(This was originally published on Optimal Partners’ blog.)
Cybersecurity is one of the most pressing issues facing Higher Ed institutions today. Unfortunately, third-party penetration testing and vulnerability assessments can be incredibly expensive, especially for large universities. It may sound too good to be true, but there is a suite of cybersecurity programs offered for free to help private companies and Higher Ed institutions mitigate the risks of cyber threats.
National Cybersecurity Assessments and Technical Services
The Department of Homeland Security provides a series of cybersecurity programs through its National Cybersecurity and Communications Integration Center (NCCIC). As part of the NCCIC, the National Cybersecurity Assessments and Technical Services (NCATS) team aims to help prevent cybersecurity breaches and provide assistance if an incident does occur. Their mission “is to measurably decrease the risks present in our Nation’s cybersecurity infrastructure,” and according to their annual report, they’re doing a great job of fulfilling that promise. In fiscal year 2017, NCATS helped mitigate 300,000 vulnerabilities while conducting cyber hygiene scans for more than 600 government and private sector stakeholders.
Earlier this year, we had the opportunity to speak with a few members of the NCATS team to discuss their programs, the application process, and some of the concerns that we and others had about their offerings. What follows is the summation of that interview, an interview with one of their clients, and additional research into the programs they offer.
NCATS primarily offers two programs, the Risk and Vulnerability Assessment (RVA) and the Cyber Hygiene (CH) program. The former, and more robust of the two, involves a team of NCATS engineers performing a series of tests on your university’s network and providing an in-depth analysis of the overall strength of your cybersecurity. The latter is an ongoing non-credentialed scan of your IP perimeter. According to Sean McAfee, a member of NCCIC, “what you see is what you get” when it comes to their services. He expressed that “it’s the same level of expertise from our side. It’s the same scans and tests, regardless of whether it’s the private sector or a university.”
Risk & Vulnerability Assessment
As the more resource-intensive option, the Risk and Vulnerability Assessment requires more preparation and planning from both parties, but it may also yield more impactful results. An average RVA engagement takes approximately two weeks. Once initiated, the NCATS team will assign four to five engineers to your institution, who will begin their assessment off-site. Once that phase of the assessment is completed, NCATS may require a conference room or office at your institution to complete the second portion of on-site testing.
NCATS’ RVA toolkit includes vulnerability scanning, both internal and external, and social engineering, an exercise to assess how vulnerable your users are to phishing attacks. “We can test what happens if an end user clicks and downloads a malicious file,” McAfee said. During 2015, the RVA’s phishing emails resulted in an average click rate of 25%. Due to more awareness and training, the average click rate fell to 10% in 2017. If your institution doesn’t require the additional phishing testing, NCATS has you covered; the assessment is very flexible, allowing clients to tailor it to fit their institution’s specific needs.
While the RVA gives an overall assessment of your institution’s cybersecurity, the Cyber Hygiene program is meant to provide “an adversarial view of what holes can be found on your perimeter.” The remote scan showcases any vulnerabilities or trends in your IP perimeter from week to week and provides thorough reports on those vulnerabilities. It can even summarize the progress that your institution is making towards fixing any previously identified issues.
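The week-to-week tracking described above is something an institution can reproduce on its own side to consume any perimeter scan report: keep last week's findings, compare them against this week's, and separate what is new, what persists and what has actually been fixed. The following is an added example, not NCATS code and not the format of the Cyber Hygiene report; it assumes each weekly report can be reduced to records of host, finding identifier and severity, and the hosts and finding names are constructed sample values.

```python
"""Week-over-week comparison of perimeter scan findings (added example).

Assumption: each weekly scan report can be flattened into records of
(host, finding_id, severity). The data below is constructed for illustration
and does not reflect any real institution's perimeter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str         # scanned perimeter address (constructed, documentation range)
    finding_id: str   # scanner's identifier for the issue (constructed names)
    severity: str     # one of "critical", "high", "medium", "low"


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample data: two consecutive weekly scans of a small perimeter.
WEEK_1 = {
    Finding("203.0.113.10", "ssl-weak-cipher", "medium"),
    Finding("203.0.113.10", "outdated-web-server", "high"),
    Finding("203.0.113.25", "remote-desktop-exposed", "critical"),
    Finding("203.0.113.40", "self-signed-cert", "low"),
}
WEEK_2 = {
    Finding("203.0.113.10", "ssl-weak-cipher", "medium"),          # still open
    Finding("203.0.113.25", "remote-desktop-exposed", "critical"), # still open
    Finding("203.0.113.40", "self-signed-cert", "low"),            # still open
    Finding("203.0.113.51", "outdated-web-server", "high"),        # new this week
}


def _sort_key(f):
    """Order findings by severity first, then host and identifier."""
    return (SEVERITY_ORDER[f.severity], f.host, f.finding_id)


def compare_weeks(previous, current):
    """Split two weekly snapshots into new, fixed and persisting findings."""
    return {
        "new": sorted(current - previous, key=_sort_key),
        "fixed": sorted(previous - current, key=_sort_key),
        "persisting": sorted(previous & current, key=_sort_key),
    }


def severity_counts(findings):
    """Count findings per severity level, always returning every level."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


def remediation_rate(previous, current):
    """Fraction of last week's findings that no longer appear this week."""
    if not previous:
        return 1.0
    return len(previous - current) / len(previous)


def format_report(previous, current):
    """Produce a short text summary suitable for a weekly status update."""
    diff = compare_weeks(previous, current)
    lines = [f"Perimeter findings this week: {len(current)} "
             f"(last week: {len(previous)})"]
    for label in ("new", "fixed", "persisting"):
        lines.append(f"  {label}: {len(diff[label])}")
        for f in diff[label]:
            lines.append(f"    [{f.severity}] {f.host} {f.finding_id}")
    lines.append(f"  remediation rate: {remediation_rate(previous, current):.0%}")
    counts = severity_counts(current)
    lines.append("  open by severity: " +
                 ", ".join(f"{k}={v}" for k, v in counts.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(WEEK_1, WEEK_2))
```

Keying findings on host plus scanner identifier, rather than on host alone, is what makes the "fixed" bucket trustworthy: a host that drops one issue but gains another is reported as one fix and one new finding instead of as unchanged. The persisting bucket, sorted by severity, is the list leadership most needs to see from week to week.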
As free services, both programs offered by the NCATS team follow a formal process for applications. When asked how long it would take to set up their programs, McAfee reassured us that once an agreement is signed and the proper technical information is provided, the Cyber Hygiene program can be up and running in as little as 48 hours. As for the Risk and Vulnerability Assessment, it could potentially be up to eight to twelve months from the time of signing before the logistics and resources are in place. The NCATS team has a finite set of assessments that they can do each fiscal year, so if you are interested in their services, the sooner you reach out to them the better.
After researching NCATS’ cybersecurity offerings online, we came across a lot of comments expressing potential clients’ concerns with the programs. For example, many commenters were worried about “big brother” finding backdoors into clients’ networks and not notifying them. When asked about some of these concerns, McAfee explained that although the NCATS team works with other government agencies, like the Department of Defense and the National Security Agency, maintaining a trusting relationship with clients is of utmost importance. “Relationship building and establishing trust with the communities out there is a driver for what we do every day.”
The relationships that NCATS has with other agencies are beneficial for clients, McAfee said. “It’s about taking information that is sensitive and being able to create a product for the communities that don’t have classified access, and getting that information to our stakeholders to best utilize in their environment at any point in time.”
McAfee reassured us that the NCATS team considers client privacy paramount to their operation. “We’re guided by a very strong legal team and our general counsel, as well as our formal agreements with those groups.” When it comes to trust, it’s hard to deny that the NCATS team has a good track record. As of our interview, their Cyber Hygiene program had 415 stakeholders after two years of operation. “We get a lot of return customers,” McAfee said.
A Client’s Perspective
Along with our interview with members of the NCATS team, we also had the opportunity to interview one of their clients, David Marion from Bridgewater State University. When asked about the concerns we had about the NCATS programs, Marion responded by saying that he sees the NCATS team as coworkers, not big brother. “We’re all on the same team,” he said. “No one is pointing their fingers at anyone else.”
His experience working with the NCATS team was a win-win for everyone involved, he explained. The IT department at BSU wasn’t sure whether their network was one hundred percent secure, so they reached out to the NCATS team for help. “We were able to send an email to the Department of Homeland Security and they were able to provide us some additional steps to see whether we were vulnerable or not.”
Marion mentioned that even if you’re not worried about your institution’s cybersecurity, the NCATS Cyber Hygiene program is “a quick, easy way to take the temperature of your infrastructure each week. It’s about demonstrating to leadership that security can do things for free.” Once your institution’s leadership sees what is possible with free services, they may be more inclined to invest more in paid cybersecurity programs.
Although there may be better overall cybersecurity analysis services out there, it would be very difficult to get the level of expertise and support provided by the NCATS team for a better price. With additional services, such as a phishing campaign assessment, in development as of the time of our interview, the NCATS suite of programs can give you the reassurance you need about the strength of your university’s cybersecurity and potentially save your institution tens of thousands of dollars. To learn more about the NCCIC and NCATS programs, visit their website.