Fighting cybercrime

‘Criminals try to get past our digital front door 13 million times a week.’
Illustration: Valerie Geelen

A vulnerability in WUR’s HR system, a hack the Eindhoven University of Technology was able to stop, and several DDoS attacks on SURF, a cooperative venture for IT in the educational sector. How does WUR keep the hackers out?

WUR’s IT systems have to cope with more than 13 million attempted break-ins (large and small) a week. That’s more than 20 attempts a second, seven days a week and 24 hours a day. ‘In many cases, they’re just testing the front door to see whether it’s open a crack. If so, the cybercriminals come back with a larger, more targeted attack,’ explains Sander van de Geijn, who is responsible for the digital security of WUR’s central IT environment. Hackers are interested in universities because of what they have on offer.

Universities are more difficult to protect because of their open character

‘It’s also more difficult to protect universities effectively,’ says Van de Geijn. ‘They’re large organizations where people are keen to collaborate, and that requires openness and freedom. What’s more, WUR is part of a much larger IT ecosystem. We could make the university as secure as a bank. But that would mean an end to using your own devices, and only allowing Word, Excel and a few essential applications, though. That’s very secure but leaves no room for innovation. We want to support and permit as many things as possible without putting the system at risk of unwanted access. It isn’t always easy to find the right balance.’

Fortress

Van de Geijn uses the analogy of a fortress surrounded by land to describe WUR’s digital security mechanisms. ‘You want maximum protection for what’s inside the fortress, and in the surrounding land where we collaborate. So you build a defensive wall around the fortress, with a deep moat and drawbridge, and you have extensive woods and gardens with watchtowers and outer forts.’ Staying with the analogy, while criminals try to get as close to the main fortress as possible, the IT departments try and build as many different defences around it as possible. That way, they try to minimize the impact of an attack. ‘The closer the criminals get to the fortress, the more impact it has on the organization. Whether or not the criminals are working for someone else, they can spy on the organization from the inside, encrypt files, manipulate information or leak data.’

At present, WUR’s outermost security layer can repel over 99 per cent of all attacks. Attacks that get through that layer encounter further cleverly designed layers of protection. Van de Geijn: ‘Criminals regularly try to reach our organization’s core systems, but they’ve never managed to get hold of the keys to the castle, as it were.’

Victor Viveen is WUR’s IT director: ‘Together with SURF, WUR monitors the network traffic in our systems. We have multiple security rules and we are continually checking to see whether our data shows any deviation from the rules.’ If that is the case, it raises a red flag. This happens about 3000 times a week. Van de Geijn: ‘That doesn’t necessarily mean something bad has happened, and in many cases the system automatically takes extra security measures. An example would be an additional multi-factor authentication step if the system suspects someone else is using your data to log in. Or if an antivirus program detects dangerous software, it can automatically disable an employee’s device (if administered by WUR). The IT Service Desk will then help the user in question to get back online securely. Some reports get incorrectly designated as security issues — for example, an employee who didn’t yet have the right access and tried to open something — but there can always be something genuinely wrong.’

Phishing

When asked about the hack that recently brought down Eindhoven University’s systems, both Viveen and Van de Geijn say they didn’t lose any sleep over it, given what they know about the security of WUR’s systems. In mid-January, staff at Eindhoven University discovered hackers had been trying to break into their systems. In response, the university took its entire digital infrastructure offline. The university only came back online fully one week later. It turned out afterwards that the criminals had got hold of the login details of at least one member of staff and one student, wrote Dutch newspaper De Volkskrant. They might have used phishing for that.

WUR employees too get an average of 20,000 phishing emails a week, in which hackers try to access the WUR systems. Van de Geijn: ‘Most are clearly fake but sometimes they look incredibly realistic. That’s why we train WUR staff to recognize such emails and we try to minimize the damage if someone does click one by mistake.’

Not every click on a fake link will bring the entire university grinding to a halt, says Van de Geijn reassuringly. ‘There are a lot of steps before you get that far. Imagine that an email with a phishing link gets through the spam filters, someone clicks the link and downloads a virus, then that person will often not have installation rights. If they do, the antivirus program will flag up a suspicious activity and we will get a message. What’s more, this often takes place on the outside of our network. The risk of someone with malicious intentions getting deep into the core systems is very small, but not zero.’

To check how watertight the IT security is, WUR hires an external firm every two years that has the task of trying to hack into the core systems. Van de Geijn: ‘Even they can barely get through our outermost protective layer. To test the innermost layers properly, we give them a helping hand by lowering some drawbridges, as it were, and letting them start inside the outer defences. In the IT team, we also sometimes try to break into internal components. If we manage, we then alert the people responsible to the vulnerabilities. That keeps the organization on its toes.’

Headaches

Most of the technical problems are due to human actions: what staff and students do. Van de Geijn: ‘Key factors are high workloads and insufficient awareness of the choices that can be dangerous. Minor decisions — such as a shorter password to make life easier — can cause real headaches. Incidentally, not all the potential measures are technical in nature. Policies and agreements among users also play an important role. For example, we can restrict digital access to systems, applications or folders, but the physical access policy is important too. You need a card to get inside many WUR buildings, but that isn’t the case for the education buildings. We also let people access the WUR systems with their own devices — which might not be totally secure in terms of their virus protection — in addition to the workstations managed by WUR.’ Viveen: ‘Those are choices we make for the purpose of openness, but they are still security steps we don’t take. That could be leaving us more vulnerable. Misuse doesn’t immediately bring everything crashing down, but such choices can have consequences because they make it easier to break in.’

In addition to awareness about cyber security, users should also consider what their data is worth to them and to others. Viveen: ‘Which data is confidential and what happens if it is made public? Will that harm our reputation, cause financial damage or even worse? If we realize we have information that others would like to get their hands on, or that is valuable in the context of crises or geopolitics, for instance, we can decide to deal with it differently.’

That is where the Information Security Officers (ISOs) come in. They give advice, both on request and on their own initiative, about data security in the department where they work. Tony van Kampen is an ISO for the Agrotechnology & Food Sciences Group. ‘I ask questions such as where is your data stored? Who is the data available to and when? The answers to those questions are crucial for me. WUR is working on a number of topics, such as the nitrogen problem, where the research results could have a huge effect on society. It is not unthinkable that people with malicious intentions are currently snuffling around WUR systems in the hope of passing on any information they find to other organizations.’

Utopian dream

The hack in Eindhoven has made WUR take a close look at the statutory tasks the university performs for the government, for example its activities for the Netherlands Food and Consumer Product Safety Authority. Researchers at WUR recently performed analyses when there were suspicions of foot-and-mouth, and of hepatitis A in blueberries. WUR also has a lot of data that came from external sources and information, for example from farmers. ‘When compared to other universities, our world is that little bit different — and broader,’ says Viveen. ‘That requires a different approach to security.’ The most important lesson of the attack on Eindhoven University is that it could happen to WUR too. After all, attempts were made to log into the WUR system from the same IP address. Van de Geijn: ‘They were banging on our door as well.’

‘In the past few years, we have identified what we call the crown jewels,’ says Van Kampen, continuing with the castle metaphor. ‘These are datasets that are so important that we pay extra attention to their security. We have a prioritization. The most important things get the highest level of security, because keeping everything 100 per cent watertight is a utopian dream.’

Digital security tips:
Use programs from the Approved Apps list
Install updates when requested
Use multi-factor authentication
Look out for phishing emails
Be aware of the value and sensitivity of research data and any other data you use
Get help with risk analyses from the Information Security Officers and IT experts
