As the University of Colorado’s Chief Information Security Officer (CISO), Dan Jones leads and coordinates the systemwide information security program in partnership with the campuses and system administration. The Office of Information Security works with the campuses to provide services and expertise to support confidentiality, integrity and availability for data across the university.
A conversation with Jones about information security often hits upon a key word: complexity. And that’s without referencing the CU Boulder alumnus’ own complex dual role at CU, which also has him serving as the Associate Vice Chancellor for Integrity, Safety and Compliance at CU Boulder. In that post, he oversees public safety, flight operations, compliance coordination, accessible technology and, yes, information security.
Last year’s onset of the pandemic only added to the complexity of cybersecurity across CU.
“We talk about the ‘attack surface’ – from the perspective of an attacker, that’s where can they target you,” Jones said. “When you have more systems at employee homes, it spreads that attack surface that much larger, which makes it harder to manage the environment for Information Technology. We have more devices being used, and more people using personal devices at home. So it increases the complexity of security.”
In his free time, Jones likes to keep things simple: reading, cooking, getting outdoors.
“I’m hoping I’ll be able to get out the paddleboard soon,” Jones said. “Hiking or getting out on the water are how my wife and I spend time. That was one of the advantages of the pandemic, was getting to see my wife more often.”
1. What special circumstances do CU and other institutions of higher education face when cultivating a culture of positive information security?
When I talk to my colleagues in the private sector about higher education, I use the analogy, from Frances Draper (a wonderful colleague who recently passed away), of a research university being like a small city with a lot of high-tech industries. It’s like you have city government, a medical clinic, city services, businesses and maybe even some residential, when you consider student housing.
We’re really one of the most highly regulated sectors. We have student data and FERPA (Family Educational Rights and Privacy Act) requirements, there’s health insurance and HIPAA (Health Insurance Portability and Accountability Act), there’s Department of Energy requirements, requirements for grants and contracts. So that makes it more difficult: How do you think about security without having to think about 20 different sets of regulations? A typical IT person or faculty member, they’re not going to be able to keep track of all those regulations. So how do we present a set of expectations that maps to all those different requirements?
Because we don’t have a top-down corporate infrastructure, a large part of what we have to rely on is training and awareness to make sure everyone understands their security requirements.
2. How does the Office of Information Security approach the management of sensitive data?
I’ll start with top-down: So as CISO, my role is thinking strategically in terms of what is the university to do to protect our IT resources, to protect the information of our students and employees and alumni. So it’s thinking strategically about that, and understanding that keeping the university secure isn’t something that only the Office of Information Security achieves. It takes everyone.
The office also oversees security operations for CU Boulder and system administration. So if there’s a security incident, we’re managing that, doing monitoring, looking at logs and comparing that with intelligence we get from partners – “Oh, we’ve been told about this potential bad thing. Do you see that somewhere on your network?”
Where most employees see us, hopefully, is in the training-and-awareness realm. We want to make sure people have the information they need, understand what they need to do and how to play their part in protecting the university.
3. The Accellion cyberattack earlier this year brought information security to top of mind for the CU community. What’s the latest on CU’s response, and what security challenges loom on the horizon?
In June, Ukraine and U.S. authorities did make arrests of the gang that was involved with the Accellion breach. So it’s good to see that the federal government was able to make progress and see some justice there.
The attackers published stolen data on the dark web. CU got a copy of that to validate what was published relative to the notifications we sent out. We then wanted to do our due diligence and make sure nothing was missed. We determined roughly 1,200 files were deleted, so we sent out notices at the end of June to the individuals who were part of that last batch.
We’re going to do an exercise to make sure the university learns from this. One of the lessons from Accellion is, we have to do more to build better data services so people don’t have to download spreadsheets and send them around in email. That will be a focus going forward.
In addition to other core security improvements, we’re partnering with IT to make sure we continue, as attacks get more sophisticated, to have better technical protections around email. Multifactor authentication is a priority for the university.
4. How has the field of IT and cybersecurity evolved since you began your career?
It’s the level of complexity. We have known for a long time there are things you need to do, like make sure you have good passwords. And two-factor authentication isn’t necessarily new, but it’s the level of complexity – the number of different applications, the increased reliance on data – that has changed.
There are more people who need to use data and do analysis as part of their day-to-day job. And the data is so interwoven: It’s not just that I’m an employee with data that I created and am keeping track of, or I’m a faculty member tracking grades – and that’s it. Somebody else needs that grade information, has to correlate that information with other grades, has to correlate that information with student success.
Another part of the change is how quickly the rate and speed of malicious attacks has increased. We used to do an annual experiment where we would set up a new system on the internet, sometimes called a honeypot, and you’d wait and see how long it took for someone to try to attack it. We don’t do this anymore, because it went from us waiting months to only waiting minutes, just because of the speed of the systems that attackers have. You can’t set up a new system without it being discovered and people trying to take advantage of it within literally minutes.
You also see that in terms of people sending phishing emails: They may not know whether an account actually exists, but they’re making a bet that dan.jones exists, and they’ll try permutations on that with common names.
5. What responsibility does each faculty and staff member have in supporting information security and in maintaining the confidentiality and integrity of information?
The first thing people need to do is be aware of the sensitivity of the data they have. Ask yourself, if this were my information, how would I want someone else to protect it? If I have a spreadsheet with student IDs and names and grades, I can’t just email that out broadly or make it available to anyone with a Google account. I have to protect sensitive information that’s in my hands.
Also, ask yourself, do I need this data? We don’t need data lying around. If you don’t need it on your desktop or laptop because the university has another copy of it, get rid of it.
Likewise, just like people need to be aware of their own safety at home – you want to lock the door – they need to be aware that people are going to try to take advantage of them. There are malicious individuals who really are trying to trick you. That could be by sending fraudulent or phishing emails, which try to trick people into divulging information or getting them to go to a malicious website. Always be conscious about clicking links on an email. Be skeptical. It’s the old adage, if it looks too good to be true, it probably is.
Increasingly, people need to be aware of, when they’re using their personal device – their home computer or their phone – that they’re responsible for security on that. So don’t put sensitive data on your personal device. If you’re reading email on your phone, make sure you have a PIN and basic security in your device.
The most important thing people can remember is to ask: If you have a question, check with your desktop support person or security team. If you get a weird email, stop, pick up the phone and ask about it.
Another good resource is our website: https://www.cu.edu/security.