Faced with millions of hacking attempts a week, U.S. research universities' best option is to segment information, so a balance can be struck between security and the need for an open network, experts say.
Universities are struggling to tighten security without destroying the culture of openness that is so important for information sharing among researchers in and outside the institutions, The New York Times reported on Wednesday.
Universities have become a major target of hackers looking to steal highly valuable research that is the backbone of thousands of patents awarded to the schools each year, the newspaper said. The research spans a wide variety of fields, ranging from drugs and computer chips to military weapons and medical devices.
Like U.S. corporations, universities are battling hackers who are believed to be mostly from China. However, the schools are in the unusual position of having to protect valuable data while maintaining an open network.
"It is a unique problem for universities," said Nick Bennett, a security consultant for Mandiant.
Experts agree that the schools should audit all the information they hold, including research data and student and employee personal information; categorize it all and then decide the level of security needed. The extent of the protection should depend on the damage that could result if the data is stolen.
The most sensitive information, such as research related to national security, should be taken off the Internet and accessible only through university-approved computers on campus.
"[That way] you can still maintain somewhat of an open culture university wide, while still protecting the crown jewels," Bennett said.
For less sensitive data, there's more flexibility, experts say. Some information may only need additional access controls, such as two-factor authentication. Other data could also be placed behind intrusion detection systems that monitor for unauthorized access.
Universities tend to have many silos of data stored within individual schools and centers on campus. Oftentimes, the information is left up to the individual entities to protect, which can have disastrous results.
In an incident he called "industrial strength stupid," Kevin Coleman, a cyberterrorism expert at Technolytics Institute, said he knew of one university where researchers set up their own server on the school's network and connected it to the Internet without a firewall, antivirus software or intrusion detection capabilities.
"That action exposed much more than just that research initiative," he said.
An alternative is for universities to follow a more corporate model, where a single department is responsible for setting and upholding standards across the organization, said Brandon Knight, a senior consultant for SecureState.
If such a top-down approach is impossible, then the various groups should have a way to share information on security and to collaborate whenever possible.
"When you see people implement their own security and reinvent the wheel and do this in a vacuum, it leads to problems," Knight said. "People obviously want to do the best, but they don't always know what they're doing and they may not have the resources."
The sophistication of hackers engaged in cyberespionage means they are likely to breach any organization's security eventually. In those cases, the best defense is layered technology that prevents intruders who have gained a foothold from obtaining the credentials needed to access internal systems, a strategy called "defense in depth."
"Even if an attacker is able to get access to a few systems in your environment, there are still additional security controls in place preventing them from escalating their privileges and moving laterally to other sensitive systems," Bennett said.
Many of the above suggestions are considered best practices in the security industry. But even the basics go a long way toward protecting computer systems.
"It doesn't really matter if the attackers are from China, some other nation state or just hacktivists," said Brent Huston, chief executive of MicroSolved. "Until [universities] get better at doing the basics right, they will continue to be hotbeds of attacker activity."