University of Queensland uplifts its vulnerability management

The University of Queensland has upgraded its vulnerability management tooling as part of an ongoing security improvements program.

The university said it had selected cloud-based Tenable.io to “to see, predict and act to reduce cyber risk across its domestic campuses.”

Tenable.io is used to scan the university’s “complex environment made up of tens of thousands of personal devices, vendor partnerships and connections to remote teams and other institutions,” information technology services (ITS) deputy director Dr David Stockdale said in a statement.

Stockdale told iTnews that the depth and breadth of vulnerability management capabilities is newfound.

“We have been doing vulnerability management at the University of Queensland for quite a while but not quite as across the whole of the environment or to the depth as we would like,” he said.

“The [Tenable.io] product is about getting full visibility over the environment, understanding where the risks may lie, and making sure they meet our risk appetite statement, that they’re manageable and we feel comfortable about it. 

“Because of the large, complex nature of a university, we have some solutions that are in place that have a higher degree of risk than other organisations. You might have embedded devices in instruments, and those can be left vulnerable. 

“We’ve got to figure out where they are, how we manage them, and how we mitigate that risk.”

Stockdale said that prior to using Tenable.io the university scanned only portions of its environment deemed to be higher risk than others.

“We’re able to now scan the environment as opposed to just specific parts of the environment,” he said.

“In the past we would have assessed what’s the most likely [area] to be impacted and where the highest risks were and we’d scan that, because we couldn’t afford to invest in the people power to do everything. 

“Now we’re in a situation where we’re moving to be able to scan the whole environment and understand it and what the risks are.”

Stockdale said universities had moved away from places academics congregated to become a “major influence on the economy”, turning research into products and commercialising the products either via spin-out or with partners.

This raised the profile of universities generally, but it also made them a bigger target.

“There’s definitely an increase in research that translates into product at the end of it,” Stockdale said.

“Changing the profile of the university ... obviously attracts a different type of scrutiny - from governments about the importance of it, but also from people with nefarious motivations, whether it’s cyber crime or other types of things.”

This is perhaps reflected in the increased reporting of cyber attacks against Australian universities over the past year-and-a-half, though Stockdale noted the University of Queensland had not changed the way it dealt with threats in the short-term in response to these incidents.

“I think we’re very fortunate at the University of Queensland that we’ve had a very strong leadership direction to improve our security posture over the last number of years, and we’ve made significant investments in that,” he said.

“With the work we’ve been doing, we’ve been well set up for what’s emerged in recent weeks and months. 

“Having said that, there’s never any guarantees and I wouldn’t want to tempt fate. But equally so I think we’ve been very proactive in working to improve our security posture over the last few years and we’re very committed to that.

“I think that’s served us well where we haven’t had to change our course in any way just recently.”