Dec 15 2021

What One University Learned After a Ransomware Attack

IT leaders from California State University San Marcos shared lessons learned to help prevent future attacks at other higher ed institutions.

What happens when the largest four-year public university system in the country faces a ransomware attack?

In September 2020, hackers entered the network of California State University San Marcos (CSUSM) and stole encrypted passwords. Although the IT security department was able to contain the unauthorized access, unbeknownst to the university, the cybercriminals continued to use stolen credentials to access campus resources until November.

CSUSM CIO Kevin Morningstar, Information Security Officer John Humes and CSU CISO Ed Hudson sat down with EDUCAUSE on Oct. 27 to share the lessons they learned in hopes of helping prevent future attacks on other universities.


How Hackers Evaded Detection at CSUSM

According to Morningstar and Hudson, the threat actors gained access to CSUSM’s network via outdated student and staff credentials, some dating back to 2015. The credentials belonged to alumni, former students and privileged domain-level service accounts.

The old passwords were weaker than the university’s current standard, which now requires 15 characters for passwords. As Morningstar explained, these kinds of accounts are often created with a “set it and forget it” mentality, making them easy targets for hackers.

Additionally, the threat actors managed to move between accounts. The team would block one avenue, and the attackers would move to another, Morningstar said. The ability to jump between outdated student and service accounts with weak passwords allowed these actors to operate quickly and effectively.


Critical Steps After a Ransomware Attack

Following the breach and detection, CSUSM deployed a series of changes to enhance its security posture. Morningstar and Hudson explained that one of the first measures was a campuswide password change and multifactor authentication implementation. In fact, “prior to this event, all the students that had financial aid had already completed MFA setup,” said Morningstar, so the transition to campuswide MFA was fairly seamless.

Beyond this measure, Hudson said, the larger CSU system partnered with Secureworks to enact a cyber hygiene plan that prioritizes endpoint detection and response (EDR) and extended detection and response (XDR). The plan also includes re-evaluating how long to keep former student accounts active and ensuring domain users have unique credentials for each account they might access.
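One way to make that account-hygiene review concrete, as an added example rather than CSU's or Secureworks' own tooling: a Python audit over a constructed directory export that flags passwords set before the current standard, former-student accounts past a retention window, dormant accounts, and accounts that share a credential. The policy date, retention and dormancy thresholds, account names and hash strings are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str
    kind: str           # "student", "alumni" or "service"
    pwd_last_set: date
    last_logon: date
    cred_hash: str      # constructed placeholder for the stored credential hash


# Assumed thresholds; the article gives the 15-character rule but no dates or windows.
POLICY_DATE = date(2021, 1, 1)   # when the current password standard took effect (assumed)
ALUMNI_RETENTION_DAYS = 365      # how long a former-student account may stay active (assumed)
DORMANT_DAYS = 180               # no logon for this long is suspicious for any account (assumed)


def audit(accounts, today):
    """Return {finding: [account names]} for the hygiene gaps the article describes."""
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    for a in accounts:
        idle = (today - a.last_logon).days
        if a.pwd_last_set < POLICY_DATE:
            findings["password predates current standard"].append(a.name)
        if a.kind == "alumni" and idle > ALUMNI_RETENTION_DAYS:
            findings["alumni account past retention"].append(a.name)
        elif idle > DORMANT_DAYS:
            findings["dormant account"].append(a.name)
        by_hash[a.cred_hash].append(a.name)
    # Identical stored hashes mean one password is reused across accounts, the
    # "unique credentials for each account" gap the CSU plan addresses.
    for names in by_hash.values():
        if len(names) > 1:
            findings["shared credential"].append(sorted(names))
    return dict(findings)


# Constructed directory export; names, dates and hash strings are made up.
SAMPLE = [
    Account("alum2015", "alumni", date(2015, 9, 1), date(2016, 5, 1), "HASH-A"),
    Account("svc_backup", "service", date(2019, 3, 4), date(2021, 10, 20), "HASH-A"),
    Account("student1", "student", date(2021, 3, 2), date(2021, 10, 25), "HASH-B"),
    Account("svc_print", "service", date(2020, 6, 15), date(2021, 4, 1), "HASH-C"),
]
AUDIT_DATE = date(2021, 10, 27)  # constructed audit date

if __name__ == "__main__":
    for finding, names in audit(SAMPLE, AUDIT_DATE).items():
        print(f"{finding}: {names}")
```

Against the sample, the stale alumni account and the backup service account surface together under "shared credential", which is the account-hopping pattern the article describes.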

These efforts were successful, ejecting the threat actors and improving network security.


Cybersecurity Strategies to Consider Moving Forward

The university system learned several lessons from this event. A crucial first step for campuses everywhere is to increase their network visibility. CSU worked closely with Microsoft and Secureworks to implement an incident response plan that broadened visibility and created a tiered security model.

As CSU’s leaders explained, the separation of a Tier 0 network and a Tier 1 network offers better protection for students and system admins. Even if a threat actor were to attain credentials, the siloed environment would prevent lateral movement.

Finally, CSU leaders encouraged other campuses to reconsider the level of access alumni accounts should have. They also emphasized incorporating EDR and XDR into campus’s incident response plans to enable earlier detection and quicker action. The combination of these efforts and measures can greatly improve a campus’s security posture and protect future users.
