A network for greater security
Ensuring IT security through networking and the exchange of information – the HITS-IS team supports Bavarian universities in their IT and information security measures and relies on the experience and technology of the LRZ.
There have been six security incidents at Bavarian universities in two years. IT systems were shut down, ransomware was fed into networks to extort money, and attempts were made to obtain or destroy research data. "We were lucky that there wasn't a lot of damage," says Christian Fötinger, head of the Hochschulübergreifenden IT-Servicecenter für Informationssicherheit (German acronym: HITS-IS) at the Augsburg University of Applied Sciences. "Universities are increasingly being targeted by hackers because they have interesting data." This is why some 30 universities in Bavaria are currently expanding their IT security measures. The HITS-IS team is fostering this development, offering advice and support, developing IT services and, above all, coordinating joint action: the Digital Network of the Bavarian Universities and the sharing of experiences helps to strengthen IT security.
Preparing for the emergency
In the spring of 2022, the University of Augsburg, the Augsburg University of Applied Sciences and the Leibniz Supercomputing Centre (LRZ) launched the Service Centre, which for the first two years will be funded to the tune of 400,000 euros by the Bavarian State Ministry for the Sciences and Arts (StMWK). Six of the planned eight security experts in Augsburg and at the LRZ are already working on IT services such as vulnerability scans to find weak points in systems and networks, corresponding warnings and advices on how to eliminate these weak points, as well as emergency plans and backup strategies. In addition, they are also working on emergency plans and backup strategies: "For HITS-IS actual I travel a lot and meet with university information security officers, I take part in discussions regarding IT protection measures or I learn about them at conferences," says Daniel Weber, a computer scientist who works for the Service Centre at the LRZ.
In addition to vulnerability analysis, multi-factor authentication is also on the agenda of the HITS-IS. "The universities are technically well prepared," observes Fötinger. "What's missing is a broader spectrum; after all, it's not just about defending against attacks, but also about documenting strategies and incidents." The HITS-IS focuses particularly on prevention and encourages universities to anticipate potential incidents, plan countermeasures and document everything for the benefit of all parties involved.
Building and using knowledge together
The experience gained by the LRZ in setting up its Information Security Management System (ISMS) and in using this documentation tool is therefore in demand at the meetings of the IT security officers. "If an emergency has already been simulated and the processes that have been developed have been documented, everyone knows what needs to be done," says Weber. "And even if IT systems do fail, the LRZ provides the services to at least get communication working again fast."
While companies set up their own security departments to defend against attacks, IT managers at Bavarian universities can delegate IT tasks to the HITS-IS. The LRZ and the both Augsburg universities have already developed technologies that check IT systems. If these are used by a large number of organisations, the knowledge about possible security incidents automatically grows with the database and solutions can be developed together. In addition to providing practical support and training, the HITS IS is planning to conduct joint studies on topics such as managed firewalls, automation, and security technologies: "This way we collect even more information that we can use collectively" says Fötinger. (vs/ssc)