Data Security | Feature
4 Ways to Bolster Your Hacker Defenses
Last year, higher education faced nearly 2 million data breaches, according to a recent report--a tally surpassed only in 2006, which had a reported 2.03 million records breached. Whether it's Chinese hackers or malicious individuals closer to home, security officers agree that malware attacks are growing more frequent as well as more sophisticated and specifically targeted, and that traditional perimeter defenses involving firewalls and antivirus software are still necessary but increasingly insufficient.
CT asked four security experts for their tips and best practices for staying ahead of security threats on campus.
1) Move Cybersecurity Up the Governance Chain
When Indiana University suffered two small data breaches a decade ago, the issue of data security quickly leapt to the top of administrators' priority list. In retrospect, that was a stroke of luck, says Fred Cate, a law professor and director of IU's Center for Applied Cybersecurity Research and Institute for Information Policy Research. "It got the attention of the administration and trustees, who recognized the responsibility they have to the public to protect data," he notes. As a result, the IU cybersecurity team now reports directly to the trustees. "That has made all the difference," Cate stresses.
The position of cybersecurity in the governance structure is key to how many resources it gets. "IU has a large IT operation and an influential CIO, so it would devote considerable resources to security in any case," admits Cate. "Nevertheless this cybersecurity reporting structure keeps its profile high."
A security posture is always a question of balancing resources available and the nature of the risk, he continues. Traditionally it has been hard to get funding to improve defenses, but the uptick in security breaches actually makes it easier. "As in the corporate world, it is ironic that if you suffer an attack, that makes it much easier to get resources for security. And if someone else is attacked, the closer geographically and the more the victim looks like you, the more impact it has."
2) Consolidate Security Solutions
Of course, large universities with research networks have greater concerns about security than small colleges, and they typically have more resources to apply. Still, even small colleges need to do more than just have a firewall or intrusion prevention system, says Jim Brausen, director of the education market for Sunnyvale, CA, network security firm Fortinet. They also need application control, anti-spam and antivirus, a virtual private network, and data loss prevention software designed to detect potential breach or exfiltration transmissions.
"We see people move toward a consolidated approach rather than multiple, ad-hoc point solutions they have to manage individually," Brausen says. "They really need to control it with one interface." In addition, he recommends avoiding any per-user fees, to help keep costs down.
Brausen suggests asking three questions of any consolidated security solution vendor:
- Have their products been evaluated by an independent third party such as NSS Labs?
- How often are security updates done and how they are managed?
- Does the solution have an impact on throughput on the network?
3) Know the Enemy
Andrew Howard, a Georgia Tech Research Institute research scientist who heads up its organization's malware unit, says institutions are starting to take the threat of targeted attacks such as spear phishing more seriously. "We have seen a real change from people denying that they are under attack to trying to figure out how they can limit the damage," he says. Georgia Tech researchers are developing a malware intelligence system that will help corporate, higher education and government security officials share information about the attacks they are fighting.
To better identify potential attackers, the University of Pennsylvania has developed a homegrown DNS (Domain Name System) sinkhole called SafeDNS at Penn. A DNS sinkhole tracks websites known to be the source of malicious content, explains Melissa Muth, senior information security analyst at Penn. If a computer user attempts to reach such a site in the course of web browsing or other activity, the service redirects the computer to a safe location.
One benefit of creating and running the service in-house is that Penn can tailor the list of malicious domains to include those it sees in phishing messages, she adds. "We've seen a 97 percent reduction in compromises," with only about two to three false positives per year. Every day the service updates a list of about 50,000 sites that are known to be hosting malicious software.
4) Collaborate and Share Intel
After 9/11, the White House created 16 sector-specific cybersecurity threat analysis groups (for instance, for banking and finance), called Information Sharing and Analysis Centers (ISACs). The CIO of Indiana University at the time, Michael McRobbie (now IU's president), went to the White House and pushed for an ISAC focused on higher education and research networks. That led to the start of the Research and Education Networking Information Sharing and Analysis Center, or REN-ISAC, 10 years ago. The group has now grown to more than 380 institutions and has turned out to be one of the most active ISACs, notes IU's Cate, who is also the executive director of REN-ISAC.
REN-ISAC receives reports of malicious websites from members and disseminates them to the group, along with threat reports from third parties.Member institutions get access to feeds of threat indicator data that can be used in conjunction with their local protections. A system for sharing best practices has grown up around the operational unit, including member meetings and webinars.
One of its projects is the Security Event System, which is an effort to automate the reporting and sharing of threat information. "When we get threat information and send it out, a person still has to act on it," Cate explains. "We are looking at how to automate it so changes could happen to your firewall much faster. We're not there yet, but we are working on it."
