IT Security in higher education – spotting the attacker

It’s already a given that spotting an attacker is difficult in IT Security – they use compromised credentials to access any and all data available to that account. This means that the attacker is simply accessing whatever data the user was already given access to. So, how are you supposed to spot inappropriate access when it’s already been defined as appropriate?


It’s even more difficult when in an education setting. Universities are struggling to find a balance between academic openness and the need for computer security across their networks. IT Security solutions that perform user behavior analytics – the watching and analyzing of everything a user does in order to identify when they’re actions are “abnormal” – are less effective with student accounts, because a student’s “typical” behavior (online access, printing, data access, etc.) changes with each class and each assignment.

So, how are you supposed to know who’s bad and who’s good?


First, let’s breakdown who we’re looking for when trying to identify a threat actor. Individuals involved in a threat action typically fall into one of three categories:

Malicious users – These are your insiders that have shifted their loyalty from the education institution to themselves and are engaged in some kind of inappropriate activity (such as hacking, data theft, etc.) that benefits themselves over the organization.
Negligent Users – These are your unwitting participants in phishing and social engineering scams. They take the bait and help to infect endpoints with malware that maybe the attack (as in the case of ransomware) or simply provide a foothold for further actions by criminal online organizations.
External Attacker – Today, this is likely more a member of an organization than a loner. These individuals leverage hacking, social, malware, and many other toolsets to create a way into your network. Once inside, they work to take on one or more sets of elevated credentials to provide them with greater access and an ability to move about the network in an attempt to identify valuable data.

Of the three, it’s the malicious user and the external attacker that can be classified as threat actors (the negligent user certainly warrants monitoring so you can identify where the weakest points in your IT security – your users – are, but it’s not the focus of this article).

When you boil it down, the only way to really tell if someone is a malicious insider or an intent external threat actor is by allowing them to perform actions (such as launching applications, authenticating to systems, accessing data, etc.) and determine whether the actions are inappropriate.

But given the majority of your user population doesn’t act the same way in the next class – let alone the next week or month – it makes more sense to spot the threat actor by looking at leading indicators of threat activity, rather than waiting for the threat activity itself.

One of the most accurate leading indicators is one no malicious insider or external threat actor can get around – the logon.


By monitoring logon activity, it becomes a simple task to see if the usage of a given user account is appropriate or not.

In the context of a logon, students, staff, and faculty all show consistency – the logging on, generally, between open school hours in the case of students, and relative consistency around staff and faculty access.

The leveraging of Logon Management solutions provides education organizations with not only the ability to monitor logons and identify suspicious logon activity, but to also craft logon policies to limit the scope of account use, as well as to shut down access based on inappropriate logon behavior, lowering risk and improving security in an education setting.

On a Windows Active Directory network, this is achieved with the IT security solution UserLock.