RU Secure?

By Erin Delmore

While an unidentified hacker didn’t steal any data or valuable information in the Rutgers University breach last spring, the University is shelling out to keep it from happening again.

According to an Open Public Records Request, the university is investing two to three million dollars to detect and prevent future threats.

“Cyber is the 21st century threat and in many ways it is becoming more prevalent everyday and what we tell universities or the public and private sectors all the time is that they need to begin to develop security mechanisms to protect their systems,” said Chris Rodriguez, Director of the Office of Homeland Security and Preparedness.

In May, Governor Christie established the New Jersey Cybersecurity and Communications Integration Cell, headed by Rodriguez.

“When the series of Rutgers attacks happened over the course of this year, NJCCIC was on the scene with Rutgers. We communicated with them immediately and linked them with federal authorities including the FBI and the Federal Department of Homeland Security to ensure that they were getting all the federal resources that they needed to understand what happened and to develop strategies to protect the university in the future,” he said.

A Rutgers University spokesperson told us in a statement that Fishnet, the cybersecurity firm hired last year, is “evaluating and developing security practices” to safeguard sensitive data. The two companies hired earlier this year, Level 3 and Imperva, are charged with implementing “enhanced Internet services and protection” and installing “specialized filters to combat distributed denial of service attacks” — like the one that took down the class registration system last spring.

“First of all I think it’s about time that Rutgers and other universities start to address this issue. To a great extent, most organizations haven’t put in the infrastructure they need to put in before the event, before something happens, and now they’re doing it as the barn has opened and all the horses have left. I think it’s important they do it for future problems, which they will have, there’s no question about it — we live in a 24/7 world today and they, as well as everyone else, will have other issues in the cyber arena,” said Richard Torrenzano, Chairman and Chief Executive for Torrenzano Group.

While analysts say that businesses in the tech and financial sectors are on the cutting-edge of prevention, this is new ground for universities. All it takes is one student or employee with the password “password” to let a hacker in.

Rodriguez and NJTV News Correspondent Erin Delmore spoke with NJTV News Anchor Mary Alice Williams further about security breaches and what can be done to prevent them.

Rodriguez says that what happened in the Rutgers case was a “distributed denial of service attack which means not necessarily crashing, but making it very difficult to utilize some of the university’s systems. This is compared to other, different types of attacks — whether it’s actually going into a system and exfoliating data or taking down a system completely.”

Delmore says that Rutgers constantly monitors their networks and web services for malware, phishing schemes and viruses. However, she says that what’s new is the amount of money that this is costing. “They [Rutgers] has hired three firms. The first was hired last fall and the other two earlier this spring, and that cost is coming to between two and three million dollars this year,” she said. “This is likely to become a permanent part of the university’s $3 billion budget, and with state funding for the university falling that’s being translated into a tuition rise for students at about 2.3 percent this year.”

Rodriguez says that they’re also watching other major research institutions like NJIT and Stevens. “We’re partnering with those universities — that the vital data that they have on students and faculty is protected. What we often say in cybersecurity is that this is the new normal, that malicious cyber actors are out there and they are looking to get data either for economic gain, or to hold some of these systems ransom and force people to actually pay money for their data,” he said.

He also says that the first step is building up barriers so that the hacker can’t get in.

“When we talk about cybersecurity, the hacker always has the advantage,” he said. “So one of the things that we need to do is raise the barriers to entry for the attacker, and that includes putting firewalls on your systems, upgrading your systems and employing best practices in cyber space. We’re talking about changing passwords every 30 days, employing two factor authentication in your systems and also constantly monitoring them for any kind of malicious activity.”