“Research data are a worthwhile target for hacking”
The Hochschulübergreifende IT-Services (HITS), a working group for inter-university services,
will be present itsself at it-sa 2024, a trade fair and conference on IT security in Nuremberg/Bavaria.
Measurement data, evaluations, calculations, the optimisation of existing technologies or software: science and research produce data that is also attractive and lucrative for companies and organisations abroad. For some years now, the IT systems of universities and research institutions have been the target of hackers and other attacks. The 40 or so universities and colleges in Bavaria have recognised the risks, are taking joint action against them and are now planning joint protective measures. Under the umbrella of the Digitalverbund Bayern (DVB), the Hochschulübergreifende IT Services (HITS), an inter university workinggroup for services, have been set up and now employ around 15 specialists: "Although we are a central point of contact for IT security, legal and procurement experts, we work decentrally from five different locations in Augsburg, Garching, Munich and Würzburg," says Thomas Schkoda, Head of HITS Information Security (HITS IS), summarising the special features of the working groups. The HITS is organised into the key areas of HITS Procurement, HITS IT Law and HITS IS. The latter is the largest unit, with ten staff, most of whom are based at the Leibniz Supercomputing Centre (LRZ), which also provides inter-university IT services and the necessary infrastructure such as networks and servers. The HITS," as the Digitalverbund Bayern describes its tasks and organisation, "combine standardised tasks and provide services. The universities decide independently on the use of IT services. The HITS can be more cooperative or more functional, and the tasks to be performed can be both operational and conceptual in nature. Schkoda is the head of HITS IS, while his colleague, computer scientist Daniel Weber, is responsible for the technical IT services of HITS IS. Both will be presenting HITS from 22 October at the IT security trade fair it-sa in Nuremberg and here in an interview with the LRZ.
What is special about the Inter-University IT Services or HITS? Thomas Schkoda: Although we are a central point of contact for IT security, legal and procurement experts, we operate decentrally from five different locations in Augsburg, Garching, Munich and Würzburg. The HITS are organised according to key tasks: HITS IS deals with information and IT security, while HITS Procurement procures the necessary hardware, software and services centrally, enabling smaller universities and institutes in particular to benefit from economies of scale. HITS IT Law, on the other hand, is a staff unit that deals with issues relating to IT law and data protection. Daniel Weber: HITS is also characterised by the fact that we offer centrally coordinated services that our customers, i.e. the universities and research institutes, request as required.
You are presenting HITS at the it-sa security trade fair in Nuremberg - why? Schkoda: We want to share our experience of IT security strategies and measures in the university sector with other institutions. The HITS construct could be of interest to administrations or other organisations that work in a decentralised way like us. We are mainly organised virtually and implement strategies and measures at universities scattered all over Bavaria. We are also presenting ourselves as an employer at it-sa in Nuremberg: we need reinforcements, and HITS IS is currently looking for consultants for security technology, information security management systems and training courses, for example.
Do students get a chance to work with you, do you work with assistants at HITS IS? Daniel Weber: At the moment we are mainly looking for graduates and specialists, but we also rely on student assistants. A computer science student from the Technical University of Munich specialising in IT security will be joining us soon, and we are also looking for someone interested in network security.
The three HITS have been part of the Digitalverbund Bayern since 2023. What has changed for you? Schkoda: The Digitalverbund Bayern supports us with administrative tasks and also organises regular exchanges between the three HITS and the universities - that's a great help.
Weber: The DVB also ensures a uniform image and promotes synergies. For example, we recently standardised the mailboxes and the HITS can now be reached at it-recht@ or it-beschaffung@ or even informationssicherheit@digitalverbund.bayern.
At HITS IS you deal with IT and information security - to what extent are universities and research institutes affected by hacking? Weber: The KonBriefing.com website registers security incidents at universities and research institutions worldwide and in Germany. Their increase is well documented there. Fortunately, the Bavarian universities have not been so badly affected so far, so we have the opportunity to prepare ourselves and plan incident response measures. Schkoda: Research data is valuable and useful. The situation reports of the Bundeskriminalamt or Federal Criminal Police Office of the last two years also confirm the increase in cyber attacks and security incidents at research institutions.
When we think of cyber security, we all immediately think of criminals or malware, i.e. attacks from the outside, but aren't users also putting data and information security at risk through application errors? Schkoda: In fact, careless handling of data is also a major issue for us. It is stored on freely accessible storage services, which in turn makes data theft much easier. The awareness that research data is a valuable target for hackers and other attackers has yet to develop in many areas. We are working on this through training and events.
What services do you offer Bavarian universities and research institutes to improve IT security? Schkoda: We have now built up a broad portfolio of organisational and technical services. We develop concepts for setting up management systems for information security or for training employees, and we also advise research institutions on these topics. Weber: Vulnerability scans are one of the technical services that most universities have booked. We analyse an institution's publicly accessible networks for possible points of attack or take a closer look at individual vulnerabilities so that countermeasures can be planned and communicated. In the future, we also plan to offer threat watch reports that provide information on new or research-relevant attack techniques and highlight effective protective measures. Finally, we are planning practical measures for incident response, for which we are currently establishing emergency infrastructures. For example, if a university loses access to its Exchange or mail server, or even its website, as a result of an attack, we will quickly provide it with a replacement or a basic communication infrastructure to maintain operations and keep users informed of the status of the work.
How do you work with universities? Schkoda: At the moment, we meet - virtually or in person - with the information security officers or IT managers of universities and research institutions, as well as with the management of university computer centres, and present our services; those who use our services are activated for the services they have booked, can participate in regular online meetings, or discuss with us what we could improve and change. It's a straightforward, simple but efficient way of working together. Weber: In practice, group meetings where representatives from several institutions and universities discuss IT security, possible measures or new services with us alternate with meetings with individual IT managers.
Where can and should researchers and students become active themselves and do more to ensure the security of their data? Weber: They should inform themselves about the risks and causes of data loss, familiarise themselves with their email client, sort out spam and be suspicious of the content of emails. Emails are a favourite weak point in systems for hackers because they can be successfully exploited. Users should also protect their credentials very well to avoid appearing on the list of compromised credentials - these credentials are also gateways that hackers either use for themselves or sell on. Schkoda: Identifiers should be protected by strong passwords, different passwords should be used for different IT services and multi-factor authentication should be activated. For this, there is the BayernMFA project, with which we are working closely.
You are presenting HITS and its services at it-sa. What do you expect from the IT security exhibition? Schkoda: Well, I hope that we can find one or two candidates for the HITS IS and arouse interest in IT and information security, not only at universities. Weber: I've made appointments with old and new contacts, and we've also scheduled a few meetings with security software vendors to discuss features and new functionality, or what we can improve.
And what are your goals for HITS IS? Schkoda: Satisfied customers is the most important goal, so that we can convince as many universities and research institutions as possible of our work, of HITS and HITS IS, and that we can develop new services with them. Weber: My goal is to develop as many practical solutions to security problems in a network as possible, from which all participants can benefit and from which we can learn. With each new attack pattern, we gain experience, learn and can ensure that further attacks are prevented by sharing knowledge, which we call Cyber Threat Intelligence, or CTI. (Interview: vs/LRZ)
Thomas Schkoda (left) and Daniel Weber from the HITS IS at Digitalverbund Bayern.