Harvard University Chief Information Security Officer shares best practices, discusses BYOD and Internet of Things

Chief Information Security Officer Christian Hamer, who is responsible for policy and awareness across Harvard University and whose team handles security operations and incident response, took part in a panel last week at the Campus Technology conference in Boston (Campus Technology’s Rhea Kelly moderated; ESET researcher Lysa Myers was also an expert panelist). Here’s a selection of Hamer’s more notable observations:

Most important steps for protecting your network:

“We think all too often about IT security or information security [as being] about the bits and bytes, and what kind of widget we put on the network or somebody’s computer to protect it… But in general we have populations that want to do the right thing. They’re a lot more aware of the threats now because a lot of them have been in the media quite a bit recently. But they’re just not sure what to do or how to do it. And that’s probably the No. 1 thing that people could double down on. Does your community know what to do? Do they know how to do it? And do they know who to ask if they have trouble understanding that?”

Mobile security:

“There’s a great industry around mobile device management and an interesting debate about whether this is something appropriate for higher ed or not… I don’t see myself asking a faculty member to install software on his or her personal phone. These things are really quite personal — if you’re not sure about that, ask [New England Patriots quarterback] Tom Brady about how he felt about his phone. That said, this is an important area… that doesn’t mean you can just ignore this. I think it’s really about trying to abstract the data from the device. When you think about bringing your own device and mobile, that’s the way you need to think about it.

I’ve heard plenty of people talk about these great MDM programs that they’ve come up with in higher ed, and then I’ll ask them, ‘So how many faculty members are using it?’ and that’s usually where the conversation ends.”

Best practices for security awareness among end users:

“We’re going to be rolling out a campaign very soon focused around four best practices.

(1) We want them to apply updates, whether that’s on their phone, on the operating system on their computer, or for the individual pieces of software. That’s probably one of the single best ways to protect yourself.

(2) We want them to use strong passwords, and that means unique and difficult to guess. But we also want to offer them tools, whether it’s things like password managers [Harvard has done an extensive pilot with LastPass via Internet2] or pieces like 2-step verification.

(3) We want to make sure that people click wisely, going back to phishing issues. If we can get the user to recognize that there might be something a little off about this and not go there.

(4) The last piece is about knowing your data. It’s really important to understand what you have, whether it’s on your machine or a file share. Why do you have it? Do you really still need it, and if you don’t, how can you get rid of it securely?”

Convincing users to buy into best practices:

“[One] way to enforce the point is that these are just good practices that people should use in their online life, whether it’s at work, as a student or faculty member, or just at home. There ought to be a lot of self-interest there.”

The Internet of Things:

“[This is] a giant issue. If you didn’t see the news about Chrysler [a Jeep being remotely hacked] and weren’t sure about how big an issue it is, it’s gigantic.
I think the best thing we can do is understand where these devices are and try to wall them off from things, because at least in my experience they are not designed with security in mind at all… [People] are surprised when we come by and say that thing that they think is a digital sign actually has malware on it and needs to be taken off the network. The real danger area is where those things can intersect with critical data. We’ve seen proposals to put devices on our network that would collect recyclables and involve credit cards somehow, and that’s the part where you have to say OK, wait a minute, we need to separate these two things… [The long view] is that smart devices make our lives better and that’s fantastic, but we need to understand that they’re not designed at this point with security in mind.”