Oct 06 2020

Securing Higher Ed's Growing Number of Remote Devices

Remote learning and work have raised the stakes when it comes to protecting college and university networks.

The attacks come at all hours of the day and night, seemingly at random, but with similar victims in their sights.

One by one, starting in April, colleges and universities around the nation fell victim to ransomware that infiltrated their servers and wreaked havoc on their systems and websites. In each of the attacks, the perpetrators relied on the same breed of malware. NetWalker, also known as Mailto, had been in circulation since August 2019 but flew mostly under the radar of investigators. It was only when the COVID-19 pandemic hit that online criminals saw an opportunity to pounce en masse. “Cyber actors using Netwalker,” noted a July FBI news alert, “have since taken advantage of the COVID-19 pandemic to compromise an increasing number of unsuspecting victims.”

The attackers’ preferred mode of exploitation involves COVID-19-related phishing emails, the FBI noted. In a typical scenario, a student might receive a message claiming to provide an update on his or her school’s response to the outbreak. (Healthcare providers, state agencies and numerous other organizations have been targeted as well.) When a student clicks on the email’s attachment, the malware encrypts “all connected Windows-based devices and data, rendering critical files, databases and applications inaccessible to users,” according to the FBI alert. The attackers also include a ransom note in their correspondence: Pay up, or the stolen information — Social Security numbers, passport scans, financial documents — will be released on the dark web.


To Improve Security, Watch Everything

The risks posed to higher education by malware and other cyberthreats are certainly nothing new. The difference now is in the sheer volume of attacks taking advantage of the growing number of threat vectors cybercriminals have at their disposal.

The current glaring weak point for colleges and universities is the vast array of endpoints now connected to their systems following the pivot to remote learning.

The more time students, faculty and staff members spend online, and the more devices they use to communicate and work, the greater the access would-be hackers have to their campus networks. “I worry about the risks every day,” says Bill Fisher, associate director of technical services in the IT department at Grand Valley State University. Since COVID-19 arrived, Fisher notes, GVSU has managed to keep its network safe. “But we’ve had to deal with ransomware a couple of times in the past, so we get the danger. It’s a real threat.”

Also on Fisher’s list of top concerns are other forms of pandemic-inspired cyberthreats, from denial of service attacks to videoconference intruders. In the early months of the COVID-19 crisis, the FBI’s Internet Crime Complaint Center noted it was fielding around 4,000 cybercrime reports per day, four times the average number of cases. Again, Fisher says, GVSU has been fortunate. “I don’t want to jinx myself, but we’re doing OK. Our approach has been to watch everything very closely and, if we find a vulnerability, we just try to take care of it.”


Some schools haven’t been so lucky. Last semester, for example, three universities reported videoconferencing attacks that disrupted remote classes in progress. At another, an April virtual event for the school’s African American student association was crashed by white supremacists who displayed racist imagery on participants’ screens. Still another school weathered a similar attack in June: During a videoconference meeting for around 500 people, hackers broke in with racist and anti-Semitic commentary the school’s president later described as “vile, violent and threatening.”

When it comes to the reported NetWalker attacks, on the other hand, their impact on school communities hasn’t always been as clear. Some schools have paid hackers the ransom required to recover stolen data, but others have refused.

Cybersecurity Best Practices for Higher Education

What should higher education IT leaders keep in mind as they guide their schools toward further remote work and learning? Brian Kelly, director of the cybersecurity program at EDUCAUSE, suggests leaning heavily on the information security professionals who already understand the IT systems on your campus. “I think most institutions already have the foundation they need to respond to these threats,” he says. “If there’s a lesson to be learned from the COVID-19 crisis, it’s that your cybersecurity and privacy folks are there to help you. They can be your enablers.”

Collaborate with your IT team to provide educational resources to your campus community that spell out cybersecurity best practices, Kelly says. Cybercriminals tend to infiltrate networks by capitalizing on end users’ mistakes. Teaching students, faculty and staff what to do and what to avoid goes a long way toward ensuring network safety.

For videoconferencing specifically, GVSU’s Fisher also recommends focusing resources on end users. His department, like many others, has posted security tips on the school’s website, offering advice on everything from how to lock a meeting to how to change Zoom’s settings so only the host can share the screen. (Zoom has published guidance on this subject as well.)

“You have to trust your students not to share the links to meetings, so there’s no foolproof way” to use Zoom or any other videoconferencing application, Fisher notes. But “assuming your invited participants are reasonable,” it’s a relatively safe tool to use.


On the topic of ransomware, Fisher says his department favors zero trust and least privilege, where network users are granted access only to what they need. With such protocols in place, he says, most hacks can either be thwarted or contained. If the breach were to occur through a computer used by someone in human resources, for example, hackers “might get access to the folders used by HR, but that’s it. They won’t see anything else.”

If data is stolen, Fisher says, his team has confidence that its backup systems will allow it to recover anything critical. (GVSU uses Microsoft Defender Advanced Threat Protection, he says.) And for faculty and staff members who need to work remotely? “Normally, we tell them to either take their Grand Valley–issued computer home or to use a virtual machine that’s protected.”

The FBI, in its alert about NetWalker, provided institutions with its own list of “recommended mitigations.” Among them: Critical data should be backed up to the cloud or to an external storage device, and any devices with access to a network should be regularly updated with anti-virus or anti-malware software. Strong passwords are key, the agency noted, as is two-factor authentication.

In the end, Fisher says, risk mitigation for any campus network looks basically the same, no matter how many devices are connected. Remote work and online learning may have upped the ante, “but we’re just doing what we’ve always done: trying to do the best we can.”
