June 26, 2018
Computing and Communications Services teams have been steadily adding additional network protection measures in an effort to continually improve the overall security posture of the University network. In the past six months we have made significant progress, and now we want to share these changes with the wider campus community so you can better understand these improvements, why they were necessary, and what it means for users on campus.
Threat Landscape
To understand why these updates were necessary, it is important to recognize that the University is under constant attack. Large organizations, and particularly higher education institutions, are prime targets for bad actors for a number of reasons:
- They have a large internet presence
- Universities have historically had open networks built for collaboration with limited security
- Universities hold a wealth of important information, including student, staff, and research data
The Information Security team deals with thousands of issues each year including malicious network activity, phishing attacks, account compromises, fraud, and malware. Some examples seen at other institutions include a major ransomware attack at the University of Calgary [1] in 2016, a phishing scam which defrauded MacEwan University [2] out of $11.8M in 2017, and a massive cyber attack targeting 320 universities [3] around the world in 2018.
Several years ago, the University of Guelph's leadership team recognized the risks posed by cyber attacks and undertook a major initiative to increase the security posture of the campus network and infrastructure, and to increase security awareness on campus.
Network Security Enhancements
One of the major initiatives included in our security roadmap was the implementation of a next-generation firewall. Traditional firewalls control the traffic into and out of a network using simple rules based on ports and protocols. A next-generation firewall includes all of the capabilities of a traditional firewall and then layers on additional functionality, which includes deeper traffic inspection, application awareness, identity awareness, intrusion prevention, and the ability to use external threat intelligence to automatically block threats. These are very powerful devices!
Here is a brief description of all of the network security improvements we have made:
- Inbound port blocking project (2016/17) - This project was focused on reducing the University's attack surface on the internet. By blocking a number of ports known to be risky or used in cyber attacks, we were able to reduce an attacker's ability to access campus systems directly from the internet.
- Implementation of next generation firewall (February 2018) - This was a major milestone in our security roadmap! Having this technology in our infrastructure gives us many more defensive capabilities, allowing us to better detect, protect, and respond to security issues.
- Malicious URL blocking (May 2018) - Our new firewall has the ability to detect and block known malicious websites to prevent the spread of malware. Using threat intelligence, the firewall recognizes and blocks known botnet sites, spam sources, phishing sites, fraud sites, and malware.
- Intrusion prevention system (May 2018) - This is one of the most powerful features of the new firewall. An intrusion prevention system not only detects malicious traffic, but also has the capability to block it immediately. Malicious traffic could include known malware communication, port scanning, and exploit attempts against our infrastructure.
- BitTorrent blocking (June 2018) - The decision to block BitTorrent traffic on our campus network was made based on the security risks associated with that protocol and the fact that internet bandwidth is a finite resource. Over several months we analyzed traffic on our network and found that the vast majority of BitTorrent traffic was the downloading of copyrighted material. This traffic consumes bandwidth at the expense of legitimate traffic and poses a security risk to all campus users. In a recent study, security researchers found that 43% of torrented application files and 39% of torrented games contained malware [4]. In the end it was determined that the security risks associated with BitTorrent were too great to continue allowing it on our network.
- Application-based blocking (June 2018) - This is another advanced capability of the new firewall infrastructure. Instead of simply blocking traffic based on a port number, the firewall has the ability to detect and block traffic based on application signatures. This is much more effective and secure, because an application cannot evade the rule simply by moving to a different port, and a legitimate service that happens to use an unusual port is not caught by mistake.
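To make the difference between port-based and application-based blocking concrete, here is an added illustrative example written for this article. It is not the University's firewall configuration and not any vendor's detection code; the sample flows, the fake info_hash and peer_id, and the small set of protocol signatures (BitTorrent peer-wire handshake, HTTP request line, TLS ClientHello, SSH banner) are all constructed for the demonstration. The same constructed traffic is classified twice: once by a traditional port rule, once by an application signature.

```python
"""Port-based versus application-signature filtering, run over constructed flows.

Illustrative example written for this article; not the University's firewall rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """First client-to-server bytes of a TCP session (constructed sample data)."""
    label: str
    dport: int
    payload: bytes


# Traditional firewall rule: decide on the destination port alone.
# 6881-6889 is the conventional BitTorrent peer port range.
BLOCKED_PORTS = set(range(6881, 6890))


def port_based_verdict(flow: Flow) -> str:
    return "block" if flow.dport in BLOCKED_PORTS else "allow"


# Application signatures: look at what the bytes actually say, whatever the port.
def is_bittorrent(p: bytes) -> bool:
    # Peer-wire handshake begins <pstrlen=19><"BitTorrent protocol">.
    return p.startswith(b"\x13BitTorrent protocol")


def is_http(p: bytes) -> bool:
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
    return p.startswith(methods) and b" HTTP/1." in p[:256]


def is_tls_client_hello(p: bytes) -> bool:
    # TLS record type 0x16 (handshake), major version 0x03, handshake type 0x01.
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def is_ssh(p: bytes) -> bool:
    return p.startswith(b"SSH-2.0-")


APP_SIGNATURES = [
    ("bittorrent", is_bittorrent),
    ("http", is_http),
    ("tls", is_tls_client_hello),
    ("ssh", is_ssh),
]
BLOCKED_APPS = {"bittorrent"}


def identify_app(p: bytes) -> str:
    for name, matches in APP_SIGNATURES:
        if matches(p):
            return name
    return "unknown"


def app_based_verdict(flow: Flow) -> str:
    return "block" if identify_app(flow.payload) in BLOCKED_APPS else "allow"


def sample_flows() -> list[Flow]:
    """Constructed traffic; the info_hash and peer_id are made-up placeholders."""
    bt_handshake = (b"\x13BitTorrent protocol" + bytes(8)   # reserved bits
                    + b"\xAA" * 20                         # fake info_hash
                    + b"-XX0000-" + b"\x00" * 12)          # fake peer_id
    tls_hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
    return [
        Flow("bittorrent on 6881", 6881, bt_handshake),
        Flow("bittorrent moved to 443", 443, bt_handshake),
        Flow("https on 443", 443, tls_hello),
        Flow("web server listening on 6881", 6881,
             b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
        Flow("ssh on 22", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ]


def compare(flows: list[Flow]) -> dict[str, tuple[str, str]]:
    """Map each flow label to (port-based verdict, application-based verdict)."""
    return {f.label: (port_based_verdict(f), app_based_verdict(f)) for f in flows}


if __name__ == "__main__":
    for label, (port_v, app_v) in compare(sample_flows()).items():
        print(f"{label:32} port-rule={port_v:5}  app-rule={app_v}")
```

Two of the constructed flows show why the port rule is the weaker control: the BitTorrent client that moves to port 443 is allowed by the port rule but blocked by the signature, while an ordinary web server that happens to listen on 6881 is wrongly blocked by the port rule and correctly allowed by the signature. The caveat is that these signatures only inspect clear-text bytes at the start of a session; BitTorrent's optional protocol encryption and other evasions are exactly why a production next-generation firewall combines many signatures with traffic heuristics rather than relying on single byte-string matches.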
What Does it Mean For Me?
Hopefully this article has helped you understand the need for the improvements we have made. Extensive testing and preparation have gone into every change, with full awareness of the potential impacts to the campus community. CCS fully recognizes that any change to our network has the potential to disrupt University business, research, and learning, so we thoroughly prepare for every change and look for input from multiple stakeholders before proceeding. As part of the approval process, University leadership including the Cyber Security Governance Committee, the Campus IT Leaders group, and the CCS Management Team are all consulted. As well, communication about upcoming changes is shared with the IT community on campus, any specific groups that may be impacted, and the CCS Help Centre so that they are prepared to respond to any issues reported by users.
Our goal is always to ensure that our changes never impact the ability of the University to meet its strategic, teaching, and research goals. At any time, if you have questions or concerns, reach out to the CCS Help Centre (x.58888 or 58888help@uoguelph.ca) or the Information Security team (infosec@uoguelph.ca).
Written by: Stephen Willem (Manager, Information Security)