You are Chief of Staff to the Dean of Harvard Kennedy School and a faculty member is proposing that LastPass be made mandatory for all faculty, students, and staff. You have a meeting with the Dean and the Head of IT - what would you recommend and why?
About LastPass
LastPass is a freemium password manager that stores encrypted passwords online. The standard version comes with a web interface, but it also includes plugins for various web browsers and apps for many smartphones.[1] The blog below explores the question of whether a post-secondary academic institution (Harvard Kennedy School in this case) should mandate such a password manager for the benefit of its faculty, students and staff.
History of Digital Security Breaches at Harvard
In the summer of 2015, Harvard revealed that the University’s IT systems had been breached in June, affecting 8 colleges and administrative units. While HKS was not on that list, it could easily have been the Kennedy School instead of the Graduate School of Design. As a result of the incident, Harvard tightened its digital security protocols by rolling out HarvardKey with two-factor authentication.
Evaluating Digital Assets, Assessing Threats & Consequences
The security-plan recommendations of the open-source Surveillance Self-Defense Guide are used as the basis for analyzing the assignment scenario. I would begin by asking the following questions:
What digital data do HKS students have in the cloud that is worth protecting?
Who do the students (and HKS) want to protect it from?
How likely is the threat?
How bad are the consequences for the students if their digital security is breached?
How much trouble do the students have to go through if LastPass is made mandatory?
Increasing Attacks on Educational Institutions
Since the mid-2000s, there has been an increasing trend of cyber attacks against post-secondary institutions. According to Educause, “551 data breaches occurred at U.S. universities between 2005 and 2013”. A study by the Identity Theft Resource Center underscores the increasing cyber threats to US colleges and universities. The open ecosystem established for the sake of the free flow of ideas and knowledge within the university also renders it more vulnerable to hackers. The latest Data Breach Investigations Report (DBIR) produced by Verizon provides crucial perspective on the threats different organizations are facing. While the report addresses a range of industries from Financial Services to Manufacturing, the data highlights the lurking danger for educational institutions.
Protect the Student to protect the Institution
Open academic environments are highly vulnerable to both physical and digital security breaches. It takes a security apparatus, even at the cost of personal privacy, to ensure personal and institutional safety. We have long signed off our right not to be recorded by closed-circuit cameras as a trade-off for thriving within a safe space that is monitored 24/7. Just as students are required to follow “Active Shooter Protocols” to protect themselves in case of an existential threat by an external agent, it is not unreasonable to ask the same students to take the extra step of installing password protection software to protect themselves and their private information.
Unlike bodily harm, a malware attack or a data breach on a student’s personal computer could easily be the ideal channel to break into the larger institutional database, which has a lot more to lose. There is no skin off Harvard’s back if a student who chooses not to lock his/her bike loses it. However, a network breach through a personal account is likely to have larger ramifications.
Attack Patterns & Threat Actors
According to the Verizon report, Web Application Attacks are among the top three attack patterns within educational institutions. Currently, almost all of HKS students’ digital interactions are performed through web applications, and the data is stored in the cloud. It has been shown that users tend to gravitate to similar usernames and passwords to cope with the ever-increasing demands for authentication, thereby rendering themselves more vulnerable to data breaches. While LastPass is not perfect, it certainly offers a robust perimeter of digital defense with two-factor authentication.
When it comes to Educational Services, threat actors are equally split between external and internal parties. In other words, a good share of potential hackers may very well be the insiders - an integral part of the educational community we are trying to protect.
What if LastPass gets hacked?
Perhaps it was a coincidence, but LastPass was hacked in July 2015, the same summer Harvard was hacked. The goal was to breach the password vault. But even LastPass cannot open its own vault without the user’s master password. As the saying goes, there is no such thing as perfect security. But if the simple installation of a user-friendly password manager can dramatically decrease the threat level for personal computing and institutional networks, it is trouble worth going through to protect our data, privacy, and free exchange of ideas.
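To make two points above concrete, the password-reuse problem and the claim that a stolen vault is useless without the master password, here is an added example in Python that is not LastPass’s code. It assumes the general architecture of such managers (a slow, email-salted PBKDF2 on the device, a separate one-way login hash for the server, and an authenticated ciphertext as the only thing stored remotely); the HMAC-counter cipher is a standard-library stand-in for AES and the iteration count is illustrative.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

ITERATIONS = 100_000  # assumption: illustrative work factor, not the vendor's real setting

def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: slow, email-salted KDF. The key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way round yields the login credential the server stores;
    it authenticates the user but cannot be reversed into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)

def _subkey(vault_key: bytes, label: bytes) -> bytes:
    return hmac.new(vault_key, label, "sha256").digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a standard-library stand-in for AES, not LastPass's cipher.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """What the server receives: nonce, ciphertext and integrity tag, never the key."""
    nonce = os.urandom(16)
    pt = json.dumps(entries, sort_keys=True).encode()
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}

def decrypt_vault(vault_key: bytes, blob: dict):
    """Entries on success; None when the key is wrong or the blob was tampered with."""
    mac = hmac.new(_subkey(vault_key, b"mac"), blob["nonce"] + blob["ciphertext"], "sha256")
    if not hmac.compare_digest(mac.digest(), blob["tag"]):
        return None
    ks = _keystream(_subkey(vault_key, b"enc"), blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(a ^ b for a, b in zip(blob["ciphertext"], ks)))

def generate_site_password(length: int = 20) -> str:
    """A fresh random password per site, so one breached site cannot unlock the others."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

An attacker holding the server's copy has only the auth hash and the blob; the test below checks that a wrong master password or a tampered blob yields nothing.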
References:
2019 Data Breach Investigations Report / Verizon
2015 Harvard Security Breach / TechCrunch
The Lucrative Rewards of Hacking Higher Education / UpGuard, https://www.upguard.com/blog/the-lucrative-rewards-of-hacking-higher-education
What Cyberthreats do Higher Education Institutions Face? / Forbes
LastPass Security Notice (June 2015) / LastPass, https://blog.lastpass.com/2015/06/lastpass-security-notice.html