The education sector has long been a favourite target for cyber attacks. Schools, colleges and universities are often considered soft targets because they commonly have not budgeted for a comprehensive security strategy. Attacks on higher education can also give criminals a route to students themselves and to the loan finance attached to them.
The stakes for a data breach are high. Any establishment which collects personal information could be at risk of incurring large fines for any significant incident resulting in loss of data, under the requirements of the General Data Protection Regulation (GDPR).
Despite this, breaches are on the rise. A recent freedom of information request revealed that the number of data breaches in the education sector reported to the Information Commissioner’s Office (ICO) has increased by almost 25 percent in just two years. Current ICO data shows that in Q2 of 2018 alone, 353 data breaches and 151 security incidents were reported by the sector.
Universities are commonly targeted by cyber criminals seeking personal information from current faculty members, staff and students, as well as alumni. Physical and email addresses, telephone numbers and other personal information are the most common types of data stolen. Attackers will either sell the data on to other criminals, or use it themselves to facilitate further targeted attacks on the victims. Several leading universities around the world have also been hit by ransomware attacks, with some resorting to paying ransoms of thousands of pounds to restore their systems.
However, while the education sector is a prime target for cyber attacks, evidence reveals they are not always the work of organised cyber criminal gangs operating from thousands of miles away. In fact, many of the incidents may be the work of people within the organisations themselves. A Government-funded report into cyber attacks against universities, published in September, revealed that many incidents appeared to originate from disgruntled staff and students, rather than external criminals.
The analysis of 850 incidents in 2017-18 revealed a clear pattern: attacks increased during the working day and term time, then fell sharply outside university hours. This pattern suggests that many security incidents are caused by staff with a grudge against their employer, or by students who want to disrupt their educators out of malice or boredom, or perhaps in an attempt to buy themselves more time to prepare for exams.
Identifying hidden insider threats
Serious insider security incidents, such as sabotage and data theft, can easily result in huge financial and reputational damage. However, spotting a malicious insider in person and in advance is extremely difficult, unless they happen to be openly discussing their dissatisfaction or their desire to damage the university. Likewise, it is all but impossible to pre-emptively identify external criminals who hold stolen login credentials and can therefore act as insiders.
Fortunately, if an organisation is equipped with the tools and knowledge to discover them, there are digital clues that will identify a rogue insider. Here are four of the most important warning signs that there may be a rogue insider at work:
Network ghosts: One of the easiest routes into a network is to commandeer an old, unused user account. Organisations often neglect to disable old accounts or change their credentials, and these ‘ghosts’ can then be used by former employees or students, or by criminals who have obtained the credentials.
Shifting network access times: Working hours have become increasingly flexible, and universities in particular are home to many users who are active at unusual hours. However, a sudden change in an individual user’s activity pattern can indicate either an attempt to hide activity or an external criminal using stolen login information.
Unusual file access: Users searching for, accessing, editing or copying data outside the scope of their role should be treated as an immediate red flag. It may simply be a nosy user poking around the network, but it can also signal attempted theft or sabotage.
Taking large volumes of data from the system: An even clearer indication of suspicious activity is a user attempting to move a very large amount of data, whether by saving it externally or printing it. In particular, this is likely to be a sign that an employee is taking confidential files to sell or pass on to a third party, or to use in securing another job.
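The four warning signs above are each a simple test over file-access logs and directory data. The following is an added example, not code from the article or from Varonis, showing one way to run those four checks over a batch of access records. The log format, the share layout (/shares/&lt;department&gt;/...), the department roles, the leaver dates and the thresholds (two hours of slack around a user’s baseline hours, 500 MiB moved in a day) are all assumptions chosen for illustration, and the log lines are constructed, not taken from any real system.

```python
from collections import defaultdict
from datetime import datetime, date

# Constructed sample file-access log (not from any real system):
# ISO timestamp, account, action, path, bytes moved.
SAMPLE_LOG = """\
2018-09-03T09:12:00 alice READ /shares/finance/budget-2018.xlsx 40960
2018-09-03T14:05:00 alice WRITE /shares/finance/budget-2018.xlsx 40960
2018-09-04T10:30:00 alice READ /shares/finance/payroll-aug.csv 81920
2018-09-03T09:45:00 bob READ /shares/research/grant-draft.docx 20480
2018-09-04T16:20:00 bob READ /shares/research/lab-notes.txt 10240
2018-09-03T11:00:00 carol READ /shares/registry/enrolment.csv 204800
2018-09-04T15:10:00 carol READ /shares/registry/timetable.xlsx 51200
2018-10-02T02:15:00 bob READ /shares/research/grant-draft.docx 20480
2018-10-02T02:40:00 bob READ /shares/research/lab-notes.txt 10240
2018-10-02T03:05:00 bob READ /shares/research/results.xlsx 30720
2018-10-02T11:30:00 carol READ /shares/finance/payroll-aug.csv 81920
2018-10-02T11:45:00 carol COPY /shares/registry/enrolment.csv 734003200
2018-10-02T11:52:00 carol COPY /shares/registry/alumni-contacts.csv 524288000
2018-10-03T13:00:00 old_admin READ /shares/it/passwords.kdbx 4096
2018-10-02T09:30:00 alice READ /shares/finance/budget-2018.xlsx 40960
"""

# Constructed directory data (assumed, for illustration): each account's department,
# the department that owns each share, and accounts whose owners have already left.
ROLES = {"alice": "finance", "bob": "research", "carol": "registry", "old_admin": "it"}
SHARE_OWNER = {"finance": "finance", "research": "research", "registry": "registry", "it": "it"}
LEAVERS = {"old_admin": date(2018, 6, 30)}

BASELINE_END = datetime(2018, 9, 30)    # events before this date form each user's baseline
HOUR_SLACK = 2                          # tolerance (hours) around the baseline working window
BULK_BYTES_PER_DAY = 500 * 1024 * 1024  # assumed threshold: 500 MiB moved in a day


def parse(log):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, action, path, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events


def ghost_accounts(events, leavers=LEAVERS):
    """Sign 1: any activity on an account whose owner left before the event."""
    return sorted({e["user"] for e in events
                   if e["user"] in leavers and e["ts"].date() > leavers[e["user"]]})


def shifted_hours(events, baseline_end=BASELINE_END, slack=HOUR_SLACK):
    """Sign 2: a user whose recent activity mostly falls outside the hours they kept before."""
    baseline, recent = defaultdict(list), defaultdict(list)
    for e in events:
        (baseline if e["ts"] < baseline_end else recent)[e["user"]].append(e["ts"].hour)
    flagged = []
    for user, hours in recent.items():
        if user not in baseline:
            continue  # nothing to compare against; unknown or dormant accounts are the ghost check's job
        lo, hi = min(baseline[user]) - slack, max(baseline[user]) + slack
        outside = sum(1 for h in hours if not lo <= h <= hi)
        if outside > len(hours) / 2:
            flagged.append(user)
    return sorted(flagged)


def out_of_role_access(events, roles=ROLES, share_owner=SHARE_OWNER):
    """Sign 3: access to a share owned by a department other than the user's own."""
    hits = set()
    for e in events:
        share = e["path"].split("/")[2]  # "/shares/<share>/<file>" -> "<share>"
        if share_owner.get(share) != roles.get(e["user"]):
            hits.add((e["user"], e["path"]))
    return sorted(hits)


def bulk_movement(events, limit=BULK_BYTES_PER_DAY):
    """Sign 4: one account reading, copying or printing more than `limit` bytes in a day."""
    per_day = defaultdict(int)
    for e in events:
        if e["action"] in ("READ", "COPY", "PRINT"):
            per_day[(e["user"], e["ts"].date())] += e["bytes"]
    return sorted({user for (user, _), total in per_day.items() if total > limit})


def triage(log):
    """Run all four checks and return the accounts each one flags."""
    events = parse(log)
    return {"ghost_accounts": ghost_accounts(events),
            "shifted_hours": shifted_hours(events),
            "out_of_role": out_of_role_access(events),
            "bulk_movement": bulk_movement(events)}


if __name__ == "__main__":
    for sign, hits in triage(SAMPLE_LOG).items():
        print(f"{sign}: {hits}")
```

On the sample data, each check fires on exactly one account: old_admin (leaver still logging in), bob (night-time reads after a daytime baseline), carol reading a finance share from a registry role, and carol again for copying over a gigabyte in one morning, while alice, the control, is clean throughout. A real deployment would take the roles and leaver dates from the directory rather than a literal, and would tune the slack and volume thresholds per role; the point is that none of the four signs requires anything more exotic than an access log joined to HR data.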
Shutting down the rogues
If a university is able to identify these four key signs of malicious insider activity in advance, it will have a much greater chance of stopping the rogues and criminals before they can cause serious harm. However, many organisations still lack the crucial account monitoring and access management capabilities required to do so.
Once the university is able to monitor how users are accessing and using files on the network, behavioural analytics can be used to automatically identify users acting suspiciously. Implementing stronger controls around how files are accessed will also help to mitigate the damage that can be inflicted. Users are often given far more network access than they require for their role, and many organisations habitually leave sensitive files open to all users. Instead, all users should operate under a ‘least privilege’ model and only be granted the access rights required for their normal activity.
By locking down access to sensitive files and equipping themselves with the ability to spot signs of malicious activity on the network, universities can greatly reduce the level of cyber threat they face from both criminal intruders and malicious employees and students.
Andy Richmond is UK VP and country manager at Varonis