AI is becoming ubiquitous in the higher education space, and with increased usage comes increased risks. For example, shadow AI usage–or the use of AI tools that have not been vetted or approved by the institution–poses unique challenges for college and university security offices. In a 2025 EDUCAUSE survey of staff and faculty at higher education institutions, 42% of respondents indicated that their institution did not have any AI-related acceptable use policies at the time of the survey. Without clear policies on which AI tools to use and how to use them, the risks of shadow AI and data mismanagement increase. While AI can be a great tool for students, faculty, and staff, it is imperative that campus security offices collaborate with their administration to implement policies that promote the safe and secure use of these tools.

For guidance on creating or refining campus AI acceptable use policies, we reached out to Maggie Abate to get her thoughts on creating campus-focused, research-informed AI acceptable use policies. Maggie is a Data Engineer and Research Liaison, bridging the important work happening at REN-ISAC and OmniSOC with the critical research efforts of Indiana University’s AI Lab in the Kelley School of Business Data Science and AI Lab (DSAIL). She is a self-described “avid AI-enthusiast” who works where cybersecurity meets AI. Maggie uses her expertise to empower members with access to innovative technologies, thereby enhancing their capabilities and driving progress. “In my free time,” Maggie told us, “You can find me vibe-coding an app like it’s a mixtape.” 

— 

(more…)

At a recent I-Light conference, OmniSOC led a session on tabletop exercises with member institutions. The session shared feedback from I-Light members for whom OmniSOC has facilitated these exercises and demonstrated how they help identify vulnerabilities. Members said these exercises provide real value by helping their organizations prepare for incident reporting and offering clear guidance on what to do during an attack. This work reflects close collaboration among OmniSOC, REN-ISAC, and I-Light. Together, we support a safer and more resilient cybersecurity community across Indiana higher education.

About I-Light
I-Light is Indiana’s high-speed, fiber-optic research and education network, enabling high-quality lives through high-quality connections. It connects more than 40 public universities and private colleges across 2,000+ miles of fiber, supported by a team with 160+ combined years of experience.

What Tabletop Exercises Are and Why They Matter

A tabletop exercise is a guided practice that walks your institution through a realistic cyber incident from alert to recovery. In a typical session, your institution will:

• Verify how alerts are detected and who is notified.
  
• Confirm roles, handoffs, and escalation points.
  
• Review incident reporting steps and timelines.
  
• Outline high-level containment and recovery actions.
  
• Coordinate internal and external communications.
  
• Capture concrete updates to policies, call trees, and playbooks.
  

Institutions leave with clarified roles, updated playbooks, and a prioritized list of fixes. Institutions make faster, more accurate decisions, meet reporting timelines with fewer errors, coordinate more effectively across technical and leadership teams, and recover with less disruption.

Are you looking to conduct tabletop exercises at your institution? Contact us.

Online Monday, November 17 – Saturday, November 22, 2025

This November, REN-ISAC and SANS are teaming up to bring you SEC511: Cybersecurity Engineering: Advanced Threat Detection and Monitoring. This online course uses hands-on labs and gamified challenges to provide real-world training experience in topics such as cloud monitoring, network detection and response, endpoint detection and response, security information and event management, and much more.

Participants can also gain the accompanying GIAC GMON certification to demonstrate their knowledge of defensible security architecture, network security monitoring, continuous diagnostics and mitigation, and continuous security monitoring. Register now to reserve your seat.

In July 2025, VirusTotal analysts uncovered a phishing campaign that relied on more than 500 malicious SVG files. Nearly fifty of the samples slipped past antivirus tools at the time of their first submission. The attachments looked like ordinary government portal icons. In reality, they carried code that redirected unsuspecting users to counterfeit login pages designed to steal credentials. While this campaign was broad in scope, its tactics could easily be adapted to imitate campus systems or research collaboration platforms.

What are weaponized SVGs?

SVGs are Scalable Vector Graphics. Unlike PNG or JPEG which are static raster images, an SVG is written in XML. That text-based format is powerful because it can describe images with precision and scale them without losing quality, but that same flexibility also allows attackers to add instructions inside the file. A weaponized SVG is simply an image file that does more than display a picture. Hidden within the code may be scripts, redirects, or even entire phishing pages.

How attackers are using them

Recent research has documented several methods now active in the wild. Some SVGs function as redirectors: the file looks like a harmless icon, but opening it quietly sends the user to a phishing page that copies an institutional login screen. Others contain entire phishing portals encoded in Base64. When a browser renders the file, the victim sees a fake sign-in page that feels legitimate. More advanced samples use embedded JavaScript to contact external servers and download secondary payloads such as remote access tools or ransomware loaders. To complicate detection, attackers bury these functions under layers of encoding and manipulate the Document Object Model so that scanners see only benign content.

Why higher education should be concerned

Higher education and research thrive on open collaboration. Faculty exchange diagrams with colleagues, staff send HR notices, and students share project files. Each of these exchanges is an opportunity for an attacker to disguise a malicious SVG as something routine. Once opened, the file may redirect a user to a counterfeit campus portal or initiate an infection chain. A single compromised account is not just a personal inconvenience; it can expose grant systems, research data, and even partner networks across institutions. The culture of trust and sharing that makes universities strong also makes them attractive targets.

(more…)

October is National Cybersecurity Awareness Month (NCSAM)! Co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA), NCSAM is an effort to provide resources to keep Americans safer and more secure online. To celebrate, REN-ISAC is offering a variety of free webinars during the month of October. Check our event calendar for more information.

Please join us for one or all of the following:

Get to Know the REN-ISAC
Wed 10/1 noon ET (4:00pm UTC)
Open to the Public

MISP @ REN-ISAC
Wed 10/8 noon ET (4:00pm UTC)
Members Only

Omnisoc: The Importance of Collaboration Amongst Higher Ed Institutes
Tues 10/14 noon ET (4:00pm UTC)
Open to the Public

Beyond the Breach: Executive Strategies for Safeguarding Student Data & Institutional Reputation
Wed 10/22 noon ET (4:00pm UTC)
Members Only

Panel on Innovative Hiring and Retention in Information Security
Wed 10/29 noon ET (4:00pm UTC)
Open to Public

This August, the 2025 REN-ISAC and OmniSOC’s Rising Stars Cohort graduated with a presentation of their projects aimed at leading organizational change. Rising Stars is a staff-development initiative within REN-ISAC aimed at cultivating people-leaders and changemakers within the organization. The 2025 cohort of Rising Stars were nominated by their managers to participate in the program. The cohort represented a variety of teams in the organization, and each was selected for their initiative on their respective team projects. 

2025 REN-ISAC Rising Stars cohort:  

• Daniel Osei, Senior Security Platform Engineer 
• Erica Brinkley, Administrative Manager  
• Joseph Potchanant, Executive Member Liaison and Customer Relationship Manager 
• Matthew Lutz, SOC Engineer 
• Megha Moncy, Security Analyst  
• Mikeal Jones, Security Analyst  

Josh Drake, REN-ISAC SOC and Security Services Director, led the second annual Rising Stars program. With his guidance, the group completed readings and discussions, then applied these lessons to their daily work. Topics included creating constructive working habits, identifying crucial stakeholders in an organization to get buy-in for change, and effectively communicating with staff and leadership. The program culminated with the cohort dividing into pairs to meet with REN-ISAC staff about ways the organization could improve, developing a project plan that addresses identified gaps in the organization, and leading the initiative to create deliverables on their project. During the graduation ceremony, each team pitched their respective projects to an audience of REN-ISAC leadership. 

REN-ISAC and OmniSOC recognize the importance of developing leaders from within our organization, and Rising Stars is one of the ways that we commit to doing this. The Rising Stars program develops staff at an individual level to prepare them for the next steps in their careers, but the program also facilitates cross-team collaboration for the organization. This gives participating staff a chance to see across the organization and talk about ways to make positive changes that impact all our teams. The 2024 Rising Stars cohort have each since moved into management positions of a REN-ISAC team or are crucial members of major initiatives in the organization, clearly demonstrating the impact of the program. We can’t wait to see how the 2025 Rising Stars cohort continues to grow professionally and drive innovation in our organization!  

When over a hundred higher education information security professionals gathered in Boston this August, the room was not there just to listen; they were there to imagine what could go wrong. At the 2025 Boston University Security Camp, Shane Albright, security advisor with REN-ISAC Information Security Assessment & Advisory Services, led that exercise with his talk, Incident Response Tabletop Exercises: They’re not just a game.

The session drew participants from nearly 30 colleges and universities across New England, including 20 REN-ISAC member institutions. Instead of focusing on slides or checklists, Albright invited the audience to step into the middle of a crisis: a simulated incident where decisions had to be made, roles coordinated, and blind spots revealed. The point was simple but powerful. If you do not practice together in a safe environment, you risk stumbling when a real event unfolds.

Tabletop exercises work because they are low-stakes rehearsals. They allow IT staff, administrators, and campus leaders to stress-test incident response plans without the pressure of live consequences. They expose gaps in planning and communication, but just as importantly, they build confidence and trust among teams that may have to make quick decisions under pressure. In higher education, where attacks are relentless and resources are finite, that kind of preparation is critical.

REN-ISAC designs and facilitates tabletop exercises tailored to the realities of higher education. If your institution is ready to strengthen its resilience, explore what a tabletop exercise could do for you. Reach out to Kyle Enlow at peer@ren-isac.net to start planning your own.

In higher education, a single missed update can turn into a serious breach. That’s why REN-ISAC’s Daily Watch Report has become a daily must-read for security teams across the sector.

Sent out each weekday, the report pulls together curated, critical threat intelligence from a wide range of trusted sources. It flags new vulnerabilities, malware activity, phishing campaigns, ransomware, patch updates, and other emerging risks and helps IT teams focus on what needs attention now.

Unlike generic industry digests, the Daily Watch Report is built specifically for higher ed. Members often say it’s helped them catch issues early and avoid potential incidents altogether.

While the report is available only to REN-ISAC members, it shows how real-time, community-driven intelligence can make a meaningful difference. In a fast-moving threat landscape, having the right information, delivered consistently and clearly, helps institutions stay prepared.

To access the Daily Watch Report and other member benefits, learn more about REN-ISAC membership at:

https://www.ren-isac.net/membership/index.html