The latest roundtable discussion from Security on Screen analyses the recent cyber attack against the University of Hertfordshire as well as the education sector becoming increasingly vulnerable during the pandemic.
The University of Hertfordshire has been targeted by cyber attackers this week, resulting in the entire IT network being taken down and subsequently, all online classes being cancelled.
Starting on Wednesday (14th April) at 22:00, the attack has left students unable to access Office 365 services, such as Teams, as well as other university paid-for services such as Canvas and Zoom.
In a statement, the University said: “Please be reassured that our IT colleagues are working hard to rectify the situation as soon as possible. Any in-person, on-campus teaching may still continue today, if computer access is not required, but students will have no onsite or remote access to computer facilities in the LRCs, labs or the University Wi-Fi.
“We apologise for the inconvenience this situation has caused and will continue to keep you updated. You can check the status of all our systems by visiting status.herts.ac.uk.”
Education posing high risks
According to Jamie Akhtar, CEO and Co-Founder of CyberSmart, education is one of the most vulnerable and least protected industries. He continues: “In May 2020, Microsoft Security Intelligence found that 61% of nearly 7.7 million enterprise malware encounters came from those in the education sector, making it the most affected industry for cyber-attack.
“It’s no surprise that the UK government made Cyber Essentials, its security certification scheme that covers the fundamentals of cyber hygiene, a requirement for educational institutions working with the Educational and Skills Funding Agency. Following the fundamental rules of cyber hygiene like strong password protection, up-to-date software, and enabled firewalls can go a long way in preventing incidents like these.”
Mitch Mellard, Principal Threat Intelligence Analyst at Talion, agrees: “After the catastrophic Blackbaud breach, which was extremely far reaching because of the number of institutions using the platform, ransomware attacks have plagued higher learning.
“The nature of a university, requiring a network which is open to people of every level of technical literacy, has a large diverse user base, and due to the collaborative nature of the teaching and research which is taking place, has a great deal of widely accessed file shares, provides ideal conditions for ransomware to take root and spread.”
Andy Norton, European Cyber Risk Officer at Armis, also adds: “The Education Sector is a soft underbelly for cyber crime groups, largely because it is unregulated in comparison to other sectors. The consequence of that is a lack of funding in cyber resilience programs. There isn’t a single UK education establishment that knows with any level of confidence what devices are on its networks. How do you expect to secure the organisation when you don’t know what it is you have to secure in the first place?
“This lack of knowledge about what systems are actually doing in your network makes back-up and recovery processes more prone to failure, and when that happens there is more likelihood of paying a ransom, and that explains why the Education sector is a target for cyber criminals.”
Pandemic pressure
Phishing remains a popular method of stealing credentials, but since the start of the pandemic, threat actors have been finding easier ways to hide amongst the uncertainty. Brian Higgins, Security Specialist at Comparitech, adds: “Given the immense pressure caused by COVID-19 lockdown restrictions and a total shift in learning delivery, it is no surprise that criminals would choose to exploit these circumstances to extort money and otherwise cause harm.
“Criminals use fear, uncertainty, and doubt (FUD) to manipulate their victims into paying ransoms and/or giving up personal information that can be used or sold to make money. When a sector or community is so obviously under pressure this can only help attackers to leverage capitulation far more effectively as the victims are already in difficult circumstances.”
“While the cause of the cyberattack is yet to be disclosed, both staff and pupils must remain on high alert for common threats like phishing,” says Burak Agca, Security Engineer at Lookout. “On modern devices like smartphones, tablets, and laptops, phishing presents an entirely different challenge from phishing on traditional endpoints.
“We’ve even seen a 37% increase in the rate at which users on mobile faced phishing attacks, due mainly to the pandemic. Threat actors have more ways of hiding the true intent of a phishing attack on mobile, and for that reason use it as the primary way to kick off bigger infrastructure attacks.”
NCSC’s alert
In September 2020, the National Cyber Security Centre (NCSC) issued warnings to UK universities that they would remain vulnerable targets and ultimately provided institutions with a set of alerts to keep criminals out of their networks. Since then, the NCSC has encouraged UK institutions to ensure that all their data is backed up and that copies are stored offline to prevent data loss in the event of a cyberattack.
The authority said that it is ready to support institutions as well as offering guidance for them to better understand the cybersecurity sector. “The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks. Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack.”
“One can only hope that, after seeing the warnings from the National Cyber Security Centre, Hertfordshire have an appropriate Incident Response Plan in place to mitigate this attack and restore their networks safely and securely,” Higgins adds. “The fact that Hertfordshire have students resident on campus and dependent on their network for domestic internet access, as well as academic, will only add to the pressure to resolve the situation.”
Security professionals have argued that it is down to the University to gain proper knowledge and training to assure the highest protection. “With an ever-growing attack surface, building just another wall around the institution’s network or a segment of sensitive data is not the best way forward, especially when it comes to phishing attacks that are likely to generate some hits,” says Trevor Morgan, Product Manager at Comforte AG.
He continues: “In the end, if you’re an educational institute, the most important thing to do is to protect your students’ and employees’ data, as well as your precious and highly valuable research, rather than the borders around that information. With modern solutions such as format-preserving encryption or tokenisation, you can render useless to hackers any PII (including names, addresses, and IDs) or other data you deem sensitive, even if they manage to penetrate your strengthened perimeters and actually get their hands on it.”
Precautions for staff and students
Pointing out the steps users can take to prevent further attacks, Chris Hauk, Consumer Privacy Champion at Pixel Privacy, says: “Universities and other educational institutions should make sure all systems have been updated to the latest versions if possible.
“They should also engage in user education, both for students and faculty, to educate users as to the risks of opening unsolicited links or attachments in emails and text messages. Users should also never share personal information, particularly university network login information.”
Higgins also adds: “It is vital that anyone affected by the breach be incredibly vigilant over the coming days and weeks as criminals will already be contacting them to try and exploit the situation for their own gain. Under no circumstances should they engage with any unsolicited communication.
“Forward any emails to report@phishing.gov.uk and don’t share any personal credentials, login and passwords, or other data however scared they might be or convinced that they may be helping to protect themselves. It’s extremely frustrating but they will only be making matters worse. If the University hasn’t issued guidance for those affected, they should contact them directly and ask them to do just that.”
The University of Hertfordshire’s attack has been compared to another recent cyber attack against the University of Northampton, highlighting how vulnerable educational industries are at this current time and what needs to be done to prevent such attacks from happening again.
Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire, suggests: “While adopting new solutions can help organisations protect their assets, it is by creating a solid cybersecurity foundation that educational organisations can truly minimise the risk of a breach.
“This includes thorough training of students and staff about the threats that can come through their inbox, as phishing campaigns still manage to get around email filtering systems and unfortunately continue to be successful attack vectors.”
He concludes: “By getting the basics right, universities and other higher education institutions will be making it harder and costlier for attackers to be effective with their threats. Most times, a hacker’s function is to cause as much disruption as possible, so finding and patching known vulnerabilities, making sure critical systems are securely configured and monitoring your systems for abnormal changes, can go a long way to increasing your barrier of defence, especially as the threat of an attack from nation-states increases.”