The Varsity Blues scandal – where rich parents paid an intermediary to get their kids into top colleges by paying off coaches to pass them off as athletic recruits (among other things) – exposed multiple operational security failures within collegiate athletic programs. Corporations have similar issues with people bypassing standard processes with good intent. By examining this case, we can find ways to improve our supply chain security and review processes.

Credit: Cole Keiste

There is tremendous pressure on successful parents to get their kids into top colleges. Graduation from a top school doesn't just bring the prestige of its diploma; it also brings the connections and job opportunities that come from the college experience at those institutions. For instance, graduates are far more likely to work for prestigious companies that only recruit at select schools, and they get the chance to effectively start their careers on third base.

With this comes a market: parents who want their children to succeed, whose children do not have the grades, athletics or extracurricular activities that mark someone as exceptional, and who are willing to pay for it.

The Varsity Blues scandal, which has been all over the news cycles and clickbait-y sensationalist ads lately, is an example of what this kind of pressure will lead some people to do. Parents paid William Rick Singer large amounts of money to get their children into top colleges by bypassing the standard admission processes. He did so in two ways: by paying people either to take tests for these kids or to let them take the tests with assistance, and by paying college coaches to designate these kids as prospective athletes, who are subject to less stringent admission processes. This allowed children who were otherwise unqualified to get a top-tier education and the commensurate opportunities.

How did Varsity Blues work?

This process took advantage of two very important aspects of the higher ed ecosystem.
First, college coaches outside of football and basketball don't make much money. According to Christian Fisher, in his Houston Chronicle article "How much money do college coaches make?," in 2012 the median salary for a collegiate rowing coach – one of the sports targeted by Singer – was $58,250. Women's gymnastics coaches earned a median salary of $73,679. Outside of Division I football and basketball, collegiate coaches don't earn all that much. When someone is offered several times their salary to do something shady, there's a high chance they'll accept it. That's what happened to John Vandemoer, former sailing coach at Stanford, who accepted $270,000 in bribes to designate two students as recruits.

Second, there's not much scrutiny of the smaller sports, such as rowing, soccer or water polo. These are sports that often lose money for their universities and are supported by larger, more profitable programs like football and basketball. There's often less scrutiny of these programs simply because they don't get the same level of media attention and have lower expenditures.

What did it expose?

This scandal exposes two areas of operational security that we need to be aware of. The first is the need to evaluate all recruits to a program with the same level of scrutiny. Due to a number of scandals and criminal prosecutions – especially involving college boosters, former coaches and companies connected with Division I men's basketball – the level of scrutiny on college basketball recruits is very high. This should be the same across the board for all recruits and programs. The relaxed scrutiny allowed coaches to submit their own recruits and call them legitimate without being questioned.

Second, there needs to be follow-up on financial disclosures. While coaches now undergo significant background checks for personal conduct, there needs to be the same for financial disclosures, much like public employees.
After all, Aldrich Ames, for all his attempts at covering up, was undone by the appearance of $5,000 to $9,000 in his bank accounts after his sanctioned meetings with a Soviet arms control specialist. This is according to the Washington Post's January 26, 2018 article, "Rick is a goddamn Russian spy: Does the CIA have a new Aldrich Ames on its hands?"

How does this apply to information security?

This applies to infosec in two ways. First, through supply chain security. Second, through increased background checks, reviews and financial disclosures. Both have been exploited, and security has decreased because of it.

There are often two paths in large corporations when it comes to onboarding new devices and services. There's the standard path that everyone is supposed to take, and there's the path that many others actually take, often using cost centers or programs where there's no direct oversight from the main corporate entity. This allows representatives of companies to purchase products or services without the oversight or scrutiny of teams such as enterprise architecture, information security or finance. This bypassing of controls allows insecure products or services to be placed directly on the network, often with the blessing of senior executives and little accountability.

What complicates matters is that the security, enterprise architecture and legal teams that need to review these systems and address concerns are overwhelmed, and spend more time tracking down information than assessing risk. The contracting process relies on a lot of manual entry of unstructured data into systems to be effective, and many ERP system implementations leave a lot to be desired. Plus, there are the breaks from workflow that accompany these requests, and the commensurate bypasses of systems of record that result from them.
What can we do better?

If there's an argument to be made for standardization at the contract level, with no exceptions, this is it.

One of the major security challenges that I've seen is items that don't follow a good intake process. There needs to be C-suite support for one intake process that everyone follows. This should be backed up by an immutable system of record that has enforceable and validated workflows, as opposed to ones that can be easily bypassed.

Electronic Data Interchange is evolving to include smart contract-driven workflows that trigger events and can be validated and verified. Contracts need to move toward enforced workflows and cryptographic verification and validation, including corresponding strong identity management and dispute handling. They need to be searchable and in a standard structured format.

The Varsity Blues scandal shows us how easily falsified data can be entered into systems of record. We need to stop that, enforce good workflows that don't easily allow bypasses, and mitigate risk by keeping everything structured, verified and searchable so that security teams, enterprise architects and lawyers can do their jobs better.

Background checks and reviews allow us to verify and validate, with a reasonable degree of accuracy, that someone continues to be reliable. We put a lot of people in positions where they have power, and don't continue to verify and validate the appropriateness of their access, their business need for it, or whether or not they present additional risk to the organization. It's not just about filling out a form and sending it off to see whether or not they have unpaid parking tickets. It's about providing continual assurance that someone is performing appropriately and does not present additional risks.
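As an added illustration (not code from the article or from any product it mentions), here is a small Python model of an intake system of record with the properties the preceding paragraphs call for: required structured fields, a review workflow that cannot be skipped on the way to approval, and an HMAC-chained append-only log that exposes after-the-fact edits to history. The workflow states, field names and ledger key are assumptions made for the demo.

```python
import hashlib
import hmac
import json

# Constructed workflow: every intake passes these reviews in order; no step may be skipped.
WORKFLOW = ["submitted", "security_review", "architecture_review", "legal_review", "approved"]
# Structured fields every intake must carry, so reviewers search records instead of chasing them.
REQUIRED_FIELDS = ("vendor", "product", "cost_center", "requester", "data_classification")
LEDGER_KEY = b"constructed-demo-key"  # hypothetical; a real deployment keeps this in an HSM/KMS
GENESIS = "0" * 64


class IntakeLedger:
    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.state: dict[str, str] = {}  # request id -> current workflow state

    def _append(self, record: dict) -> None:
        # Each entry's MAC covers the previous MAC, so editing or deleting history breaks the chain.
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        mac = hmac.new(LEDGER_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        self.entries.append({"prev": prev, "body": record, "mac": mac})

    def submit(self, req_id: str, fields: dict) -> None:
        missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
        if missing or req_id in self.state:
            raise ValueError(f"rejected intake {req_id}: missing fields {missing}")
        self.state[req_id] = "submitted"
        self._append({"id": req_id, "state": "submitted", "fields": fields})

    def advance(self, req_id: str, new_state: str, reviewer: str) -> None:
        # Enforce the workflow: only the next review step is allowed, never a jump to approval.
        current = self.state.get(req_id)
        if current is None or new_state not in WORKFLOW or WORKFLOW.index(new_state) != WORKFLOW.index(current) + 1:
            raise PermissionError(f"bypass attempt on {req_id}: {current} -> {new_state} by {reviewer}")
        self.state[req_id] = new_state
        self._append({"id": req_id, "state": new_state, "by": reviewer})

    def verify(self) -> bool:
        # Recompute the chain from genesis; any altered, removed or reordered entry returns False.
        prev = GENESIS
        for entry in self.entries:
            body = json.dumps(entry["body"], sort_keys=True)
            expected = hmac.new(LEDGER_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
                return False
            prev = entry["mac"]
        return True
```

The same pattern extends to re-validation of access: a periodic review step that must be recorded in the chain before access is renewed leaves a searchable, tamper-evident trail of who approved what and when.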
The simple acts of verifying and validating recruits, making sure that the coaches continually presented credible ones, checking their financial disclosure forms and re-verifying them could have significantly mitigated these risks.

What the Varsity Blues scandal and its infosec parallels have in common are good intentions at their cores. Parents want the best for their children and were willing to break the law and bypass others to do so. People within companies will often look for ways to bypass process if they have a sense of urgency to address issues. However, these good intentions do not make up for both the increased risks and the impact of their actions.

Information security has many parallels to current events. The Varsity Blues scandal provides a window through which we can see how to improve operational security through better supply chain security and continual review and validation of team members.

Good security is not buying the latest tools, using the latest cool technologies or looking good. People, processes and technologies should be deployed, in that order, to provide continual risk mitigation, deal with exceptions and provide verifiable solutions.