Students today are increasingly dependent on their devices and other IT sources to help them succeed in their academic studies; lectures and course notes are available via portals, whilst many universities and colleges now insist on online submission of assignments. As a result, these establishments must ensure the security of the various systems they run, protecting students’ ability to access the resources they need, as well as their intellectual property and sensitive data.
Universities continue to be a target for hackers, be they external actors or malicious insiders; a recent analysis of cyber attacks against universities and colleges discovered that staff or students could often be responsible, rather than organised crime and hacking groups. The report stated that attacks seem to increase when students are more active on the university networks during term time and the working day.
However, although some of these attacks may have originated from students, it may not always be the case; the data could simply mean that many students are logging on with their own devices which have been compromised. Similarly, the fact that the attacks are focused on temporary disruption – such as Distributed Denial of Service (DDoS) – rather than exploitation of destructive malware and ransomware, does suggest the motivations are more likely to be for entertainment, or perhaps fraud, rather than direct damage or extortion. Lastly, it could even be third parties using compromised university resources as a cover to launch attacks against somebody else. This would not only disrupt IT systems and cause problems for anyone trying to log in, but would also reflect badly on the university.
A widespread problem
These issues are not just restricted to the UK. Universities and educational establishments worldwide are implementing a range of solutions to ensure students can access their resources. In the UK, constant access to resources is expected, as students become increasingly aware of the cost of university education and want to make the most of their time there. An interruption in service at a critical time – just before exams, for example – will not be welcome.
This always-online culture has created new security challenges for universities, schools and colleges, requiring innovative strategies based on a perimeter-less, zero-trust approach. This security model moves on from the old school of thought that only devices or users connecting on-campus, or within the university network, should be trusted. Given that the threat can often come from ‘within’, we can no longer rely on the idea of a defined network perimeter and virtual private networks (VPNs) to keep data safe.
A central tenet of zero-trust security is that only trusted users and devices can access sensitive and restricted files and applications, irrespective of where the access request is coming from. So, authenticated students logging in remotely would be treated the same as a member of staff logging in from their office.
In this era of zero-trust and remote connections, it shouldn’t matter, from the perspective of defending systems, whether the attacks are coming from internal users or external actors. That said, if the attacks are from internal networks, the IT organisations have a responsibility to track the offenders down. Vigilant monitoring of anomalous volumes of traffic should allow the IT administrators to easily find the source of an attack and remind those responsible of the institution’s policies. If it’s an external attacker, it would provide the evidence for forensic investigation to discover the likely point of vulnerability and entry into the network.
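The monitoring described above can be sketched as a per-source volume baseline. This is an added example, not code from the article or from Duo Security; the campus address range, the threshold `k`, the follow-up labels and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: the campus address space (placeholder private range).
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow records (hour, source IP, bytes sent); not real traffic.
BASELINE = {"10.20.4.17": 40_000, "10.20.9.3": 55_000, "198.51.100.7": 30_000}
FLOWS = [(h, src, b + 1_000 * h) for h in range(6) for src, b in BASELINE.items()]
FLOWS += [
    (6, "10.20.4.17", 9_000_000),    # on-campus device suddenly floods
    (6, "10.20.9.3", 58_000),        # ordinary term-time usage
    (6, "198.51.100.7", 4_000_000),  # off-campus source spikes as well
]

def per_source_hourly(flows):
    """Sum bytes per source per hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, nbytes in flows:
        totals[src][hour] += nbytes
    return totals

def anomalous_sources(flows, current_hour, k=10.0):
    """Flag sources whose current-hour volume exceeds their own median
    by more than k median absolute deviations (MAD)."""
    findings = []
    for src, hours in per_source_hourly(flows).items():
        history = [v for h, v in hours.items() if h < current_hour]
        if len(history) < 3 or current_hour not in hours:
            continue  # too little history to judge this source
        med = median(history)
        mad = median(abs(v - med) for v in history) or 1  # avoid divide-by-zero
        if (hours[current_hour] - med) / mad > k:
            internal = ipaddress.ip_address(src) in CAMPUS_NET
            # Location only selects the follow-up; detection is the same for both.
            follow_up = ("identify device owner, remind of policy" if internal
                         else "preserve evidence for forensic investigation")
            findings.append((src, "internal" if internal else "external", follow_up))
    return sorted(findings)

if __name__ == "__main__":
    for finding in anomalous_sources(FLOWS, current_hour=6):
        print(finding)
```

Because each source is compared with its own history, a heavy but consistent user is not flagged, while a compromised student device that abruptly changes behaviour is.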
Protection from the inside out
Students going to university will be familiar with using their phones and devices not only for communication but also as a means of authentication to access applications. So, verifying who they are before accessing university services and systems would not only be second nature, it would be expected.
It therefore wouldn’t be a great leap for students to authenticate their identities using multi-factor authentication (MFA) on their phones, for example; they are probably doing this on all sorts of applications already, such as banking or email. The use of MFA requires a user to actively authenticate when logging on, and will not only limit the opportunities for criminals, but also provide helpful data for forensics teams in the event of a breach. It will also highlight to users their responsibility at the point of logging in. If they decide to launch their own nefarious activities to the detriment of their fellow students, they will be much more easily identified.
Whilst the technical implementation of MFA is relatively simple and offers a high level of reward and security, there can be some issues as to how it is communicated in a student organisation. It needs to be made known that the efforts are purely intended to secure students, rather than letting it be misconstrued as monitoring their activities. It’s about protecting them, so they can access their resources when they need them, rather than being held back from their studies because of a hacking event.
Lastly, the universities should require that all devices reach a specified level of security, and that they are patched to an agreed specification. A system of identifying the vulnerable devices and educating the user through the process of updating will improve security through persuasion and education, rather than compulsion and enforcement. This will be far more appropriate in the educational world, and ensure all systems and services are protected for those who need them.
Richard Archdeacon is Advisory CISO – EMEA at Duo Security