Benchmarking cybersecurity at Canadian universities

Brian Lesser, Ryerson University Panel Discussion

Early this year 37 Canadian universities began CUCCIO’s first attempt at cybersecurity benchmarking. A large working group was struck and we started to work with Bitsight, a cybersecurity rating service. Bitsight provides overall security ratings, grades for things like patching cadence, file sharing, and botnet infections, as well as detailed forensics. From their data we can already see that larger and more complex universities have lower or “basic” security ratings, very few universities have “intermediate” ratings, and none have achieved an “advanced” rating. Of course we’ve started out with many questions. Are these rating relevant to universities? Do larger and more complex universities have to work a lot harder at security? Is it possible for any university to achieve an advanced rating? What other information should we gather and how will all this help us develop better security practices?

This panel will explore some of the detailed results from our benchmarking work. We hope by the time of the panel to be able to discuss some ideas about best practices for improving the security posture of different types of universities from primarily undergraduate through comprehensive to research intensive. To start the conversation there will be a brief presentation by the panelists of our observations to date. Warning: we have just started this journey and there may be a lively debate about the results so far.

The panel will include at least one CIO and CISO as well as other members of the CUCCIO cybersecurity benchmarking working group. The panel may range in size from 4 to 6.

Building a Strategic Plan for Information Security

Hugh Burley, Thompson Rivers University

You’ve hired an Information Security Professional, allocated hundreds of thousands or even millions of dollars to security technologies, training, awareness, policies & standards, human resources, tweaked old processes and developed some new, but no one is really sure what’s going on and there doesn’t seem to be a clear path forward.

The CISO/Director/Manager has come up with a 150 page tome that they call an Information Security Strategy and there is a lot of detail. It references ISO 27001-2, PCI, CoBiT, ITIL, FIPPA/HIPA/PEPIDA and the top 20 Security Controls. Only the CISO/Director/Manager has read it all the way through, but it isn’t clearly connected to either the IT Strategic Plan or the University’s Strategic Plan.  In the mean time the University is trying to become PCI compliant; various departments/faculties/division have presented you with the defacto cloud solution to their business problems; the Privacy Office is demanding that your provide PIA information; the last audit indicated that the University’s controls could use some basic remediation for passwords, access control, encryption, etc; and the Board would like to know what risks this cyber security stuff really posses to the University, but the most urgent need is to deal with the most recent incident, and while recovering from that everyone knows that the next major incident is only a click away.

This probably sounds all too familiar and there are no magic bullets.  Can your University get to an information security strategic plan? Will it make any difference?

In this interactive presentation, we will have the opportunity to see how one medium sized school is doing and consider what’s working and what isn’t.

CANARIE Identity Workshop: Hands on Federation with Shibboleth, ADFS, and Azure for R&E

Chris Phillips, CANARIE Inc.

As an early adopter, CANARIE continues to invest in evaluating and evolving technologies and standards in order to deliver enhanced federated identity solutions. Expanding the possible ways to leverage federated identity is key to extracting the most value for your campus.

In this workshop, CANARIE will share experiences gained from expanding their services to leverage AD FS and Azure as well as updates on Shibboleth, focussing on the most recent developments.

Attendees will observe a walk-through of the installation and configuration of the new ADFS Toolkit solution offered by CANARIE as well as our experiences and lessons learned alongside the eCampus Ontario initiative to deploy to every university and college in Ontario using federated identity.

Changing The Culture Of Security

Michael Spaling, University of Alberta
Gordie Mah, University of Alberta

Change.  Culture.  Security.  These three words have the power to attract many types of people while sending others running for the hills.  How we approach them is instrumental in creating an effective security posture.  We have seen many positive shifts in the University of Alberta’s security culture in the last few years and would love to share our approach by highlighting successes and failures.

This presentation will cover key changes to our institution which are driving security out from being a roadblock to instead serve as an enabler.  We’ll look at these changes from three different angles including the creation of the U of A’s first ever dedicated security team, changes across our department and changes across the institution as a whole.  We’ll then parallel these changes with Campus Alberta and the University sector across the country.

Developing a Model for Cybersecurity Maturity Assessment

Tariq Al-idrissi, Trent University

Cybersecurity has become a topic at the top of the priority list for most university IT operations across the country. CIOs have spent a lot of time, rightfully placed, on; understanding the magnitude of the cybersecurity problems that they face, educating their Boards, putting in place strategies around preventing breaches, preparing for breaches, and responding to breaches.  A lot of dollars have been invested, but did it really make a difference?  “I think so” is the last answer that your Board wants to hear.  Did your university achieve more cybersecurity maturity in the process?  Can you quantify that?

There are multiple ways to assess cybersecurity maturity at your institution:

  1. You can hire an external firm to assess your cybersecurity maturity.  Some firms will use their own methodology while others will utilize a blend of industry standards, such as ISO 27001 or the NIST Framework for Improving Critical Infrastructure Cybersecurity.   The key here is to be assessed to establish a baseline and to be assessed again at some future interval to demonstrate maturity growth. This can be expensive.
  2. Try to assess maturity yourself by utilizing a canned survey (InfoTech Research or Gartner) or attempting to apply an established standard yourself.  The problem with self-assessment today is that there is not a set methodology on the approach. What are the key questions to ask?  Who do you ask these questions of?  Do you collect the data via a survey only or some other method?

This session will focus on presenting a model and tool for self-assessment based on the NIST Framework for Improving Critical Infrastructure Cybersecurity.   This model will address the following questions;

  1. How do I organize a self-assessment?
  2. What questions do I ask of whom?
  3. What format do I ask these questions in?
  4. How do I analyze the responses and quantify my cyber security measures?
  5. What does my maturity profile look like?
  6. What actions do I need to focus on following an assessment?
  7. When should I complete my next assessment?

In addition to showcasing our efforts at developing this methodology, Trent University is happy to share what we have developed so it can be adopted at other institutions. It is our ultimate goal to use a subset of maturity scores and generalized data for benchmarking purposes across the whole university sector in Canada.

From Stone Tablets to Wearable Technologies: A History of (Cyber) Security and Its Relationship to How We Collectively See the World

Colin Couchman, Western University

Examine any survey of Information Technology leaders and you will more than likely find Cyber Security at the top of major issues plaguing the technology sector as we move more deeply into the 21st Century.

There are many challenges in front of Higher Education as we seek to remediate, consolidate, and innovate in our various environments, but Cyber Security is a topic that touches upon all we do, where it is in policy and best practice development, cyber hygiene awareness campaigns, or making safe our applications and data.

The idea of privacy and the need to be secure is not a new subject. It is a topic rooted deeply into our histories and is intrinsically linked to democracy and free-thinking.

The Magna Carta was a doctrine set upon King John in 1215 due to the excessive abuses of his government. Before this ‘great charter’ there was nothing establishing personal privacy (limiting search and seizure), there was nothing dictating that everyone fell under the rule of law, and there were no limits on arrest and seizure.

The Magna Carta developed ideas that founded the common laws we see today, systems which would serve as the foundation for nearly all the world’s modern democracies. At this heart of this charter lies a chief principle – the idea that individuals possess the rights of privacy and freedom from abuse.

How do we understand Cyber and Information Security and Privacy within technologically-equipped and complex Higher Education institutions? This talk will discuss the challenges and solutions by examining myth and reality.

Understanding the past can give us insights into where we go tomorrow.

From the Trenches: Security Case-Studies

Ben Steeves, University of New Brunswick
Erik Denis, University of New Brunswick

Everyone has a story to tell, but the people who work day-to-day in IT security have some of the best ones. Usually we share them amongst ourselves, looking for a sympathetic ear or advice. In this talk, though, UNB is sharing our stories, from the terrifying to the trivial.

We’ll describe some of the more interesting stories of higher-ed information security, experienced first-hand by the presenters. We’ll take a deep-dive into the situations, their causes, and the changes they prompted in both our technical environment and our approach to cybersecurity.

All of our stories have a common theme and it is that security incidents are always about people.

The second half of our presentation is dedicated to how we’re addressing the urgent need for better cybersecurity awareness throughout the organization. We’ll discuss the tools, methods and results we’ve been able to achieve so that — with a little luck — these kinds of stories are something we only ever hear about, and never experience again.

Going all-in on cybersecurity awareness

Jessica Gallagher, Ryerson University
Brian Lesser, Ryerson University


Moving to a cyber-secure culture means challenging deeply ingrained convictions and changing people’s habits on a large scale. This year, Ryerson University went all in. We simulated five phishing campaigns against 65,120 people in one month. We gave away a lot of little prizes and some not-so-little ones for turning on two-factor authentication and for reporting phishing attacks. We pushed security messages through every channel we could, including pop-up messages that appeared over 1.3 million times in the portal. We measured everything from time-to-close on pop-up messages to two-factor adoption by role, to the number of people who reported phishing attacks.

How did we reach student, faculty and staff segments? Stepping outside the IT realm to take a marketing communications approach was integral to designing our campaign. Join us as we share details of our approach and results through graphs, bar charts and videos. One conclusion to share is: yes, you can change culture and people’s behaviours, but don’t expect that you can do it all in a month or even in a year. It took years to develop the environments, habits and cultures we all work within today. It will take persistent efforts over the coming years to foster measurable improvements that will make Canadian universities safer places.

How Automating Copyright Infringement Notices Can Save Your Sanity

Blair Sawler, University of New Brunswick

In 2017, the Information Technology department at the University of New Brunswick received approximately 200 copyright infringements claims in six months, and this was with our residences on an external internet service provider. Staff were dedicating too much time identifying clients on our network before sending out notices advising them of a copyright claim. Our team was manually looking up IP addresses in logs, matching them up with User IDs, and then sending out notices. Each infraction notice could take up to 30 minutes to track down the data. This resulted in almost 100 hours of staff time (almost three weeks annually) dedicated to sending out notices. We knew we needed to come up with a new process to not only automate the notices, but to track repeat offenders. This presentation will discuss and demonstrate how we have taken the copyright notice from the owner of the material, and automatically integrated data from various sources including Active Directory, DHCP and RADIUS: all stored within QRadar. We also made use of our ITSM tool: FootPrints to track and send out notifications to our clients.

Identity access management vision, roadmap and architecture in Higher Education

Sabrina da Silva, Simon Fraser University
Birds of a Feather

Presently, many higher education institutions have their identity and access management solution under review. An increase in cloud services adoption, user expectation, security risks and complexity of integrated services has led to a strategic revision for current processes. A holistic view of the institute is required to build an encompassing identity management vision and consolidate strategies. This comes along side an identity roadmap and architecture that reflect business requirements, set to accomplish shared institutional objectives. Currently, SFU has under development its identity management vision, roadmap and architecture. The main focus of this session is to discuss strategies and share insights for this topic in Higher Education.

PCI Compliance....Getting there, Staying there, Please make the pain stop!

Frank Nadon, Mount Royal University
Birds of a Feather

This presentation is not a step by step cookbook to become PCI compliant, but it will highlight the key points required to achieve PCI compliance, maintain PCI compliance and also discuss upcoming technology changes/improvements that should make PCI sustainment easier to manage.

Topics discussed:

– Key components of a successful PCI project

– Sustainment activities

– Future payment technologies to improve security and minimize sustainment efforts

– Team structure and suggested training

The participants should get some helpful tips regarding establishing or maintaining PCI compliance at their institution regardless of which stage they are at in their PCI journey.

Rallying The Troops: Practical Tips for Raising Information Security Awareness

Carrie Leslie, University of British Columbia
Stephanie Stewart, Simon Fraser University
Allison Yanke, Wilfred Laurier University

For IT professionals in higher education it is no surprise that for the past three years information security has been identified by EDUCAUSE as the top IT risk facing post-secondary institutions. However, for many faculty, students, and staff outside of IT, information security means nothing more than persistent reminders about password changes.

Despite advances in technology, human error is still a leading factor in successful cyber attacks. In order to offer the best defense against this, IT departments need to effectively communicate about the importance of information security and explain how everyone has a role to play. But how? In a university environment there is a fine balance between discussing threats and offering reassurance, as well as inspiring action without cultivating a climate of fear. Many institutions also struggle with human and financial resources to support these types of efforts. So how should you go about “rallying the troops” and getting everyone on board to address information security?

In this interactive session that offers perspectives from three different universities, we will explore best practices and lessons learned derived from a variety of communications initiatives used to educate university communities about information security. Participants of this session will leave with practical ideas for encouraging employees to make information security a priority and how to reinforce key behaviours that will help to raise awareness and mitigate cyber security risks at their own institution.

Recurring CyberSecurity Themes in Higher Education: CUCCIO Security SIG

Jeffrey Gardiner, Western University
Panel Discussion

This annual CANHEIT information security session is interactive and explores current information security themes that reappear within the Canadian university sector. Panel members represent the CUCCIO – Security Special Interest Group (SIG) that are active valiantly helping to defend Canadian Universities.  These same folks communicate in monthly phone conferences and ongoing/frequent information sharing. This session is also attended by a wide-range of university IT domains ranging from CIO, networks, developers and more, in addition to security practitioners. The wide-ranging attendees are a testament to the focus and priority information security has gained not only in the university sector but generally. We hope to see you for this interactive session that provides insight into current security pain points, lessons learned, and varying perspectives among the cohort.

Securing Higher Ed: the politics, expectations, and realities

Jonathan Coller, University of Saskatchewan
Shari Baraniuk, University of Saskatchewan

In 2017 in the aftermath of several high profile sector incidents at higher ed and public institutions, the University of Saskatchewan launched a series of major IT Security projects to reduce its exposure. These projects ranged from targeted new technical controls to major shifts in policy and organization structure. This presentation will explore where we started, why we chose our projects, and the political and consultation process required. We’ll also discuss the challenges, successes, and surprises we’ve encountered along the way.

Securing our Neighbourhood to Secure Ourselves: Lessons from a National Community of Cybersecurity Vigilantes

Julian Corduneanu, CANARIE Inc.

Just as a secure neighbourhood strengthens the security measures of each household, the security of Canada’s higher ed institutions is strengthened by the practices of all other institutions. Although institutions continue to participate in regional and national groups to learn about new threats and share best practices, most do not collaborate on cybersecurity operations.  To strengthen the whole community through greater visibility of the breadth of security issues and foster a shared culture of learning, a proactive and systematic joint approach to security is critical. One approach to towards the adoption of this culture has been CANARIE’s Joint Security Project, launched in mid 2017 in cooperation with ISED.  With the participation of 40 institutions, the project supports an operational progression to how infrastructure, people, and processes align to collaborate on security best practices and risk mitigation.  The project also involves Canadian cybersecurity researchers in advancing the analysis of aggregate cybersecurity data.

In this session, the manager of CANARIE’s security program will discuss the lessons learned in orchestrating a collaborative security project among widely diverse institutions, and where Canada’s higher ed institutions may further collaborate to continue to secure the neighborhood.

Securing the National Research and Education Network, Federation Style

Bala Kathiresan, BCNET
Gerry Miller, MRnet
Alfonso Licata, ORION
Terry Nikkel, University of New Brunswick
Jill Kowalchuk, CANARIE Inc.
Panel Discussion

A recent cyberattack on the UK National Research and Education Network (NREN), Janet, highlights that NREN security is a necessary layer in ensuring the highest performance standards and availability of the broader research and education system. Canada’s NREN, comprising CANARIE and twelve regional and territorial partners, continue to invest in and evolve our security capabilities in an environment of real threats and rapid change.

Given the federated model of Canada’s NREN, designing and implementing joint security projects is an important new step to ensure consistent security for connected institutions across the country.

The NREN Security Information and Event Management (SIEM) deployment project is the first initiative of a broad, proactive strategy to detect, assess, and mitigate security threats and incidents. This project is a prominent example of how Canada’s NREN is taking a cohesive approach to incident response through the collaboration of NREN partners and member institutions.

During this panel, executives from NREN partners across the country will discuss their plans for implementing a federated approach, and how it will benefit Canada’s research and education community.

Security Frameworks: Sharing University Models

Richard Lacombe, HEC Montréal

Cyber Security is on everybody’s minds. It’s not just an IT problem anymore, University administrations turn to IT to provide a framework to mitigate risk and increase overall IT Security maturity.

3 Universities (number to be confirmed) will share their IT Security Frameworks and will present specific elements of their incident management processes.

The limitation of SIEM and the next steps to leverage your investment

Hugo Dominguez, McGill University

Security Incident and Event Management (SIEM) tools have either been on the radar of many organizations or been implemented and proven to be essential tools for incident investigation, forensic analysis and often operation tools.

However, most implementation fall short of demonstrating real value as a pro-active toolsthan can efficiently contain incidents or act as cornerstone of your incident response process.

This presentation aims at exposing the limitations of most SIEM implementations, what should organization consider next to maximize their investment and what can an organization with no access to SIEM solutions do to create some incident and event management capabilities.

Think before you click. Launching Simon Fraser University's #CyberAware campaign

Stephanie Stewart, Simon Fraser University
Naomi Zhang, Simon Fraser University
Poster Session

Cyber Security Awareness Month is an internationally recognized campaign held each October to help build awareness on the importance of information security. The goal of the campaign is to inform people the simple steps they can take to protect themselves and be more secure online.

In 2017, Simon Fraser University launched its first Cyber Security Awareness month campaign with a focus on phishing awareness. Leveraging visual storytelling and various communications tactics, this campaign decoded cyber security with the goal of engaging staff, faculty, and students to become #CyberAware.

This poster presents how the campaign was designed with the user in mind, what tactics were used, and the lessons learned.

Two paths to two-factor authentication

Jason Testart, University of Waterloo

Enabling two-factor authentication is one of the best things you can do to protect your own accounts, but moving an entire campus to two-factor authentication takes work and perseverance. Do you use a service or roll your own system? Do you make it optional for students but required for employees, or maybe required for some applications but optional for others? What happens when someone leaves their authenticator at home and can’t log in when they get to work? And, how many people will actually use it? In this presentation we will talk about the options, the challenges, and drivers for adoption of two-factor authentication at two universities.

Workflow for Effective Privacy Reviews of Ed Tech

Dr. Janni Aragon, University of Victoria
Poster Session

BC has some of the most strict privacy regulations in Canada. There are effective ways to manage the constraints. To this end, you must have good relationships with your IT colleagues, teaching and learning colleagues, and the privacy office. This session will workshop the workflow for managing ed tech projects.

CANHEIT-TECC 2018 : June 18-21