It is exam time and students across a university are using the Virtual Learning Environment to help with their revision. Suddenly the page they are on stops responding. They try refreshing it. The page still won’t load. They visit another web page – that doesn’t load either. The institution has just suffered a complete network outage thanks to a Distributed Denial of Service (DDoS) attack targeted at disrupting teaching and learning.
Higher education regularly experiences these kinds of scenarios. In 2018, 173 different higher education providers engaged with the Computer Security Incident Response Team at JISC (the UK’s expert body for digital technology and digital resources in higher education, further education and research), a 12 percent increase on the previous year. Distributed Denial of Service attacks targeting higher education institutions are on the rise, and successful breaches make headline news (as experienced by the University of Edinburgh last year).
Hackers gained access to all the institutions they tested within 2 hours
JISC’s latest report, published in April 2019, showed that when using spear phishing as part of its penetration testing service, JISC had a 100 per cent track record of gaining access to a higher education institution’s high value data within two hours. JISC’s Janet Network Security Operations Centre handles more than 6,000 incidents or queries per year.
Organisations that do not adequately protect themselves risk the loss or exposure not only of personal student and staff data but also of commercial, institutional and research data and other intellectual property that is valuable to cyber criminals operating internationally.
Can Your Institution or Business Answer these Questions?
It’s clear that protecting networks and data should be a high priority for all business leaders. But do Higher Education institutions’ leaders fully understand the scale of the risk? In order to assess the risks they face and to benchmark their position on security, these ten questions need to be addressed:
- Where is data stored?
- Who has access?
- Are systems patched and up to date?
- Are there regular vulnerability scans as part of a vulnerability management process?
- Are users trained in security awareness?
- Is there an incident response plan in place?
- Do users understand who should be contacted when guidance or help is needed?
- Are monitoring and mitigation systems in place?
- Are they addressing the ‘right’ kinds of risk?
- Is the network provider mitigating Denial of Service attacks which could bring down the network?
The Biggest Enemy – Complacency
High-profile data breaches and cyber-attacks make headlines, but the barrage of such news may, counter-intuitively, lead to complacency. It becomes almost background ‘noise’. Higher education institutions should consider the value of their data and their students’ data. How damaging could it be to an institution if it were to suffer an information breach?
Major data breaches in 2018 may have been on a bigger scale – the Marriott Hotels leak of 500 million customer records, MyFitnessPal (150 million records), Quora (100 million user accounts), MyHeritage (over 90 million accounts) and Facebook (up to 90 million accounts) all made headlines for their sheer size – but the potential loss of cutting-edge research, the bad publicity and the financial penalties make cyber security crucial for universities, as for all businesses.
Universities safeguard incredibly valuable and commercially-sensitive research data, of interest to organised criminals and some less than scrupulous nation-states.
State-sponsored Threats as well as Criminal Extortion Activity
There were two such large-scale incidents that affected higher education institutions in 2018. Iranian hackers affiliated to a criminal organisation called the Mabna Institute, with the alleged tacit backing of the government, targeted UK universities via the ‘Silent Librarian’ campaign. In addition, the ‘Stolen Pencil’ campaign, from a shadowy North Korean group, specifically targeted individual academics with emails designed to trick them into downloading a malicious extension to the Google Chrome web browser.
During 2018, phishing attacks became more sophisticated in their attempts to target the education sector, employing greater contextualisation and personalisation.
For example, around the beginning of term times, there has been an increase in student grant fraud. This is where students are sent phishing emails purporting to offer free grants or requesting that bank details are updated so student loans can be paid.
‘Spear phishing’ attacks, where specific individuals are targeted with requests for information, have also become increasingly common. One example is ‘CEO fraud’, where criminals impersonating senior members of staff send urgent transfer requests via email to finance departments in an attempt to trick them into transferring funds into the fraudster’s bank account. JISC’s own Chief Executive and Finance Department have been targeted in this way.
It’s not only in Higher Education where the risk is great.
According to a BBC News report, hackers used ransomware to encrypt files at a secondary school in March, causing it to lose some students’ GCSE coursework, after a member of staff mistakenly opened an email containing a virus. The email claimed to be from a colleague at another Dorset school and infected the computer network.
Coursework from one subject submitted by Year 11 students, which was saved on the school’s system, was lost.
Schools, Universities and Hospitals Particularly at Risk
Unfortunately, schools and other public institutions, such as hospitals, have become regular victims because hackers think they will be less likely to be following good cyber security practices, often because of budgetary constraints.
Falling victim can be hugely damaging to reputation, and a school which has lost GCSE coursework as a result of an attack will cause emotional, as well as financial, damage for pupils and their parents. School leaders were urged by the government to take action after a “significant increase” in cyber-attacks on academy trusts was recorded.
The school in Dorset said at the time of the report that specialists were working to try and rectify the issue, which also meant Year 9 and 10 reports were delayed.
A team of specialists carried out tests on cyber security in the education sector and took an average of four hours to take over a school’s IT network. What would happen if a well-meaning administrator or other member of staff accidentally emailed a sensitive file to a mailing list rather than an individual because they had not been trained on safe and secure methods of data handling? What if there were no vulnerability management policy in place, so that a security weakness on the institution’s website went undetected, allowing access to the network by a criminal who could then siphon off commercially sensitive research data?