Why universities are vulnerable to cyber attacks and REN-ISAC is so important.
GUEST COLUMN | by Todd O’Boyle
Universities have never had a more important place as a linchpin in a global system driven by knowledge, ideas, and innovation. Knowledge is replacing other resources as the main driver of economic growth, and education is the foundation for individual prosperity and social mobility. It’s no wonder that the competition among universities to attract the best and brightest has grown so fierce. For most institutions, competitive advantage results from its research and the quality of its graduates. Not only does a world class research program add to a university’s prestige in the eyes of prospective students, it also increases the potential impact its body of knowledge has on the global economy.
Institutions of higher education must find a way to protect their networks in a cost-effective way, while still preserving the freedom of their end-users.
This is why cyber attacks are a big deal for educational institutions. Below is perspective on why that is the case as well as prescriptive advice to higher education institutions that want to mitigate the risks of malware attacks.
Before getting into that, let’s consider the top reasons why universities are often targeted by attackers.
- University systems contain innumerable hours of research results.
Universities are a hub of research and often the site of new discoveries and emerging frontiers in every discipline. Principal investigators and other researchers at universities often store data about their current research, as well as publication drafts, patent applications and proprietary notes. This information could be very valuable to certain interested parties, making it vital that universities protect their networks against intrusions from nation states and other institutions who might seek to compromise intellectual property to further their work.
- Universities are built on a culture of openness and collaboration.
Universities are built on the tenets of knowledge sharing, collaboration and the free flow of ideas. This type of open environment is exactly what a university should aim to create when it comes to facilitating cultural progress and knowledge. However, in a culture fundamentally built on sharing and trust, students and professors are more prone to clicking on phishing links or accidentally downloading compromised files – putting them at a greater risk for cyber attacks.
- Universities have valuable personally identifiable information.
It makes sense that people often think of financial institutions, healthcare organizations and e-commerce companies as prime targets for data theft and compromise. But, as Jim Waldo, a computer science professor and CTO at Harvard pointed out, “There are parts of what a university does that are just like anyone else—we have credit cards, we have social-security numbers, we have health records, we have educational records—all of which we have to, by law, lock down in just as firm a fashion as corporations do.”
In other words, universities store information about their students and employers which can be financially valuable to criminals. Some examples of this information are social security numbers, credit card numbers, addresses and phone numbers, as well as medical, financial and professional details.
- IT departments have limited control over end devices used by students, professors and guests on their networks.
Universities are largely bring-your-own-device (BYOD) organizations, in that they do not own the majority of the laptops, computers and mobile devices that connect to their networks. Furthermore, faculty members and students generally have more control over their data than employees of companies or government agencies. Because of this dynamic, universities cannot guarantee endpoint security and must focus on securing the network instead.
- Universities have limited resources to defend the network.
If you work at a university, you are probably more familiar with the term “budget cut” than you’d like to be. In 2014, six years after the start of the recession, many universities were still funded at below-recession levels. With the focus on classroom experiences and public research, this often translates to fewer resources for the IT department, which makes it harder for them to detect and respond to attacks. This means that it can take years to even discover that a system was compromised (much less remedy it). For example, it had been nearly three years since Penn State’s network was breached when they discovered the incident in Summer 2015. (And they are far from alone in this.)
How Universities Can Begin to Fight Back Against Cyberattacks
Research and innovation is an important currency of any university. The true cost of a cyber attack revolves around the loss of intellectual property. What would happen if a cutting-edge research project at your university was successfully attacked and a foreign school was able to publish before you were?
We know that every dollar spent on IT staff and products takes away from research and education. That’s why we think it is important to give your security program focus. Below are a set of questions that we think you should optimize your security program to answer.
Why and how will I be attacked?
Don’t focus on the hypothetical. Pay attention to what is happening at other universities (through REN-ISAC and similar working groups) and study the attacks that are happening to them. Pay attention to not just the how but the why. What targets were the attackers going after? Do you have research programs focused on that? Chances are, those programs will be a target.
Be sure to “pay it forward” and share how you were attacked when it happens. Intelligence sharing is a two way street. The more you share, the more you’ll get back.
Have I seen this indicator?
Another component of REN-ISAC is the sharing of indicators. Ensure every component of your security program is set up to use this indicator data. Build automations to use the indicators, saving your precious resources for higher order analysis and incident response. It is the best view you have of actual adversary activity. If you have to decide between a hypothetical threat vector and an indicator in use today, pick the indicator.
What’s my biggest weakness?
Spend your energy understanding and fixing your biggest weakness. Are attackers stealing passwords to impersonate faculty or staff? Work on multi-factor authentication. Are they phishing your faculty? Educating faculty and students on how to recognize a phishing attack is the key. By focusing on fixing one problem at a time, you will provide students, faculty and staff the ability to really improve and not get fatigued by yet another security lockdown.
With so much at stake, it is very clear why cybercriminals are attacking universities at such high rates today. Based on current trends, we can only expect to see a rise in university-directed attacks. Institutions of higher education must find a way to protect their networks in a cost-effective way, while still preserving the freedom of their end-users.