Ed Hudson, CISO at California State University, says a 2020 ransomware attack helped his team make improvements to the university’s overall security infrastructure and processes.

May 10 2022

Universities Share Lessons Learned from Ransomware Attacks

Universities that faced security breaches share advice from their experiences.

Ed Hudson remembers the incident as if it were yesterday.

It was Oct. 1, 2020, recalls Hudson, the CISO at California State University. The largest four-year public university system in the country, CSU has 23 campuses, nearly half a million students, and close to 50,000 faculty and staff. That day, the IT security team at one of those campuses, CSU San Marcos, discovered that hackers had infiltrated its internal network.

The team shut down the initial attack immediately, but later learned the cybercriminals had pilfered passwords that gave them access to campus systems for another month.

“It’s the kind of thing you don’t forget,” Hudson says, explaining how an investigation revealed the hackers had intended to deploy ransomware. The incident was similar to others that had been reported by institutions across a wide range of industries.

READ MORE: What Higher Education Institutions Need to Know About Cyber Insurance

As the FBI Cyber Division noted in a subsequent FLASH alert, the attacks involved the use of a malware called PYSA that could exfiltrate data and encrypt critical systems “to use as leverage in eliciting ransom payments.”

Hudson says the incident served as a wake-up call, both for his department and for CSU. He thinks that the university overall was well prepared to deal with such an attack, “but when we looked across the breadth of the system, some campuses were a little further down the road than others,” he says.

Hudson says his team ultimately decided to see the experience as an opportunity. “We realized we could use it as a chance to make improvements, to learn from what happened and adapt.”

Click the banner below for exclusive content about data protection in higher ed.

Higher Education is a ‘Top Target’ For Cyber Crime

According to a recent Sophos poll of IT professionals, 44 percent of educational institutions suffered ransomware attacks in 2020, and 58 percent of those hit said the attackers successfully encrypted their data. Furthermore, the survey found, the average recovery cost for organizations in the sector (considering everything from downtime to ransom demands paid) came out to more than $2.7 million, which was 48 percent higher than in other industries.

“I think for higher ed in particular, one reason the sector has become a top target has to do with how decentralized a lot of organizations are,” says Frank Kim, a SANS Institute fellow and information security consultant. Especially at the largest universities, he explains, “there can be so many different divisions and systems that it’s difficult to have consistency of controls.”

Any university IT department is well versed in ransomware prevention best practices, Kim adds. “They’re patching, they’re using backups and they’re testing those backups to make sure they work.” The problem is that those cybersecurity tactics still aren’t enough.

“If you’ve got a culture like you do in higher ed, where your people and processes intersect with your technology, then you’re going to see gaps in your coverage, and that’s low-hanging fruit for attackers,” Kim says.

LEARN MORE: What is SASE and how can it protect you from ransomware?

At CSU, Hudson says, an internal review led to a focus on several key areas where the school could improve. Working with consultants, the team conducted a number of Active Directory reviews to ensure security configurations were optimized. They separated networks into tiers to prevent lateral movement in the event of a future breach. They also bolstered system logging and monitoring to improve incidence response capabilities, and they ramped up vulnerability testing of internet-facing systems and services.

His team also reviewed student accounts, closing those deemed to be dormant, and later decided to accelerate a universitywide rollout of multifactor authentication.

“Finally, one of the biggest things we did was put a lot of time and effort into user education,” he says. “Everyone should know what a phishing email looks like. Most of these threats should be easy to identify.”

emisoft.com, “The cost of ransomware in 2021: A country-by-country analysis,” April 27, 2021

Communication Between Departments Can Help Mitigate Incidents

In May 2020, Michigan State University faced a ransomware attack that cost the university more than $1 million. An external investigation determined the school’s physics department had not patched or adequately configured a VPN.

“When the attackers got in, it was easy pickings,” says Tom Siu, CISO at MSU. “They were able to exfiltrate data from a file server, and their malware spread itself throughout the department.”

Although Siu was employed at a different university when the attack took place, he talks about the incident now as if he had been there. “It was a classic example of, ‘It could happen to you,’” he says. “Someone made a mistake and we dealt with the aftermath, and now we’ve turned what we lost into lessons learned.”

A core lesson is that the physics department should not have had permission to manage its own IT operations, Siu says. “Instead of putting resources into basic cyber hygiene — on patching, credential management, things like that — they were focused on research and academics, and whenever there was a conflict, they’d choose against the security control.”

Some of the researchers in the department failed to deploy backups of any kind.

“When their machines were frozen and their servers were wiped, those individuals lost their data,” Siu says.

Headshot of Tom Siu, CISO at Michigan State University
They were able to exfiltrate data from a file server and their malware spread itself throughout the department.”

Tom Siu CISO, Michigan State University

Siu doesn’t blame the researchers for the mistakes, and instead stands by the conclusions of the investigation: There should have been better collaboration between the department and central IT.

“The department didn’t have a clear understanding of why they would need to worry about security,” he says. “That’s on us as an organization. We need to be able to communicate effectively.”

Today, the MSU information security department includes a new team focused on cyber resilience. Should the university experience another ransomware attack, it now has the systems in place to ensure no data is lost, Siu says.

What about the communication piece, and connecting the mission to the work of disparate departments? Siu says that he believes his team has made significant progress there as well.

“One thing that I’d pass on is that the way to do it is with a bit of humility, with your hat in your hand,” he says. “Tell them what you know, but also tell them what you don’t, and you can try to drive the security decision-making closer to where the information is.”

Photography by Matthew Furman

aaa 1

Register