With the NHS and UCL coming under cyber attack in recent months, the threat of a similar security compromise is a constant concern for universities. As when avoiding disease, prevention is better than cure, and being a step ahead of any potential incident is vital. It is important to inform, but not alarm, staff and students, and gaining preparedness can even be enjoyable.
“Cyber attacks are a significant risk for our university and we know the risk doesn’t stop when we step off campus into our everyday lives,” said Tracy Willis, CIO and Director of Information Technology Services at the University of the West of England (UWE Bristol).
Technologies like social media and online shopping mean security threats are far more pervasive, so today security really is an issue for all of us, not just the IT team. UWE Bristol’s Cyber Security Week offers a fresh take on security awareness. It draws on the ingenuity of our students, academic experts and technologists, who devise security-themed events everyone can take part in.
Tracy added: “We show films, run online games for students and staff to compete in and host real-world activities. For example, last year we ran a security escape room. There are also surveys and drop-in advice sessions. We know security training can be dry and a little daunting so we’re trying to make it fun without diminishing the message it’s a serious topic affecting us all.”
The University is also always on guard. To help everyone stay security conscious throughout the year, UWE offers continuous online courses illustrating some of the devious tactics, like phishing emails and fake online profiles, that criminals use to access confidential information. “You need to almost think like a criminal – it takes a thief to catch a thief and lots of security breaches involve social engineering so you have to focus on the psychology as well as the technology,” added Tracy.
According to Henry Seddon, Duo Security Vice President of EMEA, based in London, “Universities have a large and diverse group of IT users, including faculty, students and employees, making them a prime target for hackers as it is easier for them to pick and choose who they target. These institutions also hold a great deal of publicly identifiable and sensitive information about faculty and students, as well as valuable grant-funded research that can be sold.
This issue has affected a number of educational institutions. According to a Freedom of Information (FoI) request submitted to UK universities by Duo Security in November 2016, 70% of 51 respondents confirmed they have fallen victim to a phishing attack in which an individual had been tricked into disclosing personal details via an email purporting to be from a trusted source. To protect their users and data, universities must ensure they practice basic security fundamentals before they spend a pound on other security products. This includes data encryption and back-up, timely patching of software, utilising password managers, multi-factor authentication and overall device hygiene such as ensuring browsers and operating systems are up-to-date. Think of it like washing your hands to prevent the spread of disease rather than needing a hazmat suit.”
The advice from 2CQR (library self-service, stock management and security) is that any software application, or indeed any device, connected to the internet should be treated as a potential attack vector and secured appropriately, and preferably also completely isolated from internal networks where possible. Even on devices specifically intended for browsing, browser add-ons such as Flash should be strictly controlled; these are among the favourite tools for attackers to abuse, as they contain numerous problems and are very powerful tools when they are compromised. 2CQR software solutions on self-service units and sorters do not require browser access or any sort of connection to the internet, specifically for this reason, making them easy to secure from the outside world.
Data back-ups need to be taken further than just making back-ups: proper recovery plans should be in place and actively rehearsed. Universities should also know where their data is; which systems contain data needing to be controlled more strictly, and which systems can be ‘zeroed’, or started over, if disaster strikes.
“As a specialist online institution, we place a much greater emphasis on protecting our online presence,” says Dr Ben Silverstone, course leader for computing and quantitative business at Arden University. “With courses delivered using a virtual learning environment (VLE) it is essential this is accessible – and protected – at all times as an integral part of the business. An external provider is used to achieve this, which enables the IT function to maintain a much more strategic view of the threat situation, looking to respond as appropriate. There is still some concern over the integrity of the internal systems underpinning the work the University does; measures are in place to limit the potential damage users within the organisation could cause, as well as looking to respond to any external incursions. In addition, robust user policies are in place to help ensure the staff align to the University’s security agenda.”
Steve Robinson, Arcserve Territory Director – UKI South & Netherlands, has the following advice for universities looking to safeguard against future cyber attacks. “There are some simple steps you can take to mitigate the risk of an attack in the first place, and to ensure your critical data is protected and recoverable if the worst should happen. Protect the source machine by taking precautions to prevent ransomware infection in the first instance by training users to not click on links within emails or download attachments from unknown sources. Use a mainstream antivirus and security package and update virus definitions and patch software on a timely basis.”
It could pay to be flexible. “Perform regular back-ups, which may include rethinking your service level agreements to ensure critical business data is backed up more frequently. Follow the 3-2-1 strategy for back-up; maintain three copies – one of your copies should be offline and at least one of the copies should be offsite. Ensure your chosen back-up solution includes virtual standby for critical systems so you can get back on your feet very quickly.”
Lastline’s Senior Security Researcher, Marco Cova, believes universities face some unique challenges when it comes to computer and network security. “They must protect a wide range of data with different levels of desirability from an attacker’s perspective, ranging from basic contact information for visitors to students’ financial records to laboratory research findings to patient data for universities running hospitals. They have a varied group of users to protect, including ad-hoc visitors, students who stay a few years and faculty who may stay for decades, each with different technical skills and needs, and therefore different security and privacy requirements. Universities have traditionally favoured an open culture with a high regard for privacy that in some cases clashes with security requirements.”
Marco recommends the following measures among others. “Keep all systems up-to-date with the latest software patches. As seen with WannaCry and Petya, even a few outdated systems can function as entry points for attackers. Compartmentalise networks and use different security levels for each. For example, use higher security with more restrictive access for sensitive labs as compared with visitor networks where ease of access is important.”
“Recent attacks have proven the classic ‘protect the perimeter’ and ‘hardening’ security strategies ineffective and insufficient against breaches,” says Dr Mohammad Hammoudeh, head of Manchester Metropolitan University IoT Lab.
“One myth is universities can manage only with defence mechanisms; however, proactive mechanisms such as monitoring are increasingly essential. Another myth is the increasingly rising security threats require complicated defence; however, most recent major security incidents have exploited well-known vulnerabilities in dated or unpatched systems. These could have been avoided by remaining vigilant, through security awareness training, replacing old systems or patching up-to-date ones.
“Universities need to balance preventing, detecting and responding to a security incident. Many struggle to measure the impact of risks and design adequate mitigation plans; most of the damage results from poor responses to security breaches rather than the breaches themselves. Looking forward, universities should invest more in advanced threat protection solutions rather than introducing more cybersecurity controls limiting the ability of employees to collaborate and work painlessly.”
Unfortunately, threats to universities’ computer systems from cyber criminals will never go away, but robust defences and eternal preparedness equip universities to best fend off attacks. Vigilance must be constant, and complacency must be avoided at all costs.