With Universities Under Attack, Security Experts Talk Best Defenses
Like U.S. corporations, universities are battling a growing number of cyberattacks, believed to be mostly from China.
Thu, July 18, 2013
CSO — Faced with millions of hacking attempts a week, U.S. research universities' best option is to segment information, so a balance can be struck between security and the need for an open network, experts say.
Universities are struggling to tighten security without destroying the culture of openness that is so important for information sharing among researchers in and outside the institutions, The New York Times reported on Wednesday.
Universities have become a major target for hackers looking to steal highly valuable research that is the backbone of thousands of patents awarded to the schools each year, the newspaper said. The research spans a wide variety of fields, ranging from drugs and computer chips to military weapons and medical devices.
Like U.S. corporations, universities are battling hackers who are believed to be mostly from China. However, the schools are in the unusual position of having to protect valuable data while maintaining an open network.
"It is a unique problem for universities," said Nick Bennett, a security consultant for Mandiant.
Experts agree that the schools should audit all the information they hold, including research data and student and employee personal information; categorize it all and then decide the level of security needed. The extent of the protection should depend on the damage that could result if the data is stolen.
The most sensitive information, such as research related to national security, should be taken off the Internet and made accessible only through university-approved computers on campus.
"[That way] you can still maintain somewhat of an open culture university wide, while still protecting the crown jewels," Bennett said.
For less sensitive data, there's more flexibility, experts say. Some information may only need additional access controls, such as two-factor authentication. Other data could also be wrapped in intrusion detection technology.
Universities tend to have many silos of data stored within individual schools and centers on campus. Oftentimes, the information is left up to the individual entities to protect, which can have disastrous results.
In an incident he called "industrial strength stupid," Kevin Coleman, a cyberterrorism expert at Technolytics Institute, said he knew of one university where researchers set up their own server on the school's network and connected it to the Internet without a firewall, antivirus software or intrusion detection capabilities.
"That action exposed much more than just that research initiative," he said.
An alternative is for universities to follow a more corporate model, where a single department is responsible for setting and upholding standards across the organization, said Brandon Knight, a senior consultant for SecureState.