Anthony O’Mara, VP EMEA of Malwarebytes, highlights the cyber security issues universities are facing and what steps they can take to protect themselves from a cyber attack
Oxford, Warwick, and Greenwich Universities are among the many higher education institutions to have fallen victim to attacks in recent years, with hackers attempting to steal research data and documents. The problem has become acute enough to warrant the recent publication of cybersecurity guidance for universities and colleges by the UK Government’s National Cyber Security Centre (NCSC).
No organisation today is immune from the threat of cyber attacks. While we most often hear about breaches suffered by retailers, financial institutions and, since the infamous WannaCry ransomware attack in 2017, healthcare providers, many other types of organisations are becoming appealing targets for cybercriminals. In particular, our universities and institutes of higher learning have become prime targets for bad actors looking to exfiltrate the vast amounts of sensitive data and valuable research information they hold.
Universities have no choice but to take notice of what is now a very real threat, and ensure they have the necessary security measures in place to protect themselves against cyber criminals, especially given recent reports that white hats carrying out penetration tests on the online infrastructure of UK universities had a 100% success rate, with every test succeeding within two hours.
Under increasing attack
Universities hold vast amounts of data, and that is catnip to any cyber criminal. It’s estimated that nearly half a million data records are stolen every day – and, with the average ransom demand by a hacker to release files having almost doubled in 2019, the problem shows no signs of slowing down. A study of cyber security in higher education suggested that tens to hundreds of thousands of records are exfiltrated in each attack that takes place on an educational establishment.
It’s likely, therefore, that this volume of data is a major contributory factor to the findings of our report, State of Malware 2019, in which the education sector was found to be a target for every single threat category. It was the top industry impacted by Trojans, which incidentally were the top form of malware for 2018.
Essentially information stealers, Trojans are a variant of malware originally designed to target the banking industry. They are particularly devious, deceitfully worming their way into an organisation’s network to access and steal valuable ultra-sensitive data, which can then be sold on the black market. An attack of this kind can be devastating. In February, the ‘Emotet’ Trojan forced Columbia State Community College to shut down its entire network – and suspend classes – for two days.
Education took second place for ransomware in our study too, just behind the consulting sector. In two separate incidents in 2017, computer systems at both UCL and Ulster University were forced offline following ransomware attacks which left staff unable to access critical files.
What’s more, universities are coming under increasing threat from DDoS attacks. The University of Edinburgh’s online services were out of action for two hours in September 2018 after a massive DDoS attack flooded its servers with junk traffic. And in a somewhat bizarre incident in 2017, a botnet made up of more than 5,000 connected devices, including vending machines, overwhelmed the servers of a US university campus, bombarding them with repeated and frequent DNS queries, most of which were related to seafood, and crippling the campus network.
The growing number of connected devices exacerbates the problem. In another report on defending networks at higher learning institutions, it was suggested that each student on a campus represents an average of seven different IP addresses, significantly widening the potential attack surface.
It’s hardly surprising, then, that the same report found four in five IT professionals believed securing campus networks had become more challenging in the last two years, and it’s only becoming more challenging.
Security solutions and education
Unfortunately, the growing sophistication of malware, and the increasing number of potentially vulnerable endpoints, means that a suitably determined criminal will find a way of illegally accessing a university’s network. It’s critical, therefore, that IT security teams do as much as they can to protect their systems, and ensure they have a robust plan in place to deal with an attack if and when one occurs.
Given the complexity of networks today, and of the threats to their security, traditional anti-virus solutions are no longer enough. Instead, a layered approach to security, made up of a suite of different security solutions, is now the safest option. Some newer endpoint protection solutions can help remediate any damage, for example, and may contain a roll-back feature capable of restoring a compromised device to a pre-attack point in time, as well as regularly monitoring the latest threats to ensure the solution is up to date.
Training users is important, too. Staff and students should be educated on the general health of their technology, such as ensuring their software is kept patched and up to date, and taught how to identify malicious-looking emails to thwart attempts at phishing and social engineering. Interestingly, many universities also require you to install approved security software on your device as well as an app from the university to help protect the network. Indeed, an organisation’s users are widely regarded as its largest potential vulnerability – albeit largely unintentionally. Simply clicking on an innocent-looking link can lead to a full-blown data breach. And this training should be regular and ongoing. The threat landscape is constantly changing. Users need to be aware of these changes if they are to avoid them.
What’s more, it’s vital that cyber security is no longer considered just an IT issue, but is holistically approached throughout the organisation. The wide-ranging implications of an attack will affect every user. Responsible for the safety and wellbeing of the staff and students across its campus, a university’s Chancellor, Vice-Chancellor and Heads of Department must lead by example, and be seen to promote and practise a security-first approach. Incoming students should experience security training during their orientation, in addition to receiving notifications of any pertinent threats and instructions on how to protect against them on an ongoing basis, and all staff should be in compliance with campus security policies.
Criminals are continually developing new ways and means of stealing, exploiting, and holding to ransom the most prized and valuable asset of any organisation – its data. Universities are now viewed as soft targets due to their limited resources, finding themselves under constant attack. Protection is paramount. Adopting a layered approach to security and ensuring all users have adequate training should be mandatory. Understanding how attacks work in order to prepare for what to do when – not if – an attack takes place will help to minimise the damage such an attack could cause. The threat of cyber crime may be a hard lesson, but universities must pay attention.