on them; segregating machines with sensitive data into a different part of the network; specifying standards and responsibilities for system administrators; taking over the management of servers when the department is unable to secure them adequately; and implementing various intrusion prevention and detecting systems.

Do you all have any cyber-security educational initiatives aimed at helping the students to be more aware of identity theft?

We use the educational resources contributed by the higher education community to the EDUCAUSE/Internet2 Network and Computer Security Task Force. We also develop our own resources, which means we create flyers, posters, articles in the student newspaper, presentations at student orientation, etc. Before we allow the computers of students in university housing to connect to the network, we run a scan on them to make sure they are free of malware and that they have automated update of patches and anti-virus definitions. This can all be for naught if the student responds to a clever phish.

We do all of the above to protect the student’s machine from being taken over by a spammer or being damaged by malware or used to disrupt the network by a mischief maker. While we also deploy materials that warn of identify theft, we know that the student is in more danger of identity theft when they hand their credit card to a server in a restaurant than when they connect their computer to a network. Moreover, eighty five percent of the students in the residence halls have chosen to have their computers placed in the protected zone on the network so that nothing can be downloaded to their machines unless they take action to initiate the download (usually via a phish but sometime via downloading “free” software).