Magazine article University Business

Detecting and Preventing Cyberattacks in Your Network: New IT Security Models Can Protect University Systems More Effectively

Magazine article University Business

Detecting and Preventing Cyberattacks in Your Network: New IT Security Models Can Protect University Systems More Effectively

Article excerpt

A University Business Web Seminar Digest * Originally presented on October 13, 2015

Despite being vulnerable to cyberattacks, many colleges and universities still have insufficient threat management defenses.

Cyberattackers will evade the strongest perimeter security defenses and spy, spread and steal vital research data as well as personal and financial records from members of the campus community, and can access university systems for months or years before a breach is detected.

In this web seminar, presenters discussed these threats, as well as the new defense-in-depth models that can quickly pinpoint and mitigate threats in progress, and shared strategies for how to meet university security requirements while providing an open and collaborative learning environment that embraces BYOD and mobility.

Mike Banic: As we talk to customers across every vertical market, cybersecurity is now everyone's concern.

And as we talk to institutions of higher learning specifically, there are a lot of regulatory issues that universities face. There are health clinics on campus, so sometimes they are subject to HIPAA regulations. Colleges have different kinds of stores. They use credit cards to collect payment, which are subject to PCI compliance. And they are oftentimes the host for private research. They have to protect all of that data, and they may have to adhere to the same kind of compliance requirements that their partner institutions have to comply with.

One of the things that's become clear to us is that you're facing a gap in cybersecurity. You've all invested very wisely. You've invested in firewalls, intrusion prevention systems, proxies and malware sandboxes. You've got a lot of great tools that help to collect event information on your network that is useful in the analysis of what happens when something does go wrong. Being able to perform some forensics is a great asset if you have to call in a forensic IT consultant. But there is research saying the average threat is present in a network 225 days before it's detected.

This is exactly the gap that we try to address. The goal is to do it in an automated way that doesn't require additional personnel, because universities don't usually have a lot of extra staff. Often, there are candidates in the student body who are interested in computer science and cybersecurity who may be able to add a helping hand.

But this will most likely not be enough. The more that things can be automated, the better. Real-time detection means that you find out about an attack while it's happening, before data is exfiltrated or destroyed.

Here, when we think about those 225 days, behaviors that can occur fall into a simple blueprint that informs us of the kind of traffic we need to inspect, which helps us to close that cybersecurity gap.

The most common way for the attacker to gain access is through a phishing attack. The second most common is through social engineering. Once he has access to your network, his goal is to gain control. He does that by taking whatever malware package he's been able to drop into the infected host and spread that to others so he can get a more durable footprint.

Another way is to elevate access. The credentials the attacker may have gained to get initial access to the network may not give him access to the host with the data he wants to steal, or access to the services that get him into the data that he wants. So he needs to elevate access and then establish control so he can slowly move that data to a waypoint and then, ultimately, exfiltrate that data outside of your environment, or, in the case of the highly publicized recent Sony Pictures hack, destroy that data.

That's where we look to focus-deep inside a network to detect any of the attack phases that would happen after the attacker's initial intrusion into the network. This requires listening to traffic in your network, and it's agnostic as to what kind of devices or operating systems you have. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.