SafetyDetectives had the honor to interview Ralph Russo, Director, Information Technology Programs and Senior Professor of Practice at Tulane University. We discussed Tulane’s cybersecurity courses, what’s the current state of cybersecurity awareness, and some expert tips on the best ways to prevent and react to the most common cyber attacks.
What’s the story behind Tulane University: How did it all start, and how has it changed during the years?
New Orleans in 1834 was one of the busiest international port cities in the world. But the city wasn’t just importing goods from across the world, they were also importing deadly diseases like yellow fever, malaria and smallpox. In an effort to treat these diseases, learn more about them and train more doctors, the Medical College of Louisiana was formed.
By 1847, the Medical College of Louisiana was a newly established public institution, the University of Louisiana. But in 1884, wealthy merchant Paul Tulane, a native of Princeton, N.J., wanted to express his appreciation for the city that made him his fortune. He donated more than $1 million in land, cash and securities “for the promotion and encouragement of intellectual, moral and industrial education.” His generous gift transformed the University of Louisiana into Tulane University. In 1886, the H. Sophie Newcomb Memorial College was established as Tulane’s co-ordinate college for women.
More than 180 years later, Tulane University has become one of the most respected educational and research institutions in the country. Tulane is a member of the prestigious Association of American Universities, a select group of the 62 leading research universities in the United States and Canada with “preeminent programs of graduate and professional education and scholarly research.” Tulane also is ranked by the Carnegie Foundation for the Advancement of Teaching as a university with “very high research activity.” Of more than 4,300 higher educational institutions rated by the foundation, Tulane remains in a prestigious category that includes only two percent of universities nationwide
The Tulane School for Professional Advancement (SoPA) offered the very first continuing education classes more than 130 years ago. Tulane offered freehand and mechanical drawing to men, as well as courses for teachers in 1886. A little over 50 years later, in 1942, Tulane’s Division for Teachers merged with the College of Commerce and Business Administration’s Night Division to create University College.
What programs and degrees do you offer that are related to cybersecurity?
Tulane SoPA offers the following Cybersecurity Degrees/Certificates online:
- Bachelor of Science in Information Technology/Cybersecurity Concentration
- Master of Science in Cybersecurity Management
- Academic Certificates in:
- Cyber Leadership (4 courses, 12 credits)
- Cyber Defense (4 courses, 12 credits)
October was cybersecurity awareness month. What do you think about the current way online media spread awareness about cybersecurity? Can it be improved?
Media reports on Cybersecurity lean into fear, and short-shrift solutions. In the cases where solutions or approaches are offered, they are often either too high-level and vague, or overly technical, jargon-filled, and unhelpful to a lay person – depending on the media outlet.
Like great technology instructors, it is relatively rare to find a communicator who can impart technical knowledge in a way that is easily understandable by their audience.
What are the essential steps that educational organizations should take to protect their websites and employees from hackers?
Education organizations require a similar approach to cybersecurity as most other organizations. The difference lies in the fact that education organizations, by their nature, are required to allow non-technical, widely dispersed, possibly underaged people as “insiders” (as opposed to managed visitors), while also potentially housing research, and large amounts of personally identifiable information (PII)
Some initial recommendations to protect education organizations are:
- Multi-factor Authentication for access (Authenticator apps, SMS/email etc.)
- Basic Cybersecurity training for users including Phishing, Smishing, safe practices, strong passwords. Consider a white-hat phishing email to identify and train susceptible employees.
- Endpoint security
- Network segmentation
- Auto-update device software (browsers, OS etc), hardware
- Device encrypted hard drives (e.g. bitlocker)
- Offline/Air-gapped secure Backups in case of ransomware, other issues
- Wi-Fi encryption
- Have a response and recovery plan that is practiced BEFORE you are hacked, including table-top exercises
- Inventory all systems/hardware/internet connections and diagram/document results
- Stay up to date with NIST recommendations
- Consider adding tools to assist in monitoring/alerting/responding/forensics such as a SIEM, IDS
- Consider hiring a reputable pen testing group to test defenses and identity weak spots
- Consider cyber insurance if a private entity – the insurer will ensure that most/all of the above are in place before issuing a policy
And what is your suggested course of action if a website gets hacked and data breached?
The first thing is to realize you probably won’t be able to completely address the breach immediately, so avoid taking actions that might destroy evidence.
Also, response differs based on the nature of the organization and its mission. For example, completely disconnecting from the internet immediately might be a good step in many cases, but untenable in others.
A priority would be to get an expert in breach response in to assist. Just being an “IT” person is often not enough to handle a significant breach and the responses/forensics needed. Also, bringing in a third party may speak to an organization’s due diligence. It is recommended that the organization have an ongoing relationship with a MSSP before a breach.
In many cases, a timely notification to law enforcement (including IC3.gov) is not only recommended but required. Also, if you have Cyber Insurance, they will need to be notified up front.
Your expert may then want to segregate affected systems from critical unaffected systems, document changes vs original settings, quarantine malware, protect logs (for evidence), and disable remote access. Requiring all users to change their passwords is often a good practice as well – hopefully, MFA is in use.
As you certify that systems/servers etc. are free of malware, bring them back online in a considered, prioritized fashion.
These steps (and much more) should be worked out relative to the school’s specific systems, users, and data as part of the organization’s response and recovery plans which are reviewed/updated at least annually and practiced.
Is There Any Recent Cyber-Attack That Concerned You More Than Others?
The 2020 SolarWinds Hack was very concerning to me. This hack infiltrated the SolarWinds Orion product which was used by many Fortune 500 companies, and US government/military/etc. agencies to manage their IT systems.
This hack not only was a supply chain hack that rode in on a compromised Orion update, it also targeted a ubiquitous IT management system (Orion) that had significant access/permissions on customers’ infrastructure.
18,000 SolarWinds customers installed updates that left them vulnerable to hackers. Since these customers were major defense /security /financial /government agencies, this hack was terrifying in its nature, especially since it has been attributed to a foreign nation (Russia).
And what about your future? What is next for Tulane University?
Tulane University SoPA’s Information Technology Programs recently were granted accreditation by ABET (leading international accreditor for engineering and technology academic programs) and NSA’s Center for Academic Excellence in Cybersecurity Programs, validating our efforts in creating quality courses and programs.
Going forward, we will continue to change with the technology and approaches, offer additional professional industry certifications along with our academic degrees, expand our online programs, and continue to attract the best tech faculty available. The goal of providing students with the finest academic degree using an applied approach for industry readiness will perpetuate.