With universities under attack, security experts talk best defenses

Faced with millions of hacking attempts a week, U.S. research universities' best option is to segment information, so a balance can be struck between security and the need for an open network, experts say.

Universities are struggling to tighten security without destroying the culture of openness that is so important for information sharing among researchers in and outside the institutions, The New York Times reported on Wednesday.

Universities have become a major target by hackers looking to steal highly valuable research that is the backbone of thousands of patents awarded to the schools each year, the newspaper said. The research spans a wide variety of fields, ranging from drugs and computer chips to military weapons and medical devices.

Like U.S. corporations, universities are battling hackers who are believed to be mostly from China. However, the schools are in the unusual position of having to protect valuable data while maintaining an open network.

"It is a unique problem for universities," said Nick Bennett, a security consultant for Mandiant.

Experts agree that the schools should audit all the information they hold, including research data and student and employee personal information; categorize it all and then decide the level of security needed. The extent of the protection should depend on the damage that could result if the data is stolen.

The most sensitive information, such as research related to national security, should be taken off the Internet and accessible only through university-approved computers on campus.

"[That way] you can still maintain somewhat of an open culture university wide, while still protecting the crown jewels," Bennett said.

For less sensitive data, there's more flexibility, experts say. Some information may only need additional access controls, such as two-factor authentication. Other data could also be wrapped in intrusion detection technology.


Universities tend to have many silos of data stored within individual schools and centers on campus. Oftentimes, the information is left up to the individual entities to protect, which can have disastrous results.

In an incident he called "industrial strength stupid," Kevin Coleman, a cyberterrorism expert at Technolytics Institute, said he knew of one university where researchers set up their own server on the school's network and connected it to the Internet without a firewall, antivirus software or intrusion detection capabilities.

"That action exposed much more than just that research initiative," he said.

An alternative is for universities to follow a more corporate model, where a single department is responsible for setting and upholding standards across the organization, said Brandon Knight, a senior consultant for SecureState.

If such a top-down approach is impossible, then the various groups should have a way to share information on security and to collaborate whenever possible.

"When you see people implement their own security and reinvent the wheel and do this in a vacuum, it leads to problems," Knight said. "People obviously want to do the best, but they don't always know what they're doing and they may not have the resources."

The sophistication of hackers engaged in cyberespionage means they are likely to breach any organization's security eventually. In those cases, the best defense is layered controls that keep an intruder who has compromised one system from obtaining the credentials needed to reach internal systems, a strategy called "defense in depth."

"Even if an attacker is able to get access to a few systems in your environment, there are still additional security controls in place preventing them from escalating their privileges and moving laterally to other sensitive systems," Bennett said.

Many of the above suggestions are considered best practices in the security industry. But the basics alone go a long way toward protecting computer systems.

"It doesn't really matter if the attackers are from China, some other nation state or just hacktivists," said Brent Huston, chief executive of MicroSolved. "Until [universities] get better at doing the basics right, they will continue to be hotbeds of attacker activity."


Stories by Antone Gonsalves
