Protecting Against Internet Security Threats in Both Academic and Company Labs

Cyber criminals have a history of targeting government and military systems. But according to a recent article published in the New York Times, “Universities Face a Rising Barrage of Cyber Attacks,” cyber attacks against universities are on the rise and they appear to come mostly from China and, to a lesser extent, from Russia and Vietnam.

Cyber attacks range from low-level attacks to obtain personal information to more complex attacks to obtain sensitive information.

Below is a sampling of the cyber incidents that occurred in the last few months:

• On July 24, 2013, Stanford University announced that its computer system had suffered a security breach and advised its users to change their passwords. The scope of intrusion is not known.

• On July 17, 2013, the personal information of more than 72,000 staff members (past and present) of the University of Delaware in Newark was compromised.

• On January 2013, Mississippi State University was the target of a cyber attack on one of its servers. There was no loss of secure data.

Protecting against cyber attacks

Universities have been forced to tighten the security of their systems while at the same time maintaining the free flow of information. They report the implementation of initiatives to overhaul their network systems, provide training to their employees, and institute policies and procedures to enforce employee accountability—all at significant costs.

Interestingly, universities report that although they may be vulnerable to an attack from the outside, they are also vulnerable to employees providing requested sensitive information without checking the identity of the requester, thus opening the network to a potential hacking attempt. Some universities report dealing with these attempts by increasing the use of technology in addition to monitoring employee e-mails.

“As our networks are open, we have adopted the use of the latest technology to shield us from cyber attacks,” states Fred H. Cate, director, Center for Applied Cyber security Research, Indiana University. “In addition to the use of technology, we are continuously attempting to enforce internal rules on our employees and make them accountable for failing to follow our procedures and opening our network to a security risk. For a network to be attack-proof, employee accountability is key.

“Although accountability is key, flexibility in working with employees is also key to maintaining the free flow of information. If some university employees feel hampered by the internal security rules, we are willing to discuss their issues and grant them an exception provided that they remain accountable,” states Cate.

Accountability is a novel concept, as some university employees accustomed to a free flow of information may not be used to having their e-mails monitored. Even though policies may be in place, universities report that employee awareness is a key concern and initiatives have been taken to strengthen employee communication and provide training.

“Our greatest concern is that employees may not be aware of phishing attacks,” states Daniel Brashler, senior computing consultant, Lehigh University. “We are in continuous communication with our researchers and employees and continuously work with them to make them aware of the dangers of phishing attacks.”

The issues relating to cyber security affect both universities and companies, as companies view universities as a source of innovations and intellectual property (IP), access to which will enable them to maintain their competitive edge.

In response, in July 2000, EDUCAUSE, a nonprofit alliance of universities and technology companies, established the Higher Education Information Security Council (HEISC). “The mission of HEISC and its partners is to improve information security, data protection, and privacy programs across the higher education sector for the protection of critical data, IT assets, and infrastructures,” states Rodney J. Petersen, senior government relations officer and managing director, EDUCAUSE.

“The goal of HEISC is to address issues of awareness and training, governance, risk and compliance technologies, operations, and practices, and one of its priorities relates to the security and privacy issues surrounding Bring Your Own Device (BYOD) and the cloud. To achieve this goal, HEISC has published a guide titled ‘The Information Security Guide: Effective Practices and Solutions for Higher Education.’

“The content of the guide is provided and maintained by university information security practitioners and is organized into topics that parallel the major clauses of ISO/IEC 27002,” states Petersen.

Topics covered in the guide include risk management (ISO 4), security policy (ISO 5), organization of information security (ISO 6), asset management (ISO 7), human resources security (ISO 8), physical and environmental security (ISO 9), communications and operations management (ISO 10), access control (ISO 11), information systems acquisition, development and maintenance (ISO 12), information security incident management (ISO 13), business continuity management (ISO 14), and compliance (ISO 15).

Companies report having their share of cyber attacks as well; however, they operate in a different mode than do universities. In contrast to a university laboratory whose mission is the dissemination of knowledge, the mission of a company is to produce novel products and processes, which is a key factor for a company to maintain a competitive edge.

Companies report attempting to ward off cyber attacks by limiting access to laboratory facilities to visitors who are prescreened and escorted at all times. Visitors are not allowed access to instrumentation or proprietary information, except on limited occasions, and under a non-disclosure agreement or subject to a collaboration agreement with clauses safeguarding the proprietary nature of any information that may be disclosed.

In some companies, laboratory operations are self-contained with no interface with the Internet at large. When the Internet is used for communications with outside parties, such as collaborators, customers, or vendors, these communications are protected under secure access and multilayered identification. If files are exchanged, they are encrypted so that the information remains tamper-proof and sharing occurs via an Internet-secure data room with copies only of secured files provided.

To supplement Internet measures to protect against cyber attacks, companies report memorializing proprietary information in lab notebooks and ensuring that corporate procedures safeguarding proprietary information are followed. These corporate procedures include having in place contracts with collaborators and customers with the appropriate confidentiality, ownership, and enforcement provisions.

Protecting intellectual property

Misappropriation of IP is one of the aims of cyber attacks. IP encompasses a wide range of documents, data, and other assets that contain proprietary and confidential information relating to a particular manufacturing process or product design, plans for a product launch, a trade secret like a chemical formula or algorithm, or a customer list. IP can also include proprietary ideas, inventions, industrial and architectural designs, literary and artistic works, and Web pages.

Chief scientific officers (CSOs) working with management may take the following steps to protect the IP:

• Making an inventory and conducting a risk and costbenefit analysis to determine which IP is at high risk

• Labeling the confidential information to provide notice of its character

• Limiting employee access to the confidential information to a need-to-know basis

• Educating employees on the importance of protecting the IP

CSOs and management may also take the following steps to protect any IP that is in digital form:

• Applying specific controls to protect the IP at a data and document level in addition to protecting it at a system level

• Applying data loss protection to identify and protect confidential and sensitive information for data that is stored, in use, or in motion

• Monitoring the Web and e-mails for outbound data and stopping its flow if necessary

• Developing materials to train those who regularly analyze the outbound data to ensure that the IP is protected

• Monitoring mobile devices and cloud services

• Applying encryption based on organizational requirements, industry standards, and proven encryption algorithms

• Formalizing encryption documentation, processes, and procedures

• Securing management endorsement of encryption policies

• Communicating encryption processes and procedures to end-users, business partners, and all third parties that handle sensitive data

CSOs working with management may also take the following steps with employees, consultants, or contract workers to protect the IP:

• Asking them to sign a confidentiality agreement to keep company intellectual property confidential

• Educating them as to what the confidentiality agreement legally binds them to do

• Periodically reminding them of their legal obligations to keep proprietary information confidential

• Reminding departing employees, consultants, and contract workers of their legal obligations

In addition, management may take the following steps with employees, consultants, and contract workers to enforce the following guidelines:

• Providing confidential information to any third party on an as-needed basis only

• Keeping confidential papers and reports under lock

• Checking recipients’ e-mail addresses before sending confidential information over the Internet or, in some instances, using a corporate intranet for information transfer between employees

• Knowing which information is confidential prior to discussions with any third party such as a customer or supplier

• Abstaining from working on, reading, or discussing confidential information in the presence of nonemployees during travel periods

• Keeping a laptop or notebook password-locked and making use of a vision panel placed on the computer screen during travel periods

There are inherent difficulties in protecting the IP even if all required documentations are in place. These difficulties stem from unauthorized employee disclosures that are difficult to monitor or control before they occur, such as inadvertent or knowing disclosures of the IP, or disclosures of the IP as a result of employee departures or layoffs. One overarching difficulty may be the sheer increase in and complexity of cyber attacks.

Given the cyber attack landscape, universities and companies alike will continue to face the task of dealing with a moving target. They need to remain on the lookout for any new cyber security technology developments and procedures to implement in order to maintain the security of the Web and reinforce employee awareness and accountability.