What universities must do to make the grade in cyber security

Cyber-attacks on educational institutions have grown in number and severity. Globally, more than 31 terabytes of academic data and intellectual property were pilfered. The motives were either reconnaissance or profit, or both. Here’s why.

As cyber attacks on universities increase, they need to be better prepared – through a combination of putting in place the right people, processes and technology – to counter the threats, says the author.

In 1983, a school district’s computer system was broken into. A bright but unmotivated student was using a combination of “war-dialling” and social engineering techniques to successfully improve his grades, as well as those of another student.

While this is a scene from the classic sci-fi movie ‘WarGames’, the incident we are describing is no longer reel world imagination.

Just last November, in Singapore, a scholarship holder hacked into his university professor's account and made changes to his own grades, as well as those of other students.

Cyber-attacks on educational institutions have grown in number and severity.

In the first six months of 2017, globally, there was a 164 per cent increase in stolen, lost or compromised digital records compared to the last six months of 2016.

During this period, the education sector witnessed a 103 per cent increase in breaches – one of the highest jumps among all industries.

Today’s threat actors extend beyond disgruntled students.

The abovementioned statistics, along with reports that staff accounts at four Singapore universities were breached by Iranian hackers, mean it is crucial for us to understand why institutions of higher learning are now prime targets.

The Iranians allegedly responsible for the attacks on Singapore universities have been charged in the United States for attempting to hack into 144 US and 176 foreign universities across 21 countries.

The goal of this cyber-assault was to steal research, including journals and dissertations.

Globally, more than 31 terabytes of academic data and intellectual property were pilfered.

Their motives were either reconnaissance or profit, or both. Here’s why.

Institutions of higher learning typically conduct research on behalf of governments. In Singapore, for example, the universities are involved in defence, foreign affairs and transport projects.

Instead of attempting to knock down the front door – directly targeting government agencies that have high-level security infrastructure – the bad guys pick the path of least resistance.

Universities’ IT networks are primarily designed to encourage collaboration and the open sharing of ideas.

Security policies may therefore be less robust than those of government agencies, making varsities a ‘softer’ target for those looking to acquire classified government plans and information.

Universities are also entrusted with a wealth of personally identifiable information.

Each academic year welcomes a new batch of students and graduates a class of alumni. Staff are regularly shuffled into new roles across faculties and departments.

Network vulnerabilities present hackers with potential access to NRIC numbers, bank account and credit card details, and health information of thousands of individuals, including that of students’ parents – all of which can be sold or used in fraudulent activities.

The role of universities in society makes them a logical and lucrative target. They host many kinds of data that hackers love – all in one entity.

Here’s the next question: what can we do about this situation?

Breaches are not just damaging for those with information on the network, but also for the institutions themselves.

Apart from reputational damage, there will be financial repercussions from hacker ransoms, restitution settlements and fines.

When breaches happen, it is almost first nature to pin the blame on IT security staff at universities, but we shouldn’t.

Managing a university’s IT infrastructure almost resembles a nightmare, for the following reasons:

· An ever-growing volume of personal records increases the complexity of maintaining data integrity.

· The presence of multiple IT systems that vary in maturity and compatibility and are therefore difficult to integrate. For example, an engineering faculty may have its own system, which is separate from the business faculty's, which is separate from the graduate school's.

· Heavy reliance on connectivity – teachers incorporating rich media into the curriculum; assessments and tests increasingly being conducted online; students using their own devices to tap into the network for learning and other school-related activities.

· Additional connections to third parties, from partner universities overseas to vendors delivering access to cloud-based education software and applications.

Simply put, a university is an IT environment that combines a large amount of high-value information with a wide attack surface. Security is a unique and inherent challenge.

The good news is universities have been stepping up and improving their overall security posture.

Many are evaluating existing IT infrastructure and processes and implementing a layered approach to security.

A layered approach to security – in which a combination of relevant tools is selected and integrated – is essential for protecting networks without disrupting learning experiences and school operations.

Commonly adopted tools include next-generation firewalls, systems that identify behavioural anomalies, mobile device management and advanced data encryption.

The security challenge must also be tackled collectively – by management, IT staff, academic staff and students.

The universities themselves must facilitate awareness and behavioural change through education and training programmes.

Given that the Iranian attackers used a spearphishing campaign to steal credentials from professors and high-level employees, sharing best practices on simple but significant actions like hovering your cursor over a link to check a URL before clicking, or looking out for “https” in a URL, would go a long way.

Students, for example, must be taught to recognise that a university tenure is the bridge that connects their youth to the rest of their lives.

It is therefore also the responsibility of students themselves to ensure their data does not fall into the hands of someone who could commit crimes in their names in due time. This means they should think twice before sharing passwords or leaving them out in the open.

“Hey, I don’t believe that any system is totally secure,” is a classic line from WarGames that rings true more than ever before.

This year, as WarGames undergoes a contemporary reboot, it serves as an uneasy but timely reminder that a university’s open, collaborative and digitally-dependent operations mean it cannot be fully fortified.

What we need to proactively establish is preparedness – a combination of the right people, processes and technology – and capabilities for effective response and mitigation when something bad inevitably happens.

ABOUT THE AUTHOR:

Leonard Kleinman is Chief Cyber Security Advisor for APJ (Asia Pacific and Japan) at RSA, a cyber security firm. It is organising RSA Conference 2018 APJ, an international cyber security conference, here in July.


 
