Members of OmniSOCResearchSOC, Trusted CI, CACR, and REN-ISAC will be presenting at the 2021 EDUCAUSE Cybersecurity and Privacy Professionals Conference. The Conference runs Tuesday, June 8th through Thursday, June 10th. and will “focus on restoring, evolving, and transforming cybersecurity and privacy in higher education.”

Presentations include:

From Ally to Accomplice: Driving culture change across organizations

Wednesday, June 9th, 11:00a.m. – 11:20a.m. ET

Presenting: Hannah Tun, Lead Security Engineer, OmniSOC, Jennifer Pacenza, Information Services Analyst, REN-ISAC, Amy Starzynski Coddens, Strategic Partnerships Manager, REN-ISAC

Many of us would consider ourselves allies to underrepresented groups. We stand in support of disenfranchised people, voices, and experiences. We sympathize, we educate ourselves, and we want to help. But is it enough to just be an ally? Recently, the term ally has been challenged by the concept of the accomplice. While the word does have inherent negative connotations, an accomplice in this instance means actively using your privilege to engage and change the systems supporting inequality. Accomplices put themselves at risk to remove barriers, misunderstandings, and even threats impeding political, professional, and personal equality. Allies and accomplices are not two separate categories. Instead, all accomplices are allies, but not all allies are accomplices. In this session, the panel will discuss ways to move from ally to accomplice. Discuss instances and spaces both professionally and personally where we were motivated to risk something of ourselves to advocate for another. We hope these examples will encourage an open discussion on tactics for moving from ally to accomplice in our individual spheres, with an emphasis on creating change from where you are right now.

Big Security on Small Budgets: Stories from Building a Fractional CISO Program

Thursday, June 10th , 2:00 p.m. – 2:45 p.m. ET

Presenting: Susan Sons – Deputy Director, ResearchSOC

No one in cybersecurity has an infinite budget. However, those booting up cybersecurity programs in organizations whose leadership haven’t fully bought in to the value of cybersecurity operations, bolting security on to an organization that has been operating without it for too long, or leading cybersecurity for a small or medium-sized institution often have even less to work with: smaller budgets, less training, fewer personnel, less of every resource. Meanwhile, the mandate can seem infinite. In this talk, Susan Sons, Deputy Director of ResearchSOC and architect of the fractional CISO programs at ResearchSOC, OmniSOC, and IU’s Center for Applied Cybersecurity Research, discusses approaches to right-sizing cybersecurity programs and getting the most out of limited resources for small and medium-sized organizations. This talk covers strategies for prioritizing security needs, selecting controls, and using out-of-the-box approaches to reduce costs while ensuring the right things get done. Bring your note pad: we’ll refer to a number of outside references and resources you can use as you continue your journey.

Until We Can’t Get It Wrong: Using Security Exercises to Improve Incident Response

Wednesday, June 9th , 2:00p.m. – 2:20p.m. ET

Presenting: Josh Drake – Senior Security Analyst, ResearchSOC, and  Zalak Shah – Senior Security Analyst, ResearchSOC

Incident response can be challenging at the best of times, and when one is responding to a major incident, it is rarely the best of times. A rigorous program of security exercises is the best way to ensure than any organization is prepared to meet the challenges that may come. The best cybersecurity teams have learned not just to practice until they can get it right, but to practice until they can’t get it wrong. They use a regular program of security exercises coupled with post mortem analysis and follow-up to ensure that the whole team, and all of the technologists and organizational support they work with, get better at handling incidents over time. This session will teach you how to build a security exercise program from the ground up and use it to ensure that your incident response capabilities can be relied on no matter what happens.

Lessons from a Real-World Ransomware Attack on Research

Thursday, June 10th, 12:25p.m. – 12:45p.m. ET

Presenting: Andrew Adams – Security Manager / CISO, Carnegie Mellon University and Von Welch – Director, CACR, Indiana University

In this talk, co-presented by the Michigan State University (MSU) Information Security Office and Trusted CI, the NSF Cybersecurity Center of Excellence, we will describe the impact and lessons learned from a real-world ransomware attack on MSU researchers in 2020, and what researchers and information security professionals can do to prevent and mitigate such attacks. Ransomware attackers have expanded their pool of potential victims beyond those with economically valuable data. In the context of higher ed, this insidious development means researchers, who used to be uninteresting to cybercriminals, are now targets. During the first part of the presentation, we will explain the MSU ransomware incident and how it hurt research. During the second part, we will elaborate on mitigation strategies and techniques that could protect current and future academic researchers. Finally, we will conclude with a question-and-answer session in which audience members are encouraged to ask Trusted CI staff about how to engage researchers on information security. Trusted CI has unique expertise in building trust with the research community and in framing the cybersecurity information for them. Trusted CI regularly engages with researchers, rarely security professionals, and has a track record of success in communicating with researchers about cybersecurity risks.

Google Drive, the Unknown Unknowns

Wednesday, June 9th, 12:00p.m. – 12:45p.m. ET

Presenting: Ishan Abhinit – Senior Security Analyst, CACR and Mark Krenz – Chief Security Analyst and CISO, ResearchSOC, Indiana University

Every day countless thousands of students and staff around the world use cloud storage systems such as Google Drive to store their data. This data may be classified public, internal, and even confidential or restricted. Although Google Drive provides users with ways to control access to their data, my experiences have shown that users often aren’t aware that they are exposing their data beyond their expected trust boundary. In this talk I will briefly introduce the audience to Google Drive, sharing some of my own experiences dealing with security concerns. Then I will provide an overview of the issues that academic and research institutions face when using it. I’ll highlight the security threats to your data and how to deal with various situations, such as when someone leaves a project, when data is accidentally deleted, or when data is shared and you don’t know it. In the second half of the presentation I’ll provide the audience with some solutions to these security issues that are useful to a variety of institutions large and small as well as individual projects and people. Some of these solutions were developed by me and my team to solve our own issues, and so now I’ll be sharing these solutions and tools with the community at large.

SecureMyResearch at Indiana University

Thursday, June 10th, 1:00p.m. – 1:20p.m. ET

Presenting: Will Drake – Senior Security Analyst, CACR and Anurag Shankar – Senior Security Analyst, CACR

Cybersecurity in academia has achieved significant success in securing the enterprise and the campus community at large through effective use of technology, governance, and education. It has not been as successful in securing the research mission, however, owing to the diversity of the research enterprise, and of the time and other constraints under which researchers must operate. In 2019, Indiana University began developing a new approach to research cybersecurity based on its long experience in securing biomedical research. This resulted in the launch of SecureMyResearch, a first-of-its-kind service to provide cybersecurity and compliance assistance to researchers and stakeholders who support research. It was created not only to be a commonly available resource on campus but also to act as a crucible to test new ideas that depart from or are beyond enterprise cybersecurity practice. Those include baking security into workflows, use case analysis, risk acceptance, researcher-focused messaging, etc. A year later, we have much to share that is encouraging, including use cases, results, metrics, challenges, and stories that are likely to be of interest to those who are beginning to tackle research cybersecurity. We also will be sharing information and advice on a method of communicating the need for cybersecurity to researchers that proved to be highly successful, and other fresh ideas to take home and leverage on your own campus.

Regulated Research Community Workshops

Tuesday, June 8th, 12:15p.m. – 12:35p.m. ET

Presenters: Anurag Shankar – Senior Security Analyst, Indiana University, Erik Deumens – Director UF Research Computing, University of Florida, Carolyn Ellis – Program Manager, Purdue University, and Jay Gallman – Security IT Analyst, Duke University

Supporting institutional regulated research comes with a wide range of challenges impacting units that haven’t commonly worked together. Until recently, most institutions have looked internally to develop their regulated research programs. Since November 2020, 30 institutions have been gathering for six workshops to share their experience and challenges working establishing regulated research programs. This session will share the process involved in making these workshops successful and initial findings of this very specialized group.

You can view the full agenda, including the on-demand program, online.