As universities and colleges across the UK return for a new academic year, the National Cyber Security Centre (NCSC) has warned IT security teams to be on their guard against cyber-attacks, particularly ransomware.
There is a very good reason for this. The last few months have seen several major UK universities hit by cyber-attacks, including ransomware. Some of these attacks have been devastating in their impact and recovery time. Elsewhere, UK universities in the race to find a vaccine for COVID-19 have found themselves the target of hostile state hackers.
Universities are a tempting target for adversaries, ranging from nation-state threat actors in search of intellectual property to common cyber thieves looking to make some easy money.
Security challenges facing universities
The very features that help universities to collaborate and thrive, such as open, information-rich websites, ubiquitous connectivity and collaborative platforms for students and staff, also leave them particularly exposed to cyber-threats.
Add to this the impact of the pandemic, which saw millions of students and staff migrate to remote learning in the space of a few weeks. Laptops and other devices will have been bought and configured in a rush; cloud services rapidly scaled up; and security will have come second to the sheer urgency of getting stuff up and running.
Many of these platforms remain in place for the new academic year. It’s no surprise the NCSC worries that the cyber-vultures are gathering. Attackers are quick to exploit any gaps in defences, whether they are technical or human. Where are these gaps most likely to be found in universities and what does that mean for the IT security teams trying to defend the network and data?
The security risks – from tech to people
At any university, thousands of people are likely to be using personal, often unsecured or unpatched devices such as laptops and smartphones to connect to university networks, either directly or via VPN, and using them to access and store university data.
Among them will be countless students with limited security training and awareness, easy prey for attackers looking to exploit human inexperience through social engineering tactics.
There will also be university staff, some with access to strategic, confidential or sensitive research, whose contact details and research interests are easy to find on the university website, providing malicious actors with everything they need to craft a highly tailored phishing attack.
All it takes is one small crack: one key security feature turned off, one undetected open port, one insecure password, one malware-infected personal device or removable media, one unwary click on a malicious link or convincing phishing email and the attackers are through.
Most security incidents are the result of unintentional error, but not all. Academic institutions can also be subject to malicious, or merely mischievous, insider attacks from disgruntled students or staff, for example. For defenders this means that data needs to be protected not just from outsiders at the perimeter, but everywhere inside the network too.
Revisit and strengthen defences
Sophos recommends that as soon as practicably possible, university IT teams or their outsourced partners review the configuration and software update status of infrastructure and devices put in place at the start of lockdown – and correct anything that they missed before.
Then focus on implementing best security practice for the new learning landscape. Here’s a short checklist that might help:
- Have an intelligent, layered security solution in place: ideally one that combines proactive and reactive protection and detection capabilities, whose components share information with each other to give your team visibility into the security posture of the network at any time, and which responds to threats automatically rather than handing the IT security team a mountain of event logs to wade through
- Ensure that all data travelling from server to server across the network (east-west traffic) is protected, not just the traffic crossing the perimeter, so that one compromised server cannot quietly read or reach everything else
- Patch early. Patch often
- Remember that responsibility for the security of data and infrastructure in the cloud is shared between the provider and the university: treat anything in the cloud as if it were in the room next to you
- Have robust access controls for anyone connecting to the network, and apply the principle of least privilege so that stolen credentials cannot be used to move around the network
- Consider working towards a ‘zero-trust’ model. The principle of zero trust is exactly what it says: nothing is assumed, every access, transaction or device is required to validate itself, upon every interaction
- Educate staff and students on how they can keep themselves and the data they hold secure. This should include phishing simulation tests, so that they learn what a phishing email looks like before a real one arrives
- Test your defences regularly
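The least-privilege and zero-trust items above share one mechanism: every request is evaluated on its own merits, nothing is granted by default, and a credential on its own is not enough. The following is an added illustration, not code from Sophos, the NCSC or any university: a deny-by-default access decision that checks role grants, device posture and MFA on each request and binds a session to the device it was issued to, so that a stolen session token replayed from an attacker's machine is refused. The roles, resources, hosts and users are constructed for the example; in a real deployment the "managed device" flag would come from device management or attestation rather than from the request itself.

```python
"""Added example: per-request, deny-by-default access decision.
All roles, resources, users and device IDs below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role grants: role -> {(resource, action), ...}.
# Anything not listed is denied; there is no implicit "any" grant.
GRANTS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "student": frozenset({("vle", "read"), ("library", "read")}),
    "researcher": frozenset({("vle", "read"), ("lab-share", "read"),
                             ("lab-share", "write")}),
    "server-admin": frozenset({("vle", "admin"), ("lab-share", "admin")}),
}

# Resources that demand a managed device and MFA on every request.
SENSITIVE: Set[str] = {"lab-share", "hr-db"}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    principal: Principal
    resource: str
    action: str
    device_id: str          # device making this request
    device_managed: bool    # assumed to come from MDM/attestation in practice
    mfa_verified: bool
    session_device_id: str  # device the session token was issued to


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Evaluated afresh for every request."""
    # A session is bound to one device: a token lifted from a laptop and
    # replayed elsewhere fails before any role is even considered.
    if req.session_device_id != req.device_id:
        return False, "session bound to a different device (replayed credential?)"
    if req.resource in SENSITIVE:
        if not req.device_managed:
            return False, f"{req.resource} requires a managed device"
        if not req.mfa_verified:
            return False, f"{req.resource} requires MFA"
    # Least privilege: only an explicit (resource, action) grant allows.
    for role in sorted(req.principal.roles):
        if (req.resource, req.action) in GRANTS.get(role, frozenset()):
            return True, f"granted via role {role}"
    return False, f"no role grants {req.action} on {req.resource}"


def evaluate_all(reqs: List[Request]) -> List[Tuple[str, str, str, bool, str]]:
    """Audit-style view: (user, resource, action, allowed, reason) per request."""
    return [(r.principal.user, r.resource, r.action, *decide(r)) for r in reqs]


# Constructed sample traffic.
ALICE = Principal("alice", frozenset({"researcher"}))
BOB = Principal("bob", frozenset({"student"}))

SAMPLE_REQUESTS: List[Request] = [
    # Researcher on a managed laptop with MFA, session issued to that laptop.
    Request(ALICE, "lab-share", "write", "lt-0421", True, True, "lt-0421"),
    # Same user from a personal, unmanaged laptop: sensitive share refused.
    Request(ALICE, "lab-share", "read", "personal-mac", False, True, "personal-mac"),
    # Alice's session token stolen and replayed from an attacker's machine.
    Request(ALICE, "lab-share", "read", "attacker-vm", True, True, "lt-0421"),
    # Student attempting to administer the VLE: no grant for that action.
    Request(BOB, "vle", "admin", "lt-0900", True, True, "lt-0900"),
    # Student reading the VLE from a phone: not sensitive, explicitly granted.
    Request(BOB, "vle", "read", "phone-77", False, False, "phone-77"),
]

if __name__ == "__main__":
    for user, resource, action, allowed, reason in evaluate_all(SAMPLE_REQUESTS):
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {user:6} {action:5} {resource:10} {reason}")
```

The order of the checks matters: session binding and device posture are tested before role lookup, so a valid username, password and role still yield a denial when the request arrives from the wrong device or without MFA, which is exactly the lateral-movement path stolen credentials usually take.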
The targeting of the education sector, its students and its staff by cyber-attackers is reprehensible at the best of times; exploiting the impact of the pandemic for criminal advantage is even more inexcusable. Fortunately, there are practical things that IT security teams can do to strengthen or recover their defences, and many organisations able and willing to help. The important thing is to do it now.