Call for bids unrelated to a particular breach, university claims
Seeking professional services to assess its cybersecurity risks, Concordia University put out a call for bids on July 28 through the publicly accessible Système électronique d’appel d’offres du Québec (SEAO). Companies had until August 28 to send in their bids.
In an email to The Concordian, director of public relations and university spokesperson Mary-Jo Barr claimed the “cybersecurity risk assessment is done as a proactive measure.” She added that the university is “simply managing the information security risk that all institutions and companies are facing nowadays.” According to Barr, the assessment is “part of [Concordia’s] ongoing investment in IT security.”
The objective of the project, the call for bids explains, is to evaluate the cybersecurity risks of all faculties and departments at Concordia University. The IITS director of infrastructure and operations, Mike Babin, was not available for comment.
The scope of the project covers the administration, teaching, research centres, applications, data and infrastructures, along with the support of the latter.
In an interview with The Concordian, Benjamin Fung, a McGill University professor and Canada Research Chair in Data Mining for Cybersecurity, explained that universities run different information systems for different purposes, such as a finance system, a payroll system or a system to manage research grants. The role of an IT department, or in Concordia University’s case, IITS, is to “integrate its systems together into one big system in order to support its day-to-day operations.”
“Every system has its own vulnerabilities,” Fung said. “The most difficult part is that different combinations of these systems may create different combinations of vulnerabilities, and this is unavoidable.”
The call for bids lists three deliverables to be provided in the form of reports.
The first is an assessment of Concordia’s maturity in terms of cybersecurity — the people, processes and tools at its disposal — and cybersecurity risks. The second deliverable will require the bid winner to “define the target location in terms of cybersecurity model and architecture,” according to Barr.
The last deliverable will prioritize improvement opportunities and develop a three-to-five-year plan, including “the estimated budget and the level of effort necessary.” The document indicates the bidder will have to present its reports to Concordia’s senior management.
According to the call for bids, the winning company’s evaluation must also include interviews with the central IT department, the IT departments of all four faculties (arts and science, engineering and computer science, fine arts and the John Molson School of Business), the libraries’ IT department and at least 12 of the university’s 24 research centres.
Fung said there are multiple ways outside firms can assess a cybersecurity apparatus. One of them consists of having white-hat hackers — also known as ethical hackers — intentionally break into the system to assess the risks. “They are not bad guys,” Fung explained. “They are trying to hack into the system, and then they will inform [the institution] of the vulnerability in the system.”
Another technique, according to the McGill professor, is to hire a network monitoring company to spot suspicious network traffic and inform the university. In April 2017, a job posting for a position called “network security analyst” appeared on Concordia’s website. According to the job post, the employee would report to the manager of IITS’s network services and be responsible for ensuring “that network services are available on a 24/7 basis with minimal interruptions which may be caused by physical or virtual threats.”
Cyberattacks at Concordia
In less than two years, Concordia has been the victim of two cybersecurity breaches. In March 2016, keyloggers — devices that capture and store every keystroke typed on a machine, including passwords — were found on computers in the Vanier and Webster libraries. In a story published on the university’s website at the time, the school indicated it was “taking proactive measures to increase security where public computer workstations are located.”
In April 2017, the university’s online course system, eConcordia, was hacked. In an email to users, the eConcordia management team wrote that “there may have been unauthorized access to the eConcordia/KnowledgeOne information system.”
In May 2017, about a month after the eConcordia incident, 120 computers at the Université de Montréal were also infected, in this case by the WannaCry ransomware, which encrypted user files. According to the technology magazine Wired, WannaCry creates “encrypted copies of specific file types before deleting the original, leaving the victims with the encrypted copies which can’t be accessed without a decryption key.”
In an email to The Concordian, Barr said the call for tenders was not related to a specific issue.
One of the ways to minimize the chances of being cyber-attacked, Fung said, is to educate university staff and faculty. “Basically, tell them not to click on some [strange] emails and attachments,” he said. “The most vulnerable attack channel is always humans.”