BreachExchange mailing list archives

Universities learn to deal with hacking


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 20:42:14 -0600

http://www.therecord.com/news-story/4121013-universities-learn-to-deal-with-hacking/

Coders like to tell a joke. There are two types of people, it goes: those
who have been hacked, and those who are about to be hacked.

The quip is telling: cyber attacks, from Nigerian email scams to
sophisticated Chinese phishing operations, are a fact of life online.

Whether you're a teen with a laptop or a big bank with complicated servers,
you likely are not immune to hacking.

Post-secondary institutions are particularly and increasingly targeted by
hackers, according to IT specialists, intelligence agencies and university
officials.

With cyber attacks on the rise, schools are trying to protect not only
valuable research in fields like biochemistry and engineering, but the
vaunted culture of openness that makes universities unique.

It's not clear exactly how many hacking attempts Canadian universities face
any given day; few, if any, schools keep track of that number.

American universities are more forthright, and if their example is any
indication, the problem may be very large indeed. Bill Mellon of the
University of Wisconsin said the school saw as many as 100,000 daily
hacking attempts from China alone.

Whatever the figure, most Canadian universities agree the number of serious
hacking attempts is growing.

"The sophistication of the attacks is increasing, and the number of
attackers," said Jason Testart, director of information security services
at University of Waterloo.

"We are seeing increases in the attempts to get into our systems," said
McMaster University spokesperson Andrea Farquhar. "Some of those are very
determined. I don't think we're alone in that."

McMaster recently doubled the number of employees focused on cyber security
from two to four to combat the growing wave of attacks.

But universities are often coy, if not downright secretive, about hacking.

The University of Toronto turned down an interview request, instead sending
general answers by email. McMaster refused to let their IT specialists
speak to the Star. McGill University declined several requests for comment
over the course of months.

When they did talk about the issue, most schools were reluctant to disclose
what sorts of research were targeted by hackers, or whether the attacks had
been successful.

"You're laying out your vulnerabilities, potentially" by talking about what
is targeted, said Lori MacMullen, executive director of the Canadian
University Council of Chief Information Officers.

U of T's information security director, Martin Loeffler, was more blunt.

"As such information might encourage or facilitate attacks against the
university, we don't disclose data on successful or unsuccessful attacks,"
he said in an email.

Often, it's simply impossible to tell whether research or student
information has been compromised or stolen. For one thing, when a hacker
steals research, unlike when a carjacker steals a BMW, they can leave the
original intact.

And hackers often take pains to avoid being detected.

"They aren't the sort of people who would go into a university network,
steal it and then publicize it," said Ronald Deibert, a cyber-security
researcher at U of T.

That means it's often impossible to tell something as basic as the country
where a hacking attempt originated.

Sometimes hacks come from botnets, fleets of computers on the Internet
deployed by a puppet master. Cyber-security staff at universities can find
themselves playing whack-a-mole with IP addresses from around the world.

"Let's say they're looking for a specific vulnerability — one minute you're
seeing traffic from Germany, the next minute, anywhere: China, South
Africa, Japan, the U.S.," said Waterloo's Testart.

It is occasionally possible to trace the origin of cyber attacks, however,
and American schools say that certain countries are associated with
particular types of online theft.

"Typically, Russian intrusions have targeted personally identifiable
information . . . used for identity theft," said Tracy Mitrano, director of
IT policy at Cornell University in Ithaca, N.Y. Chinese hackers, meanwhile,
tend to probe for engineering and biochemistry research.

Canadian schools conduct sensitive, marketable research, too, of course. In
2010, the last year with available data, Canadian universities were granted
398 patents.

Hackers have taken note, according to CSIS, the spy agency.

"Because Canada is a leader in many areas of science and technology,
Canadian research institutions — public and private — make for attractive
targets," CSIS spokesperson Tahera Mufti wrote in an email. "Cyber
attackers and other hostile actors are always looking to steal intellectual
property, often to give foreign companies a competitive edge over Canadian
ones."

Mitrano said hackers target a wide range of scientific research,
"everything from semiconductor performance to the physical ware in
computers, to any software, in biology — my goodness — genomics, medical
research."

Despite the growing volume of hacks aimed at universities, many of them are
reluctant to concede that the online threats faced by post-secondary
schools are unique.

"The internet threats we face are really no different from any other
organization — they're trying to get at data," said Testart.

But the wide-open, diffuse nature of universities makes them harder to
protect against hackers than corporations or government agencies.

Unlike a bank, say, universities are comprised of thousands of faculty and
students logging on to the school's servers with laptops from coffee shops
or their living rooms.

That means hackers can infiltrate any one of those IP addresses and burrow
into university networks when the user logs on.

"You're only as good as your weakest link, and the hackers try to identify
that weakest link," said Sumon Acharjee, chief information officer at
Sheridan College.

In that way, the sheer size of universities can be a liability.

"If you're in the SkyDome and it's full, you have a better chance of
pickpocketing than if you're in a park and there are only a couple of
people," Acharjee said.

What's more, not only do universities' own members provide "on-ramps" for
hackers, so do academics around the world collaborating with their
counterparts in Canada.

For research to go smoothly, MacMullen said, "you may need to allow
researchers from another university access to your network."

Government ministries, for example, can erect firewalls that prevent
employees or outside users from accessing their networks unless the
computer is in a government office. Universities couldn't do that without
thwarting the kind of information sharing at the core of their mission.

That natural porousness means that some of the people charged with
patrolling universities' digital borders have learned to accept a degree of
risk.

"There are so many threats, you can't get 100 per cent of everything," said
Waterloo's Testart. "There might be something that'll slip through your
defences. You can't build Fort Knox."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
