When it comes to cybersecurity, higher education has vastly different needs than other types of organizations. From a physical point of view, campuses are comprised of public spaces (areas where literally anyone can go), semi-public spaces (classrooms and faculty offices), and secured areas. At the network layer, the network surface is vast, encompassing everything from student housing to administrative offices to learning labs. Each of these environments is rife with a heterogeneous mix of unmanaged and untrusted devices. From a regulatory point of view, it’s diverse, potentially including PCI (where payments are accepted—like bookstores, cafeteria, cashier, donations/foundation, parking), HIPAA (infirmary, health centers), FERPA (registrar, administration), and numerous other state, local, and federal requirements.

All of this would be challenging enough given the complexity and number of moving parts, but add to it the fact that institutions don’t usually have armies of dedicated cybersecurity staff (in some cases, no dedicated staff at all) and challenges are compounded. Along with staffing challenges, there are also the ever-present issues associated with obtaining budget for tools and getting time from already-overloaded technical resources. Looked at through this lens, you start to see why higher education can be uniquely challenging when it comes to keeping the campus appropriately secured.

One thing that can help? Open source. Open source options are particularly compelling in a higher education context for a few different reasons. First, they’re free, so they don’t require jumping through budgetary hoops when we have a pressing need for tools. Second, there’s often a cultural fit. Since many institutions have a history of using open source, there may be open source expertise on hand already; this helps to remove one of the more significant adoption barriers in many enterprises.

With this in mind, I’ve listed out the most useful (in my opinion) open source tools that institutions can pick up and use with minimal ado. It goes without saying of course that these aren’t the only tools out there. There are, in fact hundreds—if not thousands—of great tools that I haven’t mentioned. Some I’m not mentioning here because they require specialized expertise to use effectively, they’re not generically applicable to higher ed, or there just wasn’t space within this article to do them justice. For example, a tool like the Metasploit Framework, while arguably one of the most useful security tools out there, requires a degree of technical expertise to use well. An institution without dedicated security staff or minimal IT staff might not be equipped to use it effectively. As I’ve listed out each tool, I’ve included brief rationale outlining how an institution might employ and derive benefit to solve particular challenges. 

1.  Security Onion

The first tool on the list is an open source Linux distribution that targets security monitoring. It comes with a host of built-in tools (e.g., Snort, Suricata) designed to help you monitor your environment for security-relevant activity at multiple levels of the stack. One of the advantages that using the distribution has, over just installing and using the underlying toolset directly, is that Security Onion includes a helpful setup wizard. Even if the organization doesn’t have an army of security operations staff, the tool allows you to still stand up a full-featured monitoring solution in relatively little time. Also, because campus environments can be both wide and malleable (for example as learning-oriented environments might be set up for a particular purpose), using this tool has the advantage of a “drop-in,” short-term monitoring solution for a transient environment without incurring additional hardware or licensing costs.

2. Cuckoo Sandbox

One of the unique things about higher ed is that there’s a large percentage of students who, well let’s just say have a love for hijinks. Therefore, suspicious files—many of which may not match a known malware signature—may arise and require further investigation. Sometimes IT departments may just need to answer the question “Is this thing malware or not?” One of the easiest ways to do that is to run it in a sandbox and see if it causes adverse effects. The Cuckoo Sandbox helps do exactly that. It provides a sandbox environment where you can open a suspicious looking file to see what it does: files it opens, network connections it makes, resources it allocates. Really squeezing the most value out of the tool will of course require technical acumen that smaller institutions may not have at their disposal. However, using this tool just to examine whether a given program is malware or not is quick and relatively straightforward.

3. Docker

Yes, I’m including Docker in the security tools list even though it is not a tool primarily focused on security alone. I’m including it because of the potential security benefit that can arise through using it. The Docker Community Edition (Docker CE) is a tool that allows users to create “containers”—lightweight, portable modules within which applications can run. Just like with OS virtualization, multiple applications living in different containers can be running next to each other on the same container engine runtime. How is this useful for security practitioners? A few ways. Aside from being a way to help better manage application deployment (always a good thing and valuable from a security point of view), it also can help make accessible other security tools that might have been overly complex to install and get running without it (in fact, you’ll see an example of this next). There’s not enough space in a short article like this one for a full background on how to use Docker to get maximum value in your shop but, suffice it to say that it’s a tool worth getting to know.

4. OpenVAS

In the past, I’ve hesitated in suggesting to educational institutions the OpenVAS open source vulnerability scanner. Why? Not because it’s not a great tool. To the contrary, it’s been one of my go-to options since it forked from Nessus back in the day. It’s because, historically, installing it and getting into an operational state can be complicated. Nowadays though, because of containerization environments like Docker (see the prior item), you can stand up a fully functional instance (or nearly so) with just one command. For those organizations that need to bolster their vulnerability assessment capability in a pinch (and who doesn’t?), using OpenVAS—particularly pre-packaged containers—is well within the reach of even those organizations with limited technical staff.

5. NIPAP

What do campuses have a lot of? IP address space. Keeping track of what IPs are associated with what URLs in DNS, what ranges are assigned to what pools in DHCP, what static addresses are assigned to what devices, and so on can be a logistical nightmare when you’re talking about a network landscape as complex, large, and fluid as a typical campus. Keeping track of this is important for security as well as (of course) for technical management and operations purposes. Relatively simple to deploy and use, the open source IP address management tool NIPAP (Neat IP Address Planner) can help bring order to the chaos by helping you keep track of what’s assigned where, can help with subnetting, and otherwise help replace the complicated Excel spreadsheets in use now in absence of a planning tool for this purpose.