How universities can keep cybercriminals at bay
Educational institutions are under increasing attack from cybercriminals looking to exploit open networks. Jesper Johannson, security group leader at Yubico, looks at how to keep hackers out.
There were 1,152 successful cyber attacks on UK universities recorded in 2016-17. “Tempting and easily accessible” open networks, sensitive information such as research and medical records, and personal and payment information entered on shared computers and networks, mean hackers see universities as tantalising targets. As a result, students take on more risk than they realise when they go online on campus.
Students aged 18-25 face a dual threat. According to the UK government’s Cyber Aware campaign, they are the most likely to reuse passwords for multiple online services.
So let’s uncover some of the most common techniques for stealing internet credentials, proven methods of defending against attacks, and best practices to keep data safe:
Attackers can be surprisingly successful at accessing accounts across many sites by guessing passwords with specific or common usernames. Most people struggle with creating or remembering strong passwords, so it’s common for them to choose weak ones for convenience, or use variants of the same password across multiple sites.
This problem is exacerbated by the large volume of stolen credentials for sale on the dark web. Attackers have also reportedly targeted weaker sites to gain an individual’s credentials. If successful, they’ll use those same credentials on sites they’re actually interested in.
Getting the job done, whatever the cost
With tight deadlines and busy schedules, security is often one of the first areas to take a hit. Students may borrow or share account credentials, leave shared devices unattended or unlocked, or click on malicious links.
Students have work to do, and if security hinders rather than helps them, they will work around controls they don’t understand. Another common pitfall is accessing important accounts and data via unsecured networks, such as public wifi.
Sometimes, unsecured networks allow attackers to gain access to the network path and place a fake site between their victim’s computer and the site the victim is accessing; this is known as a ‘Man in the Middle’ (MitM) attack. This can enable the attacker to steal login credentials and data if the connection is not encrypted, or if the victim believes the attacker’s system is legitimate.
Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy students can become a victim. 91% of cyber attacks start with a phishing email. While some are obvious, the successful subject lines don’t arouse suspicion.
Many phishing emails appear to have been sent legitimately by people known to the user. ‘Account action required’, ‘Important student loan information’, or ‘library loan return due’ can all be ploys to weaken the email recipient’s defences through seemingly ordinary alerts.
The body of the email can hold a new set of clues, including misspelled words and confusing context. Hackers can also use current or popular events to their advantage. Holiday seasons, trending causes and natural disaster or tragedy relief efforts are all used to sneak phishing emails into the inboxes of thousands of targets.
Hackers are increasingly sophisticated
Hackers want to stay one step ahead of organisations’ security protocols. PCs connected to the internet have large attack surfaces, making them vulnerable to attacks from many fronts.
Attacker objectives, victims, and techniques vary significantly. That said, we do know that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches. Since stealing someone’s password is relatively easy to do from afar, with little risk of being caught, it’s become one of the most common attacks.
Having strong usernames and passwords isn’t failsafe. If they are compromised, a hacker can easily access accounts. Phishing/malicious emails can often look like credible emails, and may even come from known contacts. Thankfully, universities have begun to recognise that strong authentication provides security countering the fallout from password breaches.
Prevention is the best protection
Universities should ensure that security policies and procedures are communicated to all students and staff. They should take time to educate students not just on their chosen subject, but about the negative impact a data breach could have on the university’s revenue, safety, and overall reputation. Regular communication with students is key to reinforcing what should be done to prevent breaches, and how to respond in the event of one.
All students would be best advised to follow basic best practice to protect their accounts, such as never opening a suspicious attachment or link. They should be reminded of good habits while using shared computers, and cyber security awareness campaigns should be encouraged.
Fail to plan? Plan to fail
While no university wants to deal with a data breach, those that prepare weather the storm better. The aftermath of a compromise is a terrible time to draft the notification to staff and students, and just as bad a time to figure out how to determine and stop what happened. A clear, tested response plan helps all parties know what to do.
Prioritising the protection of data and systems starts at the top. Building out a senior position with responsibility for cyber security and data privacy will ensure that there is a holistic approach, and it will also help leadership buy-in by giving security a seat at the executive decision-making process.
Some attacks are so sophisticated that they can bypass the savviest of users. Technology can help, and we strongly recommend two-factor authentication (2FA). Many services enable the use of 2FA, which can help students protect their online world while helping universities protect their most sensitive data.
Physical hardware, such as 2FA tokens, is considered more effective than methods such as SMS or software tokens. These involve staff or students logging in using both their password and the physical hardware token. Even if credentials were to become compromised, the hacker would still need the user’s physical token to gain access to accounts.
While there’s no simple fix to prevent cyber criminals from attempting to plunder the university’s most precious resources, by following the steps above it is possible to keep them from the data they want.