Protecting the safety net

A look at what we have learned one year on from the WannaCry attacks, and what universities can do to prevent a major cyber attack today

The WannaCry attack last year is estimated to have affected more than 200,000 computers across 150 countries. Shortly after that, several universities in the UK, including UCL and Ulster, reported that they were victims of a ‘zero-day’ ransomware attack that left users locked out of their files. Nicola Yeeles reports on what has happened since.

There is no doubt that the threat of cyber attacks on universities is ever-increasing. Educational institutions are a particularly attractive target for cyber criminals and are well aware of the valuable data they hold. “While most ransomware attacks are relatively unsophisticated, there is always the potential that the next will be a zero-day attack exploiting a previously unknown security vulnerability,” said Alex Fagioli, CEO of Tectrade. In February a joint study (Brundage, Avin et al, 2018) by the Universities of Oxford and Cambridge identified growing threats from the use of artificial intelligence as it becomes more powerful and widespread – for example through automated hacking, or use of synthesised voices to impersonate people.

The technology body Jisc recently surveyed members on their cyber security positions and ransomware/malware was identified as one of the top three threats for universities and colleges. Dr John Chapman, head of security operations centre at Jisc, explained: “Given the headlines from WannaCry and other high-profile malware attacks such as the malvertising campaign that affected UCL, this isn’t a surprise, and it has helped to focus organisations in ensuring appropriate controls are in place to prevent attacks from spreading and respond to them when outbreaks occur.” Bournemouth University, which boasts a cybersecurity centre, was hit 21 times in the 12 months leading up to August 2016.

Chapman acknowledges that recovering from a malware or ransomware outbreak can be time-consuming and expensive, and can also damage an institution’s reputation. He said: “Even if the malware doesn’t cause much direct damage, having to turn off devices and disconnect systems to prevent malware spreading will impact daily operations, teaching and learning, which is disruptive for staff and students.” See the box for Jisc’s advice on what to do in the event of an attack.

He warns that another example of disruptive malware is cryptocurrency malware for mining Monero. This is increasing in prominence and affects Windows, Linux and Mac systems. “The solution to preventing this, again, comes down to vulnerability scanning and patch management,” he explained. It seems planning ahead is key to responsiveness.

Chapman has one last word of warning: “We have also seen scammers emailing institutions to say their systems have been infected with WannaCry (when they haven’t been) and that unless a ransom is paid by a certain date then their files will be encrypted. These hoaxes play on fear.” He said that if any institutions receive these demands, they should contact the Janet Network incident response team for advice.

So what else are universities doing to stay safe? James Lyne, Head of Research and Development at SANS Institute, explained: “One important and often overlooked tactic in the fight against cyber crime is user education. This is obviously more difficult with an amorphous and often transient population but it is important that anyone with access to the university’s network is made aware of the dangers of phishing emails, social engineering and suspicious websites, as well as the importance of safe password use and not sharing sensitive personal data.” Like many universities, Exeter requires that “all devices connected to the University network (including ResNet) must have a working anti-virus program”. Many including Exeter and Nottingham provide anti-virus software free to all staff and students to download onto their personal devices.

Fagioli acknowledged that some may see the struggle as overwhelming: “With such threats rising from one per week in 2015 to an estimated one per day by 2021, it remains virtually impossible to defend yourself or your organisation against the unknown. For this reason, organisations need to focus on the last line of defence – recovery. By putting more emphasis on data recovery, zero-day cyber-attacks and ransomware become far less of a threat.”

Fagioli gave the example of “a prominent research university” he has worked with that holds large quantities of valuable intellectual property. He explained that they were well aware that they could be the target of a cyber-attack and understood that even with the most sophisticated cyber defence capabilities on the market it is impossible to detect and defeat a zero-day cyber-attack. “For that very reason, they put significant value in implementing a rapid disaster recovery capability as their true last line of defence.”

The university worked with Tectrade to audit, test and refine its IT infrastructure and policies to make sure its backup and recovery processes were cost-effective and fit for purpose. By doing so, it gained the peace of mind that, should the worst happen and it were hit by ransomware, it could be back up and running within a matter of hours. Fagioli said: “Furthermore, the project paid for itself as the resulting optimisation of their infrastructure enabled them to defer the purchase of new storage hardware by nine months.”

Lyne said: “The other piece of the puzzle is ensuring the university has the right security solutions in place and the right people to define, manage and maintain the organisation’s security strategy. A huge challenge for many organisations when hiring security practitioners is identifying the relevant skills for their organisation’s needs (there are many different types of security professional), and then getting access to the right talent pool.” The latest Global Information Security Workforce Survey has predicted that we could have a shortfall of 1.8 million cyber security professionals worldwide by 2022, with 350,000 of those jobs in Europe.

Colin Lobley, CEO of Cyber Security Challenge UK, agreed. He said that to even begin to tackle the challenge that cyber criminals present, it is vital that young people are aware of, and encouraged to take, opportunities in the sector. He said: “While many think of cyber security as deeply technical, needing extensive hacking abilities, the truth is that we need a highly diverse range of skills.”

Fagioli sees a role for universities in this, and many are already encouraging students to get involved. For younger pupils, there is the Cyber Discovery scheme (joincyberdiscovery.com/), which started last year as a partnership between government and industry. This uses a strong element of teaching through gamification to identify naturally talented young people who will go on to become future generations of cyber security practitioners. Cyber Discovery saw over 23,500 14–18-year-olds taking part during its first year.

A separate scheme, Cyber Security Challenge UK, will be hosting the first European Cyber Careers Fair, Cyber Re:coded, in October this year. Lobley said: “Highlighting the opportunities open to students from all backgrounds will not only work towards solving the skills gap, but also boost the industry’s diversity, which, in turn, will increase the level of safety and security as individuals from different backgrounds bring different approaches and experiences to the fold.” Visit www.cyberrecoded.com for more.

He concluded: “One year on from WannaCry and the University College London cyber attacks, it is key that we find both short-term solutions – which can often come in the form of new technologies and staff education – while not neglecting the need for a long-term fix of the development of a large, resilient cyber security workforce.”

How to prevent and recover from malware attacks

When the Jisc Security Operations Centre is alerted to incidents, Jisc notify infected institutions and provide guidance on how to deal with the problem, but there are a number of actions universities and colleges can take themselves to prevent and recover from malware attacks:

● Audit your systems and remove anything that doesn’t need to be connected to your network. Old web server from a long-finished project? Remove it.
● Disable unnecessary services and use firewalls to limit the exposure of required ones.
● Segment your networks so when you are hit, the malware can’t infect your entire network.
● Routinely scan for vulnerabilities.
● Ensure you have antivirus installed and updated with the latest signatures. Even better, find an endpoint product that also monitors for anomalous system behaviour.
● Limit administrator access to those who actually require it.
● Turn on automatic updates (unless you have a good reason for not doing so).
● Patch, patch, patch!

Find out more at jisc.ac.uk