DPI662: Improving HKS Cybersecurity with LastPass
You have asked me to investigate how HKS can improve its cybersecurity. Identifying all possible threats to HKS’ digital assets is an ongoing process of threat modelling. However, as a first step, I recommend that we push as many students and staff as possible to take advantage of the free LastPass Premium service offered by Harvard Information Security.
I make this recommendation because HKS is particularly vulnerable to the risks associated with credential re-use. First, many of our students use their HKS email address for other services, particularly those that provide student memberships or discounts and require a .edu address. Secondly, according to the Digital Citizens Alliance, 87 percent of people aged 18 to 30 re-use their passwords. This suggests that many of our students, and likely many of our staff, are using their HKS credentials across multiple accounts. In the likely event of a data breach at another organisation holding those credentials, cyber criminals will obtain leaked HKS credentials that give them access to our digital assets.
Higher education institutions like HKS have assets that are likely to draw the interest of threat actors. Our servers are rich sources of intellectual property, such as research produced by the Harvard community, as well as personal information, such as the internal directories stored on KNET, both of which are high-value targets for cyber criminals. For example, the FBI’s Internet Crime Complaint Center has warned of criminals using professors’ personal information to file fraudulent income tax returns. Furthermore, access to the email accounts of our students and staff would give cyber criminals access to sensitive information such as medical records, financial information, social media accounts, confidential communiqués and travel plans.
While some threat actors target higher education institutions for their high-value information, other threat actors target them because of the low barrier to entry created by the credential re-use mentioned earlier. A report released in March 2017 found that almost 14 million email addresses and passwords belonging to faculty, staff, students and alumni of the 300 largest higher education institutions in the U.S. were available for purchase by cyber criminals on Dark Web sites. Of those email addresses, 80,100 belonged to Harvard University students and staff.
As HKS Professor Bruce Schneier said, “any password that can be easily remembered is vulnerable to a dictionary attack”. However, the cognitive load of remembering a different password for each login means that many of our staff and students are likely using the same password across multiple accounts, thereby increasing our exposure to security breaches. A password manager like LastPass lets students and staff generate secure, unique passwords that would take a computer millions of years to crack, while requiring them to remember only one master password.
The main benefit of using a password manager is that it allows students to use longer, unique and more complex passwords. Therefore, it is not enough to encourage staff and students to use LastPass merely to transfer their existing passwords into the LastPass “vault”. Rather, at the time of installing LastPass, they should also be encouraged to generate new, complex passwords (a built-in feature of LastPass) to replace any that were overly simple, reused across other accounts, or easily guessed.
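To put numbers behind the two claims above (a memorable password falls to a dictionary attack; a generated one is out of reach of brute force), here is a small entropy and crack-time estimator. It is an added illustration written for this memo, not LastPass code, and it goes slightly beyond the text by modelling both a brute-force search and a dictionary search. The guess rate of 10 billion guesses per second is an assumed round figure, not a measurement of any real attacker.

```python
import math
import secrets
import string
from typing import List

# Assumed attacker capability for the estimate (a constructed round number,
# not a benchmark): 1e10 guesses per second against a stolen password hash.
GUESSES_PER_SECOND = 1e10

# Character classes used to estimate the brute-force search space.
_CLASSES: List[str] = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
]


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given which classes appear."""
    size = 0
    for cls in _CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits, treating every character as uniformly random.

    This is the *best case* for the password: it overstates the strength of
    anything built from words, names or keyboard patterns.
    """
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def dictionary_entropy_bits(words: int, dictionary_size: int, suffix_digits: int = 0) -> float:
    """Entropy of a password an attacker can model as dictionary words plus digits.

    A dictionary attack does not search characters; it searches words, so a
    single common word with one trailing digit is only ~log2(dictionary) + ~3 bits.
    """
    return words * math.log2(dictionary_size) + suffix_digits * math.log2(10)


def years_to_search(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the password (on average half the space is searched)."""
    return (2 ** bits / 2) / rate / (365 * 24 * 3600)


def generate_password(length: int = 20) -> str:
    """Generate a password from a CSPRNG, as a password manager's generator does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed comparison: a memorable "word + digit" password versus a generated one.
    memorable_bits = dictionary_entropy_bits(words=1, dictionary_size=100_000, suffix_digits=1)
    generated = generate_password(20)
    print(f"'word+digit' modelled as dictionary search: {memorable_bits:.1f} bits, "
          f"~{years_to_search(memorable_bits) * 365 * 24 * 3600:.4f} seconds")
    print(f"generated {generated!r}: {entropy_bits(generated):.1f} bits, "
          f"~{years_to_search(entropy_bits(generated)):.2e} years")
```

The dictionary model is the one that matters for human-chosen passwords: a common word with a digit appended is found in a fraction of a second, whereas a 20-character generated password sits well beyond the "millions of years" the memo quotes even at the assumed rate. The point for users is that the manager removes the need to pick a memorable password at all.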
LastPass and other password managers are not without their vulnerabilities, and that is why I am not recommending that we make this mandatory. Staff and students may wish to do their own research as to which password manager they feel is most secure. Furthermore, LastPass and other password managers do not provide universal protection. For example, they do not protect against vulnerable password-reset features such as easily guessed security questions. However, of the alternative ways in which students and staff are likely to manage their many passwords (e.g. using the same password everywhere, using simple passwords that are easily recalled, or writing their passwords down), using a password manager is certainly the most secure.
We should consider what sort of tools we can use and incentives we can offer to make the use of LastPass as attractive as possible. For example, we could use prompts at login to advertise the related benefits of using a password manager, such as protection against phishing by fake websites (since LastPass only offers to fill credentials when the site’s URL matches the one stored with them), or allowing students and staff to share passwords securely with others rather than texting or emailing a password.
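The anti-phishing benefit mentioned above comes from a simple rule: credentials are only offered on the site they were saved for, so a look-alike address gets nothing to fill. The following is an added, deliberately simplified model of that rule written for this memo; it is not LastPass’s matching logic, and the vault contents and hostnames are constructed examples.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample vault: the site key recorded when the credential was saved,
# mapped to the username it belongs to. (Illustrative data, not a real account.)
VAULT: Dict[str, str] = {
    "https://login.example.edu": "student@example.edu",
}


def site_key(url: str) -> Optional[str]:
    """Reduce a page URL to the scheme and host used for matching.

    Returns None for anything that is not HTTPS or has no usable host, so a
    downgraded or malformed page can never be offered a credential.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # urlsplit already strips userinfo ("user@") and the port from .hostname,
    # which defeats "https://login.example.edu@attacker.test/" style tricks.
    return f"{parts.scheme}://{parts.hostname.lower()}"


def credential_for(url: str) -> Optional[str]:
    """Offer the stored username only when the page host matches the saved host exactly.

    Exact matching is the property that matters: a phishing page on a different
    host, however similar it looks to a person, is simply a different key.
    """
    key = site_key(url)
    if key is None:
        return None
    return VAULT.get(key)


if __name__ == "__main__":
    # Constructed probes: the genuine login page and three look-alikes.
    for probe in (
        "https://login.example.edu/sso?next=/inbox",
        "https://login.example.edu.evil.test/sso",
        "https://login-example.edu/sso",
        "http://login.example.edu/sso",
    ):
        print(f"{probe:45} -> {credential_for(probe)}")
```

Someone who types their password by hand is relying on their eyes to spot the difference between `login.example.edu` and `login.example.edu.evil.test`; the manager compares strings instead, which is why the absence of an autofill prompt on a familiar-looking page is itself a useful warning sign to teach users about.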
Most security mechanisms involve a trade-off with usability and convenience. For example, we have experienced some backlash over the mandatory enforcement of two-factor authentication via Duo Mobile, since it adds an extra hurdle. However, the advantage of LastPass is that once the passwords are stored within the “vault”, usability and convenience for students and staff improve. We should therefore promote the time that LastPass saves, particularly when used through a browser extension.
There is no silver bullet to prevent security breaches due to weak passwords. However, with frequent reminders and ongoing monitoring, we can educate HKS students and staff on the importance of strong passwords and the benefits of a password manager.