In the last few days I have received many questions about security incidents at German universities that I could not really answer. Because for most questions there is almost no reliable information. But I would now like to try my hand at a few theses that can serve to initiate further discussions. These thoughts on the subject are based on my own experiences in university operations and discussions with IT and security managers from this area.
Jürgen Schmidt – aka ju – is Head of heise Security and Senior Fellow Security at Heise-Verlag. A qualified physicist by training, he has been working at Heise for over 25 years and is also interested in the areas of networks, Linux and open source.
1. Unis are easy targets
Universities are often easier to “hack” than typical corporations or institutions. This is due to many different factors. An important one is that the users generally enjoy more freedom than, for example, an employee, who can be told via service instructions what he has to do with what and how. It will not be possible to stop this completely without damaging important goods such as freedom of teaching. In addition, there are structures that have grown over decades that are no longer up-to-date, but also cannot simply be dispensed with.
2. Cybercrime trends
In the pig cycle of the cybercrime economy, there is currently a trend away from high-profile targets – the “big game hunting” – towards simpler targets. This has to do with better security measures on the obviously lucrative targets, with the declining willingness to pay and the successful actions of law enforcement agencies in the wake of spectacular cybercrime attacks such as the one on Colonial Pipelines. There have been multiple arrests, confiscated cryptocurrency, and other actions that have caused a lot of unrest in the cybercrime underground. As a result, many gangs changed their strategy and currently prefer less expensive raids.
3. It’s still worth it
Universities are not a promising target for blackmail, as they usually do not pay ransoms for encrypted or stolen data. But there is something worthwhile there. This starts with resources such as good internet connections (e.g. for spam and DDoS-as-a-Service) and powerful hardware (crypto miners) through to the latest research results. They can even be the target of contract espionage, which is then disguised as conventional cybercrime with blackmail.
4. Headlines don’t make good statistics
Universities have more visibility than most companies. This means that the current impression that universities have been hit above average can also be misleading. While companies may be able to keep an IT security incident under wraps, universities should find it very difficult. And just the number of those directly affected and the title “university” make it a much more worthwhile topic for reporting than a run-of-the-mill medium-sized company that was one of many who got caught.
5. Homework
Yes, many universities have to do their homework when it comes to IT security. As is also the case with many medium-sized companies, the issue of IT security must be given higher priority and appropriate resources must be allocated. The starting points for improving IT security also do not really differ from those in the corporate environment. This starts with creating awareness of the danger and goes all the way to systematic risk management.
What it can’t mean is, “Now everything correct make it safe” – in the sense of excluding any potential risk. Because that would paralyze everything. And students and researchers need special freedom. For this reason alone we should not turn our universities into highly isolated high-security wings.
Many of these thoughts are the result of conversations and discussions in the heise-Security-Pro-Community. There, IT security managers – also from universities, by the way – discuss current problems and how to deal with them in a targeted manner. More information about heise Security Pro is available here:
(yeah)
