Introduction
In recent times, American institutions of higher education have become prime targets
of cybercriminals, especially those involved in extortionist ransomware attacks. As a newly
hired Chief Security Officer of a local university, I will be responsible for establishing and
maintaining a university-wide information security program to ensure the security of the
university’s information and data assets. In this paper, I outline the plan for rolling out the
security program. In the plan, I propose an enterprise firewall to prevent ransomware
incidents from occurring in the first place, identify government resources the university may
resort to in its fight against ransomware and outline some of the techniques the university
may use to gather electronic evidence in the event of an attack. But first, I document the
prevalence of ransomware attacks targeted at colleges and universities and what these
institutions are doing about the problem.
Recent Computer Hacker Attacks Targeted at Institutions of Higher Education
For some time now, cybercriminals have been using malicious software called
ransomware to target institutions of higher education and then attempting to extort them
(McKenzie, 2021). In a nutshell, a ransomware attack works as follows. Using stolen
credentials and phishing emails to get into IT networks, cybercriminals deploy ransomware to
steal sensitive information or to encrypt it so that its legitimate owners are locked out of it.
They then demand payment in exchange for allowing the targeted institution to
regain access to its data. If their demands are not met, they threaten to sell the data or publish
it on the dark web.
PLAN FOR AN INFORMATION SECURITY PROGRAM 3
For cybercriminals, colleges and universities are especially lucrative targets because
they possess sensitive data, including student data and research information (McKenzie,
2021). In addition, they often have critical, time-sensitive operations. In 2020 alone, there
were at least twenty-six ransomware attacks targeted at colleges and universities, double the
number of attacks reported in 2019. Meanwhile, the amounts of ransom demanded are rising
quickly. In 2020, the average ransom demanded by ransomware attackers was $312,493, up
from $115,123 in 2019. In July 2020, the University of California, San Francisco, admitted to
paying $1.14 million to hackers who stole, encrypted and threatened to publish sensitive
information from the university’s school of medicine. UCSF was one of the many institutions
ransomware attackers targeted using NetWalker, a type of ransomware.
How Other Institutions of Higher Education Are Dealing with Ransomware
Institutions of higher education have put in place several measures and processes to
prevent ransomware attacks or to reduce their impacts should they occur. Indeed, more than
90% of American institutions of higher learning report having a Business Continuity Plan
(BCP) or a Disaster Recovery Plan (DRP) that incorporates a malware attack recovery plan
(Sophos, 2021). Of the 90%, 51% have a full and elaborate plan, while 39% have a partially
developed plan. However, it is troubling that some of the nation’s high-profile universities,
UCSF among them, are recent victims of ransomware attacks even though most institutions of
higher education report having plans for recovery from malware attacks. This could indicate
that these institutions need to shift their focus from malware incident recovery to preventing
malware incidents in the first instance.
BCPs and DRPs are not the only coping strategy American colleges and universities
are counting on to deal with malware. Other strategies include having adequately trained staff
capable of stopping malware incidents (reported by 60% of institutions), the use of
anti-ransomware technology (reported by 58% of institutions) and working with a specialist cyber
security company that operates a complete Security Operations Center (SOC) (reported by
34% of institutions) (Sophos, 2021). Emboldened by these measures, the majority of heads of
IT at American colleges and universities do not expect to be hit by ransomware in the future.
That said, it is worth noting that many IT professionals in the higher education sector
who do not expect their institutions to be attacked are putting their faith in perceived
solutions that do not offer any protection from ransomware. These solutions include
cybersecurity insurance against ransomware and air-gapped backups. While insurance may
help cover the costs of dealing with an incident, it does not stop the incident from happening.
Similarly, while backups are valuable for restoring data following an incident, they do not
stop an institution from being hit.
Enterprise Firewall: A Recommended Anti-ransomware Technology for the University
In line with what other colleges and universities are doing about ransomware, a
technology the university can invest in to lower the threat of ransomware attacks is anti-
ransomware technology. However, it is worth noting that anti-ransomware technology is a
broad area. Anti-ransomware technologies can be grouped into several categories, depending
on their intended levels of protection. These categories include, among others, perimeter
protections, network defences, and endpoint protections (Frenz & Diaz, 2018). Because
perimeter protections should be any organization’s first line of defense, they are the focus of
this plan. Perimeter protections include firewalls, proxy servers and web filters, spam filters,
and VPN or remote access.
Given the desirability of preventing ransomware attacks from happening in the first
instance, the university should implement perimeter protections, especially an enterprise
firewall. Because a firewall is the most foundational of these protections, it is the cornerstone
of this plan. While a firewall at the perimeter is likely already in place for the university, it
will be important to ensure that the firewall is configured for ingress and egress filtering
(Frenz & Diaz, 2018). Ingress filtering controls the types of communications permitted into
the organization’s network, whereas egress filtering controls the types of communications
permitted to leave the organization’s network. Both ingress and egress access controls ought
to be based on the least privilege model. A system that does not need access to external
systems or information sources should be barred from communicating with external systems.
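As an added illustration of least-privilege ingress and egress filtering (this is example code written for this section, not code from the paper or from Frenz & Diaz), the following Python models a perimeter policy in which every permitted flow is tied to a documented reason and everything else is denied by default. The address ranges, segment names and sample flows are hypothetical and constructed here; a lab host with no business need for internet access is denied outbound, exactly as the paragraph prescribes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str      # "ingress" (into the campus network) or "egress" (leaving it)
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: frozenset    # permitted destination ports; empty set means any port
    action: str         # "allow" or "deny"
    note: str = ""      # business reason for the rule, kept for audit

    def matches(self, direction, src, dst, dport):
        return (direction == self.direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.ports or dport in self.ports))


ANY = "0.0.0.0/0"
# Hypothetical address plan, constructed for this example
WEB_DMZ = "10.1.0.0/24"         # public-facing web tier
RESOLVERS = "10.2.0.0/28"       # campus DNS resolvers
PROXIES = "10.2.1.0/28"         # outbound web proxies
MAIL_RELAYS = "10.2.2.0/28"     # outbound mail relays
WORKSTATIONS = "10.100.0.0/16"  # reach the internet only through the proxies
LAB = "10.50.0.0/16"            # research lab with no business need for internet access

POLICY = [
    Rule("ingress", ANY, WEB_DMZ, frozenset({80, 443}), "allow", "public web tier"),
    Rule("egress", RESOLVERS, ANY, frozenset({53}), "allow", "resolvers forward DNS"),
    Rule("egress", PROXIES, ANY, frozenset({80, 443}), "allow", "proxied web browsing"),
    Rule("egress", MAIL_RELAYS, ANY, frozenset({25}), "allow", "outbound mail"),
]
# There is deliberately no rule for WORKSTATIONS or LAB in either direction: under least
# privilege they get nothing at the perimeter until a rule documents why they need it.


def evaluate(direction, src, dst, dport):
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in POLICY:
        if rule.matches(direction, src, dst, dport):
            return rule.action, rule.note
    return "deny", "default deny"


def audit(flows):
    """Run observed flows through the policy and return those the policy would deny."""
    return [f for f in flows if evaluate(*f)[0] == "deny"]


# Constructed sample flows: (direction, src, dst, dport)
SAMPLE_FLOWS = [
    ("ingress", "203.0.113.9", "10.1.0.10", 443),     # visitor reaching the web tier
    ("ingress", "203.0.113.9", "10.1.0.10", 3389),    # RDP attempt from the internet
    ("egress", "10.2.0.3", "198.51.100.53", 53),      # resolver forwarding a query
    ("egress", "10.50.4.21", "198.51.100.80", 443),   # lab host calling out directly
    ("egress", "10.100.7.7", "198.51.100.80", 4444),  # workstation on an unusual port
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
    print("denied:", len(audit(SAMPLE_FLOWS)), "of", len(SAMPLE_FLOWS))
```

The `POLICY` list plays the role of the rule base and `audit` the role of a review of an existing flow log against it. The denied egress flows it returns from internal segments are the ones worth alerting on: an internal host attempting an outbound connection it has no business making is precisely what the least-privilege egress model is meant to surface.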
In terms of the costs involved, the university should expect to spend something in the
region of $120,000 on an enterprise firewall, with about $50,000 required upfront and the
majority of the total cost going toward hiring a great security administrator (Mullins, 2021).
The major cost areas of the investment will be software, hardware, personnel, training and
extras. For software, as an example, Raptor Firewall NT v6.5 with virtual private network
(VPN) module and unlimited mobile users costs about $20,000. For hardware, the university
will need a server with a fast processor, enough RAM, excellent NICs, and a great backplane
for the SCSI internals. Dell PowerEdge 2400 is one such server and costs about $10,000.
For personnel, the university will need to hire a dedicated security administrator who
will be responsible for the university network’s external effects. This should be a position
distinct from the network administrator who is responsible for the network’s internal
operations. A security administrator should cost about $70,000 a year (Mullins, 2021). To
keep the security administrator current in the field, the university will need to spend about
$9,000 on their training. In addition to the firewall software, and to keep the firewall
performing at its peak at all times, the university will need to acquire a number of software
packages. These include WebTrends Firewall Suite (about $3,000), WebTrends Security
Analyzer (about $6,000) and CyberCop Sting (about $2,500). Finally, in terms of
maintenance costs, the Raptor Firewall NT v6.5 comes with a standard maintenance contract
at $1,200.
Using Government Resources to Fight Ransomware
The primary law the university would resort to in prosecuting cyber crimes committed
against it is the Computer Fraud and Abuse Act (CFAA). The law protects all computers on
computer networks, whether government-, business- or privately-owned, and covers
extortionate cybercrimes like ransomware attacks. The Act provides for both civil and
criminal penalties. Criminal penalties can range from ten to twenty years, depending on the
severity of an offence. Specifically, the CFAA prohibits: (1) unauthorized access or
surpassing authorized access to a computer and accessing information of national security
importance; (2) unauthorized access or surpassing authorized access to a computer that is
used in foreign or interstate commerce and accessing the information on it; (3) unauthorized
access to a computer used by the U.S. government; (4) knowingly gaining unauthorized
access to a computer with the intent to defraud; (5) damaging a computer either recklessly or
intentionally; (6) trafficking in passwords and (7) engaging in cyber extortionist threats (such
as those involved in ransomware incidents).
Other relevant laws that touch on cybercrimes include the Electronic Communications
Protection Act (ECPA), which protects communications in storage or transit. The Electronic
Espionage Act of 1996 and the Defend Trade Secrets Act of 2016 are additional sources of
civil and criminal penalties against the theft of valuable intellectual property, including trade
secrets.
Besides the laws outlined above, the university could make recourse to the FBI’s anti-
ransomware program. The program seeks to educate the public on ransomware attacks,
including how to prevent, detect and mitigate them. Under the program, the FBI issues
periodic public advisories. In its latest public advisory, released in March 2021, the agency
warned that cybercriminals were increasingly using the PYSA ransomware to target and
extort education institutions (McKenzie, 2021). Meanwhile, the FBI discourages victim
organizations from paying ransoms as doing so is counter-productive, both to the
organizations and to the public. Ultimately, whether or not they decide to pay the ransom,
the FBI urges organizations to report ransomware incidents to their local FBI field offices or
online on the agency’s Internet Crime Complaint Center.
Types and Costs of Technologies for Gathering Electronic Evidence
Should the university fall victim to ransomware attacks despite implementing the
above measures, it may find itself needing to work with computer forensic experts to gather
electronic evidence from a variety of sources, including hardware, firewalls, and cell phones.
In this section, I outline how the university might go about gathering evidence.
Now in its seventh version, EnCase Forensic is perhaps the most widely recognized
computer forensics utility (Easttom & Taylor, 2011). The core functions of EnCase Forensic
are to: acquire evidence, process evidence, perform deep forensic analysis, compile findings
and archive cases. The tool is able to acquire evidence from a variety of hardware, including
hard drives, removable media and tablets and smartphones. In terms of cost, the EnCase
Forensic software costs about $3,700, inclusive of a one-year subscription (Digital
Intelligence, n.d.).
Unlike hardware, firewalls do not need specialized software or hardware for one to
gather digital evidence from them. This is because most firewalls log activities, and by
monitoring those logs, one can obtain valuable evidence (Easttom & Taylor, 2011). Usually,
firewalls log activities that can be divided into three broad groups: network connections,
administrative actions and critical system issues. Network-connection logs are records of all
successful and failed connection attempts. Administrative actions include changing
permissions, adding users and related actions. Critical system issues entail hardware failures.
In cases of cyber-attacks, these logs can provide valuable evidence. For example, connection
attempts will usually precede any attack. In terms of costs, other than the costs of setting up
the firewall (as discussed in the previous section), there should be no additional costs
involved in gathering digital evidence from the firewall.
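To show how the three groups of firewall log entries described above turn into evidence, here is an added Python example (it is not from the paper or from Easttom & Taylor). The log layout and the log lines are constructed for the example; real appliances each use their own formats, so the regular expressions would need adjusting for the university's firewall. The code sorts entries into the three groups, flags a source whose accepted connection was preceded by a burst of denied attempts, builds a per-address timeline across all three groups, and records a SHA-256 digest of the raw log text at collection time so that it can later be shown the evidence has not changed.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical syslog-like layout (not a real vendor format)
SAMPLE_LOG = """\
2021-04-02T02:14:01Z fw01 conn: DENY tcp 198.51.100.7:51342 -> 10.1.0.10:22
2021-04-02T02:14:02Z fw01 conn: DENY tcp 198.51.100.7:51343 -> 10.1.0.10:3389
2021-04-02T02:14:03Z fw01 conn: DENY tcp 198.51.100.7:51344 -> 10.1.0.10:445
2021-04-02T02:14:05Z fw01 conn: ACCEPT tcp 198.51.100.7:51350 -> 10.1.0.10:443
2021-04-02T02:20:00Z fw01 admin: user=jdoe action=rule-change rule=egress-any-allow
2021-04-02T02:25:17Z fw01 conn: ACCEPT tcp 10.1.0.10:40211 -> 198.51.100.7:443
2021-04-02T03:00:00Z fw01 system: disk-failure slot=2
2021-04-02T08:00:00Z fw01 conn: ACCEPT tcp 192.0.2.44:40000 -> 10.1.0.10:443
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn: (?P<action>ACCEPT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
OTHER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>admin|system): (?P<detail>.+)$")


def parse(text):
    """Sort raw lines into the three groups: connection, admin and system."""
    events = {"connection": [], "admin": [], "system": []}
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            group = "connection"
        elif m := OTHER_RE.match(line):
            rec = m.groupdict()
            group = rec["kind"]
        else:
            continue  # unparsable lines stay in the raw file but not in the structured view
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["raw"] = line
        events[group].append(rec)
    return events


def probe_then_accept(events, min_denies=3, window=timedelta(minutes=5)):
    """Flag sources whose ACCEPT was preceded by at least min_denies DENYs within window.

    Returns {src: number_of_preceding_denies} for each flagged source."""
    by_src = defaultdict(list)
    for rec in events["connection"]:
        by_src[rec["src"]].append(rec)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["action"] != "ACCEPT":
                continue
            denies = sum(1 for r in recs[:i]
                         if r["action"] == "DENY" and rec["ts"] - r["ts"] <= window)
            if denies >= min_denies:
                flagged[src] = max(denies, flagged.get(src, 0))
    return flagged


def timeline(events, address):
    """Every event, across all three groups, that mentions address, in time order."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(address) + r"(?![\d.])")
    hits = [rec for group in events.values() for rec in group if pattern.search(rec["raw"])]
    return sorted(hits, key=lambda r: r["ts"])


def evidence_digest(text):
    """SHA-256 of the raw log text, recorded at the moment the evidence is collected."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("flagged sources:", probe_then_accept(ev))
    for rec in timeline(ev, "198.51.100.7"):
        print(rec["raw"])
    print("evidence sha256:", evidence_digest(SAMPLE_LOG))
```

In the constructed sample, the external address that was denied three times and then accepted once inbound reappears later as the destination of an outbound connection from the same internal host, so the per-address timeline ties the inbound probing, the accepted connection and the later outbound traffic together into one sequence of evidence, while the administrative rule change between them shows up in its own group.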
Finally, to gather digital evidence from cell phones, either of two programs can
be used: Data Doctor and Device Seizure. Both programs are able to recover all contacts,
inbox and outbox data (Easttom & Taylor, 2011). In terms of costs, Data Doctor costs $169
while Device Seizure costs significantly more: $1,095. Even though the programs themselves
cost little, they usually need to be used with much more expensive hardware known as mobile
device forensic tools. These tools provide a relatively easy way of extracting data from
various mobile devices, either logically via Bluetooth, infrared or cable, or physically via
cable or JTAG (Casey, 2011). The tools work more or less in the same way: they transmit
commands to the phone and record feedback that bears information that has been extracted
from the phone’s memory. The tools include, among others, Cellebrite’s Universal Forensic
Extraction Device (UFED) and Logicube Forensics’ CellDEK. As an illustration of their
significant costs, a new UFED device costs between $5,000 and $15,000, depending on the
model (Lovejoy, 2019).
Conclusion
In response to rising cases of ransomware attacks targeted at American colleges and
universities, in this paper, I have outlined the plan for rolling out a university-wide
information security program to ensure the security of the university’s information and data
assets. I have proposed a $120,000 enterprise firewall as the foundation of the program. The
idea is to prevent ransomware incidents from occurring in the first place, rather than waiting for
them to occur then responding with firefighting solutions. I have also identified government
resources the university may resort to in its fight against ransomware. These include various
cybercrimes-related laws and the FBI. I have also described some of the techniques the
university may use to gather electronic evidence – from the firewall, hardware and cell
phones – in the event of an attack.
References
Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers and
the Internet. Waltham: Elsevier Inc.
Digital Intelligence. (n.d.). EnCase Forensic Software + 1 Year Subscription. Retrieved from
Digital Intelligence: https://digitalintelligence.com/store/products/s5300
Easttom, C., & Taylor, J. (2011). Computer Crime, Investigation, and the Law. Boston:
Course Technology.
Frenz, C., & Diaz, C. (2018). Anti-Ransomware Guide. Open Web Application Security
Project.
Lovejoy, B. (2019, February 28). Retrieved from 9To5Mac:
https://9to5mac.com/2019/02/28/ufed/
McKenzie, L. (2021, March 19). Colleges a ‘Juicy Target’ for Cyberextortion. Retrieved
from Inside Higher Ed: https://www.insidehighered.com/news/2021/03/19/targeting-colleges-and-other-educational-institutions-proving-be-good-business
Mullins, M. (2021, March 20). Evaluating the real cost of an enterprise firewall. Retrieved
from TechRepublic: https://www.techrepublic.com/article/evaluating-the-real-cost-of-an-enterprise-firewall/
Sophos. (2021). The State of Ransomware in Education 2021. Burlington: Sophos.