COVID-19 shut down universities across the world, locking millions of students out of their lecture halls indefinitely. Fortunately, instead of degree courses grinding to a halt, most lectures and seminars continued in virtual classrooms with the help of cloud-based technologies.
However, with the move to remote learning, universities immediately exposed themselves to the threat of cybercrime.
Universities are already an attractive prospect for attackers looking to extort them for millions, steal sensitive student data or exfiltrate valuable research. Remote learning made them even more of a target.
Since COVID-19, ransomware attacks on universities have spiked, and even now, two years on from the jump to hybrid working and learning, universities are ill-prepared.
A recent report found that 97% of the top 10 universities in the US, the UK and Australia are still leaving staff and students vulnerable because their systems lack basic security.
The speed with which universities moved their staff to remote working was admirable, allowing teachers and academics to set projects, mark work and interface with students from the safety of their homes.
Students were given remote access to academic materials, lectures and seminars in ways never before thought possible. But as a result of working from home (WFH) and remote learning, employees and students are no longer protected by the security umbrella of their university IT system.
Unfortunately, in certain situations, corners were cut and shortcuts were taken in the rush to transfer education from physical spaces to the cloud.
Understandably, the priority for universities was to continue educating with as little disruption as possible. But this meant that some important security steps were missed, and staff often lacked sufficient experience in the new technologies they were utilizing.
This opens an organisation up to social engineering, the psychological manipulation of staff into inadvertently sharing confidential information or giving bad actors access to their network.
All it takes is one student or staff member being tricked into clicking on a phishing email and a ransomware attack could be set in motion.
Because data is less likely to be backed up when working from home, universities have, since the move to remote learning, more often been forced to pay ransoms to release operationally critical information.
Hacking groups quickly realised that educational institutions are overwhelmingly focused on educating their students, not on mitigating increased cybersecurity risks.
As universities rushed to increase remote access for staff administering their IT networks, the number of potential access points rocketed, and criminals lost no time in exploiting this.
University attack surfaces ballooned still further because all their staff and students were suddenly accessing services and information from their home devices and networks, which are inherently more vulnerable.
Most breaches occur due to human error. Working from the cloud, all it takes is one simple misconfiguration from a newly remote employee and, the next thing you know, access is open to anyone and everyone with an internet connection.
By comparison, internal data centres are more difficult to breach because they require a chain of security failures: the hackers must first gain access, then find the vulnerability, and finally remove the information from the university network, all while avoiding detection.
As it moves more operations to the cloud, the industry is more vulnerable than most, but it’s not necessarily a disaster across the board, and it certainly doesn’t have to be going forward.
Some universities do recognise cyber hygiene as a focus. They are plugged into the global cybersecurity community, and they have increasingly advanced cybersecurity capabilities. They have chief information security officers (CISOs) who are aware of the Adversarial Tactics, Techniques and Common Knowledge framework created by MITRE (MITRE ATT&CK) and the best practice coming out of the not-for-profit MITRE Engenuity Center for Threat-Informed Defense.
The MITRE ATT&CK framework collects information on the changing tactics and techniques that hackers are using so CISOs can continuously test their security controls.
To make certain that these controls are holding up, this evidence-based, data-driven approach should become common practice across the university sector.
Continuous security controls validation allows universities to understand where the gaps in their defence are so they can patch them before a hacker exploits them. Traditionally, penetration testing has consisted of two siloed groups.
Blue teams are tasked with defending key systems while red teams take on the role of hackers, seeking to find vulnerabilities in a network’s defences.
However, the MITRE ATT&CK framework allows these two groups to communicate and cooperate to understand where the greatest threats to a university’s IT infrastructure lie – a process known as purple teaming.
This is the best way to ensure that if an attacker does gain access, they aren’t able to steal research data or students’ personal or financial information.
According to the Joint Information Security Committee’s 2022 Cyber Impact report, dozens of UK universities have been hit with ransomware attacks since 2020, causing disruption, putting sensitive personal and financial student data at risk, and costing millions.
Universities owe it to their students and staff to do everything in their power to ensure that their cybersecurity protocols are sufficient and stem the current flood of damaging cyber-attacks.
Luckily, with the MITRE ATT&CK framework and purple teaming, there is a revolution going on in cybersecurity strategy alongside the revolution in remote learning, and the most progressive universities are already using them to stay a step ahead of attackers.