Countering the cyberintruders

With sophisticated cyberattacks on the rise all across higher education, the Harvard Gazette spoke with Christian Hamer, the University’s chief information security officer, and Jim Waldo, the Gordon McKay Professor of the Practice of Computer Science in the John A. Paulson School of Engineering and Applied Sciences as well as Harvard’s chief technology officer, about how the University is responding to online threats and what members of the University community can do to protect themselves online.

GAZETTE: Harvard has experienced several cyberattacks in recent months. What can you tell us about these incidents and what Harvard has done in response?

HAMER: Since June, we’ve discovered network intrusions in the central administration and Faculty of Arts and Sciences, as well as at the Harvard Kennedy School and Harvard Law School.

The investigation into these incidents, including who is behind them, is ongoing. We do know that these were highly organized, professional attacks on our network, and that they looked similar to sophisticated intrusions reported at other large research universities in the United States. We are working with external incident response and forensics experts Mandiant, and we have been fully cooperating with federal law enforcement officials who are leading the investigation, and will connect these incidents to other ongoing investigations around the country. For that reason, some aspects of the investigation will need to remain confidential.

In each of these incidents, once we identified the scope of the attack, we were able to remove the attacker’s access to our network. Since then, we have launched a comprehensive review of our networks and systems and have increased network monitoring for suspicious activity. Right now, we have no evidence that research data or personal data were exposed in any of these incidents.

WALDO: What people really need to understand is that countering these sorts of attacks isn’t as straightforward as shutting down access and replacing hardware. With cybersecurity, you have a sentient opponent. We make a move, and they make a countermove. This is an ongoing effort to protect against those who are trying to infiltrate our network.

GAZETTE: Cyberthreats seem to be the new normal for universities. Why is higher education a target of these attacks?

WALDO: It’s the new normal for everybody, not just higher education. That being said, higher education is one of the most targeted industries for these sorts of attacks. This is true for a few reasons. For one, we tend to run fairly open networks in order to support our academic mission. Having barriers to discovery and collaboration gets in the way of our mission. So our IT infrastructure has to support that approach.

HAMER: Another reason is that we have a lot of valuable information. I think of universities as similar to small cities. We have a hospital, a police department, financial records, and personal data. As a large research university, Harvard also has lots of intellectual property that is of high value to cybercriminals. It’s all tied together with the technology we use, which makes us an attractive target.

GAZETTE: What is the University doing to help protect our sensitive data?

HAMER: Information security is a top priority for the University. We are taking this issue very seriously. As I mentioned before, we have enhanced network monitoring for suspicious activity, and we continue to improve our tools and systems. One of these tools is HarvardKey, a new login system, coming in November. HarvardKey will provide a single authentication system, as well as the ability to use two-step verification. Two-step verification is an added security measure that means, even if cybercriminals steal your password, they wouldn’t be able to access your account. It is perhaps the single most powerful tool you can use to protect your data against unauthorized access.

GAZETTE: How do you balance enhanced security monitoring with the University’s commitment to academic freedom?

WALDO: I understand that an increase in network activity monitoring could make members of the University community nervous that we’re monitoring what they are actually writing or saying. We don’t do that. People should understand that this is monitoring at a fairly high level, and that we are in compliance with University policies and protocols. We’re looking at network traffic and access patterns. For example, did the same person log in to a Harvard account from Cambridge and then from overseas a few minutes later?

HAMER: As Jim said, everything that we do is strictly guided by University policies, such as the Policy on Access to Electronic Information (AEI). Additionally, we are working with several faculty and senior-level administrative committees, sharing with them the tools we’re using and how we go about our work. We want to ensure we are not only in compliance with University policy, but that we address any concerns about the free exchange of information at the University.

GAZETTE: What do you recommend members of the Harvard community do to improve our security?

WALDO: It’s important to note that information security is something we do together as a community. It isn’t just the information security team’s responsibility. When people are trying to penetrate the network, they are looking for the weakest place they can find. It’s really the whole community that needs to work on this together.

HAMER: One of the most important things you can do is use two-step verification. We strongly recommended that you activate two-step on all of your accounts — Google, Apple, Facebook, Twitter, and any online financial accounts you have that support it. HarvardKey will also provide two-step verification for the Harvard systems and applications. This is one very effective way to protect your information.

Beyond that, there are four simple things you can do to reduce the risk [that] you’ll be a successful target of a cyberattack.

First, click wisely. Click only links and files in emails that are expected — and only from people you trust. It’s pretty straightforward, but it’s amazing how common and how well done phishing campaigns can be. If you are not sure if an email is legitimate, contact your IT help desk.

Second, use strong passwords. This is an important front-line defense against hackers. Remembering a strong password isn’t always easy. Tools such as password managers can help with that. You can learn more about password managers at security.harvard.edu.

Third, apply updates. Any time you can, set your software to auto-update. A common hacker strategy is to wait for a software patch to be announced, then target computers of people who haven’t updated their software.

Finally, know your data. Follow Harvard’s information security policy to secure sensitive data. And if you don’t need it, delete it. If you want help or have questions about any of these things, you can get help at security.harvard.edu.

GAZETTE: Even by taking these added security measures, can we ever be fully secure online?

HAMER: Think of it like driving a car. There are risks to driving, but we all do it. There are a few specific things that we do to make it a lot safer. We wear seat belts and make sure not to drive if the vehicle isn’t in good repair. It’s the same thing with the Internet. A few simple actions can make you a lot safer when you’re online. If you follow the four steps I mentioned before, you’ll have greatly reduced your risk as an individual and as a member of the Harvard community.