We are now well into the fall semester, and the past month has been busy with the influx of students and faculty returning to campus. I want to commend all of you for your hard work and dedication in ensuring a smooth start to the new school year. The beginning of the semester is a critical time for us, as thousands of new devices connect to the network and we need to be extra vigilant.
In this month’s newsletter, you’ll find updates on some of our major projects, and we will look at chapter three of The Human Side of Postmortems.
Cognitive Biases
Most of us like to see ourselves as rational, analytical thinkers. Years of behavioral science have taught us that human brains actually have two modes of thinking: System 1 thinking is fast, and leaps to conclusions based on years of experience and pattern recognition. System 2 thinking is slower, not automatic, and requires more effort. System 1 is more energy efficient, so the brain tends to rely on it more frequently. Another thing we know is that the more stress you are under, the more you will rely on System 1.
System 1 thinking can be very useful. However, it is also subject to being misled by any number of cognitive biases. These biases are typically ways that our brains systematically deviate from thinking or decision-making that would be considered purely “rational”. They are hard-wired into our brains—we have to deliberately choose System 2 thinking in order to avoid these mental blind spots. Here are a few that are very common in our day-to-day work:
Confirmation bias refers to our tendency to seek out and favor information that confirms our existing beliefs or assumptions. In IT, confirmation bias can lead us to miss potential problems or overlook simpler solutions because we focus on proving our initial hypothesis rather than thoroughly investigating other possibilities. Being aware of confirmation bias can help us be more objective when troubleshooting issues or evaluating new technologies.
Hindsight bias causes us to see past events as more predictable than they really were at the time they occurred. In IT, hindsight bias may tempt us to think that a failure or security breach that has happened was preventable or obvious. However, we have to remember that decisions in the moment are made with imperfect information. Rather than dwelling on what we "should have known," we can focus our energy on learning from the past to improve future outcomes.
Escalation of commitment (aka, sunk cost fallacy) describes our tendency to continue investing time, money, or other resources into something simply because we've already put significant resources into it. In IT projects, it's important to evaluate projects based on future potential rather than past expenditures. If a product or technology is no longer worth sustaining, we shouldn't let prior effort or investment prevent us from making a change. It's better to cut our losses and redirect those resources to more promising solutions.
Of course, now that you know about these three, make sure not to fall into the GI Joe fallacy! If you want to read more about the fascinating world of cognitive biases, check out Wikipedia’s List of Cognitive Biases. It’s so long that the various biases are grouped into sections by category. Reading through it really highlights how common they are in day-to-day life, and how deeply they are part of the human brain.
Update on the Annual Risk Assessment Process
The IT Risk, Policy & Compliance team makes slight updates to our annual risk assessment process each year. This year, a significant change was made to reduce the workload on IT custodians. IT resources that were assessed last year are not in scope this year unless they have experienced a significant change (e.g., a major OS or application upgrade, a change in authentication model, a change in custodianship, etc.). All the devices that are skipped over this year will be assessed during the 2024 cycle, so that all resources will be assessed at least once every other year. If you have any questions, reach out to ra@tamu.edu for more information.
Wins & Successes
- Security Operations coordinated with IT Enterprise Operations to reduce the number of servers in production that lacked EDR (CrowdStrike) from 824 to 265 in a 30-day window. This resulted in a total reduction of over 67%. Efforts to identify and remediate servers without EDR continue.
- During operations with a client, the Systems & Application Security team discovered a network behind a NAT firewall that was not being scanned. Working with the local IT pros, they deployed agents on all systems behind the NAT and added 180 agents to cover an area that previously had zero visibility.
- The Identity Security team has been auditing Duo user objects, and removed nearly 50,000 stale accounts with no active affiliation from Duo. This will enable a significant license savings when Duo switches license modeling.
Security by the Numbers
Just in the last month:
- 929M malicious websites blocked; 99% of all network connections from internet blocked at firewall
- 53B cyber attacks and malware blocked
- 66k computers monitored; 4.9B endpoint processes
- 232 petabytes of network data scanned
- 114.8M mail messages scanned for spam, phishing, viruses; 58.9M messages blocked at gateway
- 7,501 public data shares detected and investigated
- 294k active NetIDs (183k with Duo enabled)
- 3.2M Duo auth events
- 186k devices tracked in the IT asset management system
Major Project Updates
Wrapping Up & Reminders
This October is the 20th Cybersecurity Awareness Month, emphasizing the importance of cybersecurity across all industries and domains. I'm proud of the work our team does year-round to protect the university's systems and data; your expertise and diligence do not go unnoticed. It is through your daily actions that we continue to cultivate a culture of cyber awareness and resilience.
Please keep up the great work—and don't forget to share any cybersecurity tips and advice with your colleagues, friends and family this month! I encourage you to share your thoughts and suggestions with me at any time, and you are always welcome to schedule a meeting with me.
Adam Mikeal
Associate Vice President and Chief Information Security Officer