This blog post aims to provide an overview of cyber security in universities and other higher education organisations. Security has been a challenge for a long time at schools, colleges and universities. Aligning ourselves with the glass-half-full attitude, these organisations and institutions have shown good progress with basic security controls.
Information security is a prerequisite for various business dealings in the public sector, grant funding and procurement processes. GDPR has further pushed the boundaries of ensuring the security and privacy of data. Given the type of jobs we do, it is imperative to cite facts with sources to find weaknesses.
This information is based on our experience, understanding, knowledge and expertise in the education sector.
What interests attackers to universities?
The following types of data are of most interest to attackers:
- Databases containing thousands of records on personal and financial information
- Research and intellectual property (IP)
- Emails and contact data
Sensitive research is targeted for obvious reasons; its value for future or defence purposes.
A successful Business email compromise (BEC) attack led one American university to lose $1.9 million. This payment was made in response to an invoice from an attacker posing as a construction contractor company. FBI reported $3.5billion in losses in 2019 alone.
Threat actors targeting Universities
Universities are not just opportunity providers for graduates and careers; they are a great source of research and innovation for the economy. Given the thousands of students who are active citizens and youth, the responsible country responsible for making is highly sought by multiple entities.
Based on the research and data breach investigations, threat actors targeting universities are mainly organised, crime groups and state-sponsored actors.
Universities are targeted by cybercrime in two ways:
1. Targeted attacks
These attacks utilise social engineering techniques such as phishing, vishing (voice-based), smishing (text-based) and active attacks on infrastructure. Utilising compromised email accounts has led to increased cyber-attacks within an institution due to the already established trust. This allows further infiltration into the university networks and systems, allowing more accessible routes toward sensitive data. Another technique often used in phishing campaigns is spoofed emails that could lead to harvesting sensitive information or even the transfer of funds in some instances. Criminals target universities to steal information that can be further sold or used to commit frauds or monetise in an alternative manner.
2. Untargeted attacks
Untargeted attacks involve users being part of a more extensive campaign, such as ransomware targeting wider audiences. Ransomware targets vulnerable systems by exploiting specific weaknesses and encrypting user data until a ransom is paid. Ransomware in modern days is more advanced where the victim contacts are also contacted for ransomware or used as a launchpad to conduct further ransomware attacks.
In 2020, responses to an FOI request revealed that out of all the responders (105), 33% admitted to ransomware attacks in the past and 45% refused to answer.
The financial goal isn’t the only goal in cyber attacks. State-sponsored actors target higher education institutions to target data for strategic gains such as innovation or research-related data. State-sponsored espionage is considered long-term damage due to losing the competitive edge in research and topics of national interest.
Compared to traditional methods, cyber is considered a faster, reliable and more accessible route towards gaining access to valuable data held by universities. This highlights the importance of user education, secure hardening baselines and cyber security culture change throughout the university environment.
In this report, a phishing campaign was uncovered where attackers masqueraded as university staff to gain victims’ trust that would help open attachments(executing malicious files). Although the conversation took place on LinkedIn, the initial conversation is often the ground to gain trust and then move channels by sending a test email or a related way to perform malicious actions via email account.
Top threats affecting universities
JISC, a not-for-profit organisation, survey in the education and research sector highlighted improved cyber security measures. Phishing, ransomware/malware and unpatched security vulnerabilities remain the top three threats impacting the sector.
Phishing attacks are a popular form of attack vector, adding to the success of cybercriminals. This includes Business email compromise (BEC) attacks, spear-phishing attacks, and voice and text-based attacks. The economics of phishing attacks make it a cost-effective and highly successful vector for criminals.
Phishing campaigns are set up with automated methods and sent to hundreds of recipients. It’s easy to enumerate information from university websites, student groups and social media-based publicly accessible pages. This list is then used to enumerate more information about targets and fed to phishing campaigns.
Where the targeted approach is required, attackers first establish a credible context needed to convince the recipients. Once it convinces the victim, then after establishing initial trust, it asks the victim to act quicker, mainly working on the urgency, sympathy or causing fear and doubt.
Attacks find it lucrative to harvest credentials and steal financial or personal information for immediate monetary gains because sensitive information is further traded in underground markets. In specific scenarios, this attack chain can also be used to spread malware across university networks.
Malware is the silent killer as it does not have any characteristics that alert users immediately. It is designed to stay in the victim’s system for the long term providing access or required information back to the attacker-controlled systems.
Ransomware is a more targeted approach that aims to compromise systems after phishing or exploiting security vulnerabilities and then encrypting the data. To get back access to your data, the ransom attacker asks for payment. A unique key (known as a decryption key) is provided to release the data after the ransom is paid.
When a person’s email address is hacked, the hackers will likely use it to send more ransom links to other addresses in a person’s contact list. We have covered a detailed topic around malware/ransomware protections and removals.
Insider threats are threats that originate from the inside. These can be caused by current or former employees who have the credentials to assets that hold sensitive data related to the business and its employees. Insider threats are of three types: unintentional (someone who unintentionally puts networks under fire), negligent (someone who ignored or did not put the education and training into use) and problematic (someone intended to cause harm) insiders.
Based on one survey report by Infoblox, 48% of all participants believed insider threats are the biggest threat to their organisations across the education sector. This is due to the lack of restrictive measures within cyber security in universities and other educational organisations.
Defending against attacks
Protecting what you have
Your employees could be your strongest or weakest link in cybersecurity. It all depends upon your cybersecurity strategy. Ensure that regular user education and training are delivered through different channels to ensure a baseline of knowledge. Ensure that staff do not browse the internet or download any content from servers, or use their administrative privileges on assets not meant for browsing. This will reduce the impact of attacks in case of credential theft.
Cyber security testing
A proactive cyber security approach demands security testing to input risks based on likelihood and impact into the internal vulnerability management process. This assures customers and supply chains that the organisation assesses and mitigates cyber risk.
Multiple tactics, techniques and procedures (TTP) are used during testing to check the effectiveness of an organisation’s defensive controls. Security assessment and testing aim to identify include techniques to identify weaknesses that, when addressed, help develop and maintain the cyber readiness of an organisation.
Maintaining PCI DSS compliance by education providers adds confidence and positive culture across IT and security teams. Loss of compliance can have repercussions. PCI penetration testing assessments are performed to identify vulnerabilities and assess network segmentation controls and weaknesses around the security controls in action. This validation exercise helps organisations plug gaps and improve security measures in line with the PCI DSS compliance and its 12 requirements.
Data privacy needs no introduction in this day and age. With DPA (Data Protection Act), GDPR, CCPA and many more privacy regulations – data privacy is a critical element for most businesses and organisations. Educational organisations or institutions must adhere to data privacy regulations and protect personal information from cyber-attacks.
Our data privacy assessments are functional and technical, offering you the broad scope of how information is gathered, processed, stored and transmitted.
Protecting what you know
Penetration testing is a security assurance aimed at finding and safely exploiting security vulnerabilities in a company’s internal and external networks, applications or systems. By utilising penetration testing services to identify security vulnerabilities, businesses can determine the extent to which their assets (people, processes and technology) are exploitable and take the necessary steps to reduce the risk.
This type of security testing, also known as ethical hacking or VAPT, is more about the focused approach to identify and demonstrate exploitation as an attacker would do in real-world situations.
The most common security vulnerabilities linked with a penetration test assessment are:
- Secure hardening issues
- Encryption misconfiguration
- Insecure patch management
- Active directory security flaws
- Insecure logging and monitoring controls
- Password cracking based analysis
- Authentication vulnerabilities
- Sensitive information storage practices
- Programming errors
- OWASP top 10 application risks
- OWASP top 10 API flaws
Measure your attack surface
Due to ever-expanding attack surfaces, it is essential to watch whether external footprints are shrinking or expanding. Digital attack surface assessment provides a snapshot of security risks that threat actors could exploit.
It helps businesses identify high-risk areas and blind spots, including streamlining the security team’s efforts and lowering the risks of data breaches.
Continuous security validation
In-house security teams have to prioritise their efforts due to constant pressures of Business As Usual (BAU) security requirements, internal process monitoring, day to day tasks and other responsibilities. It is a genuine challenge that has forced most organisations to rely on specialist security partner services that remotely provide continuous security validation exercises.
The sourcing of managed security services provides a constant update on the infrastructure’s threats, whether internal, external networks or applications. It is different from a vulnerability assessment exercise, usually an ad-hoc exercise.
Demonstrating your protections
IT security compliance
IT Security Compliance is more than just a stamp. Several business benefits of successful compliance include avoiding fines and penalties, demonstrating cyber security commitment to your partners and supply chain and protecting your business reputation while enhancing data management abilities.
GDPR and ISO 27001 assessments are part of our offerings that help businesses achieve certifications to demonstrate security and privacy compliance.
The Cyber Essentials scheme is a certification scheme to help businesses demonstrate cyber hygiene to customers and stakeholders. This scheme covers security control areas that, when implemented, would help prevent the most common cyber attacks.
Universities will continue to add research and generate intellectual property in the future. It makes these constant institutions targets for various types of cyberattacks.
Methods like spear-phishing and other social engineering-based techniques will evolve with time, though they remain the top attack vectors. The improvements in technology and processes may force attackers to improve their practices.
Cyber security is an ongoing fight against cybercrime and other threat actors, and universities must assess, analyse and mitigate the security risks on an ongoing basis.
Get in touch to discuss your primary security concerns.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.