The results of a report about IT risks during the pandemic found that of all the industries it surveyed, IT professionals working for educational organisations felt their institutions were at the greatest risk from cyber threats.
Almost nine out of 10 believed they might have security gaps as the result of the rapid move to remote working.
For many educational organisations, attempted hacks are a fact of life. Half said they had been the victim of phishing scams during Covid-19, although 75% said they detected attacks within minutes or hours.
Following a rise in attacks in August on universities, the UK’s National Cyber Security Centre released a warning suggesting steps institutions could take to “ensure y oung people are able to return to education undisrupted”.
The attacks the NCSC were seeing involved hackers encrypting data and demanding money to unlock it. But it’s not the only threat.
“Universities provide really rich pickings across quite a wide range of actors,” explained Andrew Hollister, head of LogRhythm Labs, an international cybersecurity company which specialises in protection against cyberthreats and breaches.
“They’re valuable for three reasons. One is they hold an enormous amount of personal data. Secondly, universities are open by their very nature.
“And finally, universities are heavily engaged in research. This make universities a target for both cyber criminals doing extortion, as well as state espionage,” he added.
“We’re in the middle of a pandemic. There have been a number of stories floating around about state actors trying to steal vaccine research.”
Blackbaud
One of the biggest hacking stories of 2020 centres around a company named Blackbaud. With its headquarters located in Charleston on the coast of South Carolina, Blackbaud provides cloud services to “social good” providers like NGOs, medical organisations and universities.
“On 16 July we were contacted by a third-party service provider, Blackbaud,” recalled a statement from the University of York.
“They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of York data.
“Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account details or passwords, was accessible.”
It wasn’t until September that the more than 20 universities and charities across the UK, US and Canada found out that wasn’t completely true. Some of Blackbaud’s customers did have their personal financial data compromised.
“The types of data that have been stolen in the Blackbaud attack include everything from name and address through to the courses that someone’s taken, the qualifications that they’ve attained,” said Hollister.
“With that wealth of data, an attacker can craft quite a believable and difficult to detect spear phishing e-mail.”
Unlike traditional phishing techniques of sending out masses of emails and hoping someone who will click a link, spear phishing targets a certain person or group of people.
“If we get an e-mail from a Nigerian prince offering us tens of thousands of pounds, we know it’s a scam”
“If we get an e-mail from a Nigerian prince offering us tens of thousands of pounds, we know it’s a scam,” Hollister said.
“But if I get an email that appears to be a reply or a forward of an earlier conversation, my defences are lower.”
This is where having data on the person comes in. It allows a hacker can build up a picture of an individual and tailor their attack.
“Someone’s much more likely to be deceived by this because you’re talking about things that the victim already has a relationship to,” he added.
Awareness
“We’re in the middle of National Cyber Security Awareness Month here in the US,” explained Tim Mackey, principal security strategist at Synopsys, a tech company with a particular interest in smart technology as well as security.
“Awareness campaigns are going out and certain directives that are potentially challenging for university environments. The most important was an advisory from the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) that effectively said do not pay the ransom due to the monies being used to fund future criminal activities.”
The US government has warned that anti-money laundering and sanctions regulations “may have implications for persons involved in facilitating ransomware payments”, suggesting it could be punishable.
“While true, I honestly don’t know if that’s productive advice or not,” Mackey admitted.
“Instead we should be focusing on reducing the total exposure to ransomware as opposed to simply paying the ransom after the fact. But unfortunately, the average person is probably rather susceptible, more so if they aren’t running anti-malware software or haven’t received training on how to detect cyber scams.”
For Mackey, the first thing he advises people is to be on the look out for unusual activity: strange email addresses, spelling mistakes, anything that feels off. Unusual activity by users, such as someone logging into systems they’ve never used before, are also warning signs.
While technology can play a role in keeping university systems safe however, educating staff and students on the safe use of cyber resources remains important. People can often prove to be the weakest link.
But there are ways university IT departments try to educate staff and students about the risks, although 78% worry community members don’t correctly follow guidance.
In October, chief information security officer Brian Hall of the University of California Santa Cruz launched a simulated phishing campaign to keep the campus up-to-date on tactics.
“Beginning this month through the 2020-21 academic year, you will receive multiple simulated phishing emails”
“Beginning this month through the 2020-21 academic year, you will receive multiple simulated phishing emails per standard industry best practices,” he said.
“If you click on a link in the simulated phishing email, you won’t experience any negative consequences. You will be directed to an educational web page designed to help you recognise and respond appropriately to email phishing.”
Zoombombing
“By now, most people have heard of Zoombombing, or visits from unwanted guests disrupting virtual meetings and classes,” noted the Rutgers Office of Information Technology in New Jersey.
“Some security issues stem from cybercriminals making attempts to steal passwords or data. You can take proactive steps to avoid disruptions in your meetings and classes.”
The measures they suggest are basic but often overlooked: adding a passcode, using a waiting room and knowing how to remove unwanted participants.
But as the Blackbaud attack proves, in today’s digitised world, in-house security isn’t enough.
Online learning has brought with it more opportunities for people to access systems just by virtue of the number of people currently sat at home glued to their computers, which can mean having to look at things like wifi in student accommodation.
“With Wifirst “Room Area Network”, students can securely connect and enable their devices to communicate with one another within their room, safe in the knowledge that everything is totally secure from all other students.” said Vince Jouan, technical sales director of the UK branch of Wifirst, which among other things operates wifi services in student accommodation.
“This is because we create this “bubble” per student per room, that students can then connect all of their devices in a secured way.
“The simplest way to be hacked is for somebody to see your mac address on your computer. From this they can just pretend to be you, go into your network and gather data. We call it sniffing.”
Jouan also points to the increased use of Chromecasts and Alexas as a potential risk.
“If someone hacks your Chromecast, it’s easy for them to push content”
“If someone hacks your Chromecast, it’s easy for them to push content that you don’t want to see,” he said.
And why would anyone want to hack a Chromecast? Well, sometimes the reasons are bizarre.
Last year thousands of Chromecasts were hacked simply to play videos by renowned YouTuber PewDiePie.
It was part of an ultimately unsuccessful attempt to help the Swedish internet star keep his spot as the most subscribed to YouTube channel after an Indian music video company threatened to surpass him.
Managing risks
“History shows very few of these ransomware operators are caught. It’s generally accepted that you shouldn’t pay them. But if your business is at stake, that’s a very difficult choice to make,” Hollister concluded.
“From Blackbaud’s own testimony, they paid the attacker to destroy that information. But obviously you’re dealing with a cyber criminal, right?
“You’ve got no assurance beyond the word of a criminal that that data has actually been destroyed.”
Universities around the world are paying more attention to cyber risks than ever before. Prince Mohammad Bin Fahd University in Saudi Arabia, for example, recently launched a brand new Cybersecurity Centre, which will offer training to staff and students to secure their virtual networks.
“The global pandemic… has also highlighted the importance of a secure digital presence”
“The global pandemic may have put some plans on hold, but has also highlighted the importance of a secure digital presence.
“Universities contribute in terms of training the cybersecurity workforce and researching new security-related areas, concepts, and technologies,” said the university’s president Issa Al-Ansari.
Yet less than half of IT professionals in educational organisations say that they report to senior management on cybersecurity, with the most common thing they discuss being spending totals.
And a lack of awareness concerning what’s going on could prove costly.