BreachExchange mailing list archives

Universities need to plug into threat of cyber-attacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 31 Mar 2015 19:52:58 -0600

http://www.theguardian.com/education/2015/mar/31/universities-cyber-attacks-research-criminals

In January last year, Queen Mary University of London came under attack.
There was no physical violence or break-in: this was a cyber-assault by the
online hacking collective Anonymous, which claimed to have stolen data,
including students’ personal details, from the university’s servers in
revenge for what it called “invasive” research sponsored by the Ministry of
Defence.

The case is now the subject of an information commissioner’s inquiry over
alleged breaches of data protection rules, and Queen Mary says it has taken
steps to “significantly mitigate” the risk of such a “one-off breach in
security” happening again. But can universities really be sure they can
protect themselves from cyber-attacks?

According to Professor Awais Rashid, director of Lancaster University’s
security research centre, the unique nature of universities makes it
difficult. As well as teaching and research, most are now involved in
commercial activity – from venue hire to privately funded research – but
they can’t be “shut down” in the way other businesses might.

Students come and go, bringing laptops and mobile devices; visitors pass
through from across the globe; researchers link up with organisations
worldwide. “In many companies, even their own staff can’t access the
network through a device that hasn’t been vetted,” says Rashid.

[Photo caption: Carsten Maple of the University of Warwick]

The combination of students’ personal and financial details, confidential
data such as medical records, and commercially desirable research – plus an
intrinsic virtual (and cultural) openness – makes universities obvious
targets for cyber-attacks. Virtual assailants range from identity or
information thieves to disgruntled students. Once hacked, universities can
be left with high financial losses and reputational damage.

But despite the value of the intellectual property they hold,
vice-chancellors do not always take the issue of cybersecurity seriously
enough, says Martyn Thomas, visiting professor of software engineering at
the University of Oxford. “Anywhere where there is information of
significant value, people will be trying to steal it,” he says, “usually
with enormous success.”

However, even sophisticated monitoring systems are no guarantee of
protection, he points out, as Sony Pictures found to its cost when
sensitive emails about its top talent were exfiltrated and published online
last year.

This year, the government reissued guidance for organisations known as “10
Steps to Cyber Security”. It has also developed the Cyber Essentials
scheme, which is aimed at helping businesses and other organisations
protect themselves from attacks. Most universities have not yet taken those
steps, says Thomas, who recalls one institution that took months to realise
its system had been hijacked and was hosting a pornographic website.

But creating secure IT systems for “large heterogeneous organisations” like
universities is not easy, says Professor Carsten Maple, director for cyber
security research at Warwick University and vice-chair of the UK’s council
of professors and heads of computing. “Thankfully, many universities have
changed from the ‘computer says no’ attitude to one of ‘let us help you do
what you need in a secure and managed way’,” he says.

IT security isn’t a new problem for universities. In 1986, an attempt to
resolve a minor accounting error in computer accounts at Lawrence Berkeley
National Laboratory, California, uncovered a West German hacker spying on
defence information for the Soviet Union.

Today, it is still the “huge processing power of universities that is
potentially attractive to the criminal fraternity”, says Dr Alastair Irons,
chair of the British Computer Society’s cybercrime special interest group.
He has noticed an increase in “phishing” attacks, in which recipients are
sent emails falsely purporting to be from university accounts.

[Photo caption: Ross Anderson, University of Cambridge]

“You can say, ‘I am going to close things down, run the university system
the way I run a bank’,” says Irons. “But then, of course, you can’t do all
the things you want to do as a student or academic.” However, cybersecurity
should be taken seriously and dealt with at board level by universities, he
adds – just as in any company with valuable data to protect. Universities,
he says, can be reactive and fail to perceive the extent of threats.

The key for universities, as they try to balance openness and protection,
is working out what information genuinely needs protecting and ensuring
they target their efforts on that. Guidance from Universities UK published
in 2013 emphasised the need to make informed assessments of legal,
reputational and financial risks posed by information held, and then
introduce “proportionate and appropriate controls that focus protections on
high-risk information”.

For the most sensitive data, such as NHS patient information, this involves
separation of computer systems to isolate valuable information completely
from the university’s main network, or placing it behind firewalls.

Hugh Boyes, cyber-security expert at the Institution of Engineering and
Technology, says: “If you’re working with sensitive or valuable research
data, then it behoves the university to put in place a system to protect
that data, and not just go for the cheapest system they can.”

For the institution as a whole, the focus should be on better
“cyberhygiene”, he says. Everyone has to learn to back up data and to
beware of phishing emails. “It’s about targeting and training people to be
a bit more savvy and not leave laptops on trains.”

But according to Ross Anderson, professor of security engineering at the
University of Cambridge, there is a danger of universities going overboard:
lurching into panic mode at the slightest hacking attack and imposing
needless and expensive controls. The appropriate way to deal with “threats”
such as a minor hack by a disgruntled student is to have the confidence to
ignore them, he says.

Yet, pressure from vested interests such as software companies, auditors
and others can push universities into needless action. “Universities as
public bodies are at risk of having to do completely unnecessary due
diligence because of inappropriately risk-averse responses to entirely
frivolous incidents,” he says. “Public sector organisations feel they have
to cover their arse all the time. The great majority of costs from
cybercrime are from flapping around.”

Like so many challenges raised by the internet, cybersecurity is less a
finite goal than a process – and one of risk management rather than risk
removal. The best thing universities can do is ensure departments have the
appropriate level of security, says Anderson. And where data is of critical
sensitivity, it should be treated not only with top-level security but also
with an ethical approach.

“It is not just a matter of compliance, but of ethics,” he says. “If you
see university information security as being a subject like any information
security, then you will screw up. You have got to understand the context,
but this message is not getting across.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
