Triangle universities strengthen cybersecurity as hackers grow bolder

kblunt@newsobserver.com
August 4, 2013


While the federal government presses charges against a ring of foreign hackers who infiltrated some of the country’s largest corporations, American research universities continue to struggle with similar threats.

Institutions of higher education have long been under siege by cyber criminals, but in recent years intellectual property has become a prime target of sophisticated attacks. That has left the Triangle’s research universities scrambling to bolster their security efforts.

“We’ve put all these things into place that have made us more secure, but while we’re doing that, the bad guys are working faster and we’re struggling to keep up,” said Ramon Padilla, deputy chief information officer and interim information security officer at the University of North Carolina-Chapel Hill. “They just have more manpower. It’s a tough fight. If you meet anyone who says they’re ahead, let me know.”

All three of the Triangle’s research universities have recently expanded their information security departments and budgets. UNC has doubled its security staff in three years, bringing the number up to 14 after it completes its latest round of hiring. Duke University and N.C. State University each now employ about six people to deal exclusively with information security.

Cybersecurity has long been a concern in higher education, as colleges and universities house troves of data highly coveted by online criminals. University networks contain students’ social security numbers, parents’ and donors’ financial information and other sensitive files.

Institutions that focus heavily on research – including UNC, N.C. State and Duke – hold additional appeal for hackers. Research universities generate information that could aid in a range of activities, from product development to terrorism.

“We think we’re seeing more attacks on valuable intellectual property,” said Fred Cate, director of the Center of Applied Security Research at Indiana University Bloomington. “Much of it has value that would lead to discovery. Many people think China is the main source of the attacks, but a lot of that is not based on evidence. Attacks don’t come with location information that’s easy to identify.”

Universities spend a lot of time and money ensuring their data processing and storage methods comply with the myriad laws that protect students’ educational and health records. But some of those developments have come at the expense of protecting research, according to Cate.

“Universities only began taking concerted measures to protect intellectual property within the last two or three years,” he said. “We’ve definitely been a latecomer to this dance. Even today, some universities don’t have specific security measures to protect research. It’s not even close to a consistent practice.”

Firewall

To strengthen its defenses, UNC is planning to install a firewall that will surround its entire network. It will cost about $500,000 to obtain and implement, and it will be fully functional within the next two years.

The university already maintains an intrusion detection system that helps block about 87 million unwanted connections to its network every week, Padilla said. That’s up from about 30 million three years ago. He estimated that the system examines between 15 and 30 percent of all network traffic.

“If we examined all of the traffic, it would just eat up the system,” he said. “We’re trying to cover the most important parts.”

Instead of inspecting traffic, the firewall will allow only certain types of connections by default. Padilla estimated about half of UNC’s peer institutions have taken similar measures to secure their data, while others have built firewalls around certain areas of their networks, such as research and data hubs.

Duke and N.C. State haven’t gone as far as to build wraparound firewalls, but both are taking measures to strengthen the security of valuable information. N.C. State is setting up a framework to establish data location and sensitivity. The university is working to map exactly where all of its research and personal data is stored, and it plans to color-code the data according to its value.

“Different sensitivities of data will be coded green and purple,” said Kerry Digou, manager of information security at N.C. State. “Green means the data is in the public domain, while purple means it’s sensitive. We want to spend more effort protecting the purple stuff.”

Duke is taking a similar approach. Richard Biever, Duke’s chief information officer, said the university is working to establish protected enclaves where researchers can work without the threat of someone sifting through their findings from behind a computer screen.

“It’s one of those things we’re constantly evaluating,” he said. “We want to improve on what we already have because types of attacks change over time.”

Open environment

Unlike an individual or a corporation, universities can’t build fortresses to protect digital data. Their network structures have to have some doors and windows to allow for the exchange of information in an environment that thrives on openness.

“Cybersecurity wrestles with traditional academic culture,” Cate said. “The major question is, ‘Does this intrude on academic freedom?’ Another big issue is money. It’s not cheap.”

Thousands of Internet-connected devices, from laptops to smartphones, enter and exit university networks every day, further complicating the cybersecurity landscape. By maintaining relatively porous networks, universities inadvertently make it easier for hackers to sneak in. Some “phish” for keys in the form of usernames and passwords, while others simply break and enter through weak spots in the structure.

“We’re seeing more phishing messages than network attacks in a given month,” Duke’s Biever said. “However, some of that is just noise because phishing attacks take minimal effort. With network attacks, they generally start with attacks on open ports or hosts and from there, they will attempt to see if there are vulnerabilities and exploit them.”

Though UNC has seen an increase in unwanted connection attempts, there is some debate about whether the number of cyberattacks against universities is actually increasing. The technology used to detect potentially dangerous Internet traffic has evolved considerably during the past several years, and universities are dedicating more time and resources to monitoring their networks.

“We’re just getting a lot more traffic in general,” N.C. State’s Digou said. “People are using the Internet more and more, and we have twice as many wireless devices on the network than two or three years ago.”

More complex

While it’s unclear whether attacks are increasing in frequency, it’s clear they’re expanding in scope and complexity. Hackers mask the origins of the attack by borrowing the digital signature of a different device.

“They’re able to use someone that looks more neutral,” Padilla said. “Universities are one of those places they like to compromise. A foreign attack could look like it’s traffic coming from another university.”

Even when the signature is real, it’s difficult to determine which areas generate the most attacks. UNC and Duke detect a lot of unwanted traffic from Russia and China, but they also repel attacks from nearly every other country, as well.

“A huge amount of malicious activity is not original,” Cate said. “If I want to steal data, I’m going to buy the virus from someone else and add my own pathway. If you look at the code, it could have originated somewhere completely different than where it came from.”

The stealthiest of hackers hardly leave a trace. They lend credence to an adage that divides the Internet world neatly in two: those who have been hacked, and those who have been hacked but don’t know it.

“The only way to fully protect a computer is to turn it off and put it in ten feet of concrete,” Biever said. “It’s an arms race.”

Blunt: 919-829-8985
