Duke CISO Addresses Duke Cyber Club
By Joanne Kim. October 23, 2019.
Richard Biever, Duke University’s Chief Information Security Officer, and Mary McKee, the Director of Identity Management and Security Services in Duke’s Office of Information Technology (OIT), spoke at a Duke Cyber Club event on September 30, 2019. They discussed security approaches at educational institutions and the IT Security Office’s initiatives to create a safer, more robust digital network at Duke.
During the past nine years, Biever said he witnessed immense growth and advancement within the university’s security office. The IT Security Office first began as a department of three people but now boasts twelve employees who work alongside other OIT departments, ranging from web applications to networks. As technology and attack methodologies change, so too are the methods IT security must use. To wholly understand and mitigate threats that face the institution, the team has shifted its procedures away from the reactive nature of earlier times and instead towards a proactive, risk-based approach.
Biever also spoke on the transformation the campus has undergone in terms of cybersecurity. Just a decade ago, regularly managed laptops and the use of mobile encryption were rare. However, now, ITSO and OIT, partnering with departmental IT groups, manage and secure more than 30,0000 Duke-owned devices. OIT also manages multiple 10 Gb Internet connections that serve a network with more than 100,000 devices on the network, sustaining close to 8 Gb of network traffic on a daily basis (10 during the ACC tournament!) for campus use alone. Currently, approaches such as log monitoring, network analysis, and multi-factor authentication are being utilized to monitor and protect Duke systems. Despite these advancements, Biever is looking towards the future, asking “How can we automate reactions to threats?”
One of the ways Biever and his team are hoping to best answer that question is by implementing new security methods. The first is an approach to threat intelligence called STINGAR, a shared intelligence network for network gatekeeping and automated response (stingar.security.duke.edu). Currently being used by 16 other schools and Duke, STINGAR’s goal is to help the higher education community identify network based attackers (including nation-state actors), share data, and take action upon threat intelligence. A key part of STINGAR is to use “honeypots.” These are simulated computer systems, designed to attract hackers. By placing honeypots intentionally, malicious actors and bots can try to interact with the simulated system just long enough for the security team to identify malicious IP addresses or domain names or gain an understanding of the attackers’ methodologies with the goal of shutting them down.
Biever also noted that not all threats to Duke’s information security are aimed directly at the Duke network or systems. The 2018 Chegg breach, which eventually led to the exposure of Chegg’s account database (an unauthorized party gained access to part of the company’s database on users), affected around 100 Duke students with accounts on the homework, test prep, and tutoring Ed Tech company. Hackers were able to mine passwords and gain access to Duke systems using Chegg accounts by testing out various password combinations because some students utilized the same password for their Chegg account as their student netID login. Biever recommends students use different passwords to secure their accounts in order to ensure that multiple breaches do not occur, and use a password manager like LastPass to protect and store their different passwords.
Students continued the conversation by asking about VPNs and multi-factor authentication. Biever’s broad response to these questions was that “being able to secure all channels is a challenge.” He stated that the team could not always guarantee security, therefore, building an accurate detection program to identify when an attack is occurring is necessary and a primary focus.
The conversation evolved to a discussion on cybersecurity threats at the corporate level and in higher education. According to Biever, corporations are mostly concerned with securing financial-related information, since most of their attackers are motivated to steal money or Personally Identifiable Information (PII). Universities function like a city: the security team must be ready to deal with financial fraud, nation-state attacks, defacement attacks, and scanning attacks. Generally, universities focus on a broader spectrum of threats than one might expect. Biever concluded by noting that both corporate and educational institutions are attacked by the same threat attacker tools, and therefore, can learn much from each other.
While talking about Duke’s efforts to improve cybersecurity, McKee talked about a new initiative that the Identity Management and Security Services department in OIT is working on. Her team is running trials to implement a new method of multi-factor authentication that would not require the use of Duo Two Factor Authentication, making the login process more convenient and seamless for students and faculty. Those interested in trying the new Duke Unlock service can visit https://accounts.oit.duke.edu/unlock.
Biever closed by stating that his role is “more of a mission than a job” and is something that he is very passionate about. He encourages all Duke students to get more involved with cybersecurity by engaging in Duke OIT’s October events for Cybersecurity month and by becoming informed consumers of technology. Students are also welcome to engage the IT Security Office by visiting www.security.duke.edu, or asking questions at email@example.com.
Joanne Kim is a sophomore at Duke studying Public Policy and Psychology. She is currently serving as co-Vice President of Ethical Tech and is a member of the Duke Cyber Team.