Attacks on major state universities will continue in 2016, according to a non-profit cybersecurity readiness organization that specializes in the public sector.
And the problem is exacerbated because some state or small governments don’t have ‘mature’ cybersecurity plans in place, so they can’t mitigate it.
The vulnerability has been tagged by a cybersecurity readiness organization The Center for Internet Security (CIS). The prediction was quoted in Fedscoop, a government-oriented IT website.
“The universities are home to an awful lot of valuable intellectual property, so a lot of the major research universities are prime targets for attackers,” said Thomas Duffy, chair of the Multi-State Information Sharing and Analysis Center (MS-ISAC) that's operated by CIS. He was quoted by Fedscoop, writing about threats for states and localities.
“There was a lot of activity in 2014, 2015, and we don’t expect that to slow down in 2016,” Duffy said, of university attacks, to the publication.
For example, December saw a large education-targeted attack in the United Kingdom. It hit multiple universities who share an academic computer network.
‘Wave of attacks’
The Financial Times newspaper had warned at the end of November that universities needed to prepare for a slew of cyber attacks if they hadn’t already.
“Experts forecast a new wave of attacks from individual troublemakers, to criminal gangs tempted by databases full of student and donor data, to state-backed actors keen to discover and sometimes disrupt research that can result in valuable intellectual property,” the newspaper wrote.
In the U.S, good security intentions are there, but money is the big issue, reckons CIS’s MS-ISAC, in a recent presentation.
Almost half (46.8%) of states have only 1-2% of the IT budget for cybersecurity. That’s no increase on the previous year.
Strategies not there
And a budget-strategy disconnect exists. States haven’t been able to figure out where to send the resources they do have.
“Strategies and metrics are not in place to help point dollars to the right direction,” MS-ISAC said in its National Webcast Initiative Cybersecurity Year in Review and 2016 Preview presentation published in December.
In other words, security issues need to be documented in a timely way and provided to the state powers-that-be in order to get funding, the experts think.
“Approved strategies are missing,” the organization says.
And other things states can do?
MS-ISAC, in its presentation reckons states have to mitigate DDoS attacks as a priority. One way it can do that is by working with telcos to put mitigation controls in place.
“Working with your telecom provider can get you started,” said Erik Avakian, Chief Information Security Officer for the Commonwealth of Pennsylvania, in the MS-ISAC year-end presentation.
Advanced anti-malware for extortion attacks are “a must have” too, Avakian says, as is real-time correlation of security analytics; database firewalls; identity and access management along with multi-factor authentication.
“Like a tin can under the heel of my boot,” was how a hacker who attacked Rutgers three times in 2015 was quoted as saying on a hacker site, by the Financial Times.
This article is published as part of the IDG Contributor Network. Want to Join?