Oct 24 2019

Hackers Evolve Attack Methods in Higher Education Breaches

Malicious actors target institutional data because it pays off.

Campuses are struggling with effective cybersecurity. While education lags behind industries such as finance, healthcare and public administration in total breach volume, Verizon’s “2019 Data Breach Investigations Report” notes an uptick in both the volume of confirmed data disclosure attacks in education — 99 of 382 incidents — and in the variety of threats. 

With National Cybersecurity Awareness Month highlighting the need for institutions to develop comprehensive strategies that drive widespread ownership of responsibility, it’s the ideal time for colleges to analyze current breach patterns and develop cybersecurity best practices that are both theoretically sound and realistic.

Hackers Expand Target Areas to Entire Campus Networks

There’s no shortage of cybersecurity threats for post-secondary schools. 

According to ZDNet, one university recently disclosed a data breach that saw the personally identifiable information (PII) of both students and families compromised after an incident in May, and similar incidents were reported earlier this year by other institutions. 

To develop best practices capable of meeting cyber threats head-on, IT leaders must first identify common threat vectors: How are malicious attackers gaining network access?

According to Kim Milford, executive director of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), “there’s nothing new” about the most popular attack strategies. In higher education, phishing emails and ransomware remain the top threats.

In 2016, Milford says, ransomware was “a huge moneymaker” for threat actors using a one-to-one attack vector; single workstations were frozen, and payouts typically hovered around $250.

Today, she says, “we see malicious actors doubling down and making models better,” with attackers developing ways to infect and compromise entire networks. 

She also highlights the alarming trend of old attack patterns causing problems for campuses, noting that REN-ISAC regularly sees reports on the fast-spreading worm Conficker — raising questions about why university IT infrastructure remains vulnerable to a virus first identified in 2008.

Understand the Variety, Volume and Velocity of Campus Attacks

This trio of attack vectors — ransomware, phishing emails and existing vulnerabilities — leverages a worrisome take on the “three Vs” of Big Data:

  • Variety: The continuing use of common vulnerabilities to compromise university systems speaks to the variety of hacker efforts. Put simply, malicious actors will use whatever works to gain network access. Legacy systems and unpatched software provide the perfect proving ground for old-school threats.
  • Volume: Phishing attacks make it up on volume. As noted by Mimecast’s “The State of Email Security Report 2019,” 94 percent of organizations have experienced phishing attacks, and 64 percent of respondents believe it’s “inevitable that their organizations will suffer a negative business impact from an email-borne attack.” While original phishing hooks were riddled with poor spelling and filled with obvious grammatical errors, they’re now far more sophisticated, Milford says. Today’s hooks are capable of replicating common sign-on processes and spoofing common university email addresses to fool students and staff.
  • Velocity: Ransomware attacks come hard and fast. As Milford points out, attackers are “modifying their code to make jumping easier.” This empowers them to quickly infect entire networks in minutes and creates a “much more dangerous cycle,” forcing more universities to consider paying up.


Five Ways to Strengthen Cybersecurity for Higher Ed Users

Universities and colleges hit by cyberattacks don’t just suffer immediate damages. The long-term impact of data breaches affects staff, students and IT infrastructure. 

For example, a recent survey found that after a successful attack, students’ risk perception temporarily increased — even as their overall attitude toward cybersecurity remained indifferent. 

In addition, a new public service announcement from IC3 and the FBI recommends against paying any ransom because there’s no guarantee attackers will provide valid decryption keys. 

Even if they do, “paying ransoms emboldens criminals to target other organizations” and may make blackmailed organizations more likely to be targeted again. 

So, what’s the solution? How do colleges convert broad threat vectors and specific attack types into real-world, relevant and reliable cybersecurity best practices?

Here, post-secondary institutions benefit from a five-factor approach:

  1. Discover where harm is coming from: Assessment is the first step in effective cybersecurity. For Milford, this means discovering specific vulnerabilities — where the harm is (or could be) coming from — and then developing incident response and backup policies designed to mitigate these risks.
  2. Evaluate user readiness: As noted above, users are often indifferent to cybersecurity risk despite the potential for compromised PII or financial data. One effective antidote is to employ regular phishing tests that evaluate staff and student readiness to respond if they encounter potential hooks. 
  3. Put it on repeat: Repetition is key to practical cybersecurity success. The Mimecast report notes that any training “must be frequent enough to stick,” but remain engaging enough to work. Milford describes it as “being heard above the din.” Universities should deploy a combination of mandatory online training and prominent signage every few months to keep cybersecurity concerns top of mind.
  4. Spend where it makes sense: Many institutions still leverage legacy hardware and purpose-built software tools, in part because they’re working as intended and they’re expensive to replace. But smart technology spending is essential to defending data assets. Here, the safest routes between staff, students and better security are identity management and authentication tools. Already a top priority for enterprises, these tools help ensure the right people have the right access to the right data, while reducing the potential impact of compromised credentials.
  5. Verify your vendors: Universities are leading the cloud charge as legacy systems and hardware reach their end of life. But, as Milford notes, cloud services “are under the same attacks as higher education,” just at greater scale. She recommends tools such as the Higher Education Community Vendor Assessment Toolkit (HECVAT) to help IT leaders evaluate potential cloud providers and ensure agreements meet security expectations.

Cybersecurity trends offer big-picture views of potential post-secondary risk. But reducing the impact of pervasive threats — phishing, ransomware and historic vulnerabilities — demands best practices capable of identifying key weaknesses, engaging network users and securing network infrastructure.
