To Improve Security, Watch Everything
The risks posed to higher education by malware and other cyberthreats are certainly nothing new. The difference now is in the sheer volume of attacks taking advantage of the growing number of threat vectors cybercriminals have at their disposal.
The current glaring weak point for colleges and universities is the vast array of endpoints now connected to their systems following the pivot to remote learning.
The more time students, faculty and staff members spend online, and the more devices they use to communicate and work, the greater the access would-be hackers have to their campus networks. “I worry about the risks every day,” says Bill Fisher, associate director of technical services in the IT department at Grand Valley State University. Since COVID-19 arrived, Fisher notes, GVSU has managed to keep its network safe. “But we’ve had to deal with ransomware a couple of times in the past, so we get the danger. It’s a real threat.”
Also on Fisher’s list of top concerns are other forms of pandemic-inspired cyberthreats, from denial of service attacks to videoconference intruders. In the early months of the COVID-19 crisis, the FBI’s Internet Crime Complaint Center noted it was fielding around 4,000 cybercrime reports per day, four times the average number of cases. Again, Fisher says, GVSU has been fortunate. “I don’t want to jinx myself, but we’re doing OK. Our approach has been to watch everything very closely and, if we find a vulnerability, we just try to take care of it.”
Some schools haven’t been so lucky. Last semester, for example, three universities reported videoconferencing attacks that disrupted remote classes in progress. At another, an April virtual event for the school’s African American student association was crashed by white supremacists who displayed racist imagery on participants’ screens. Still another school weathered a similar attack in June: During a videoconference meeting for around 500 people, hackers broke in with racist and anti-Semitic commentary the school’s president later described as “vile, violent and threatening.”
When it comes to the reported NetWalker attacks, on the other hand, their impact on school communities hasn’t always been as clear. Some schools have paid hackers the ransom required to recover stolen data, but others have refused.
Cybersecurity Best Practices for Higher Education
What should higher education IT leaders keep in mind as they guide their schools toward further remote work and learning? Brian Kelly, director of the cybersecurity program at EDUCAUSE, suggests leaning heavily on the information security professionals who already understand the IT systems on your campus. “I think most institutions already have the foundation they need to respond to these threats,” he says. “If there’s a lesson to be learned from the COVID-19 crisis, it’s that your cybersecurity and privacy folks are there to help you. They can be your enablers.”
Collaborate with your IT team to provide educational resources to your campus community that spell out cybersecurity best practices, Kelly says. Cybercriminals tend to infiltrate networks by capitalizing on end users’ mistakes. Teaching students, faculty and staff what to do and what to avoid goes a long way toward ensuring network safety.
For videoconferencing specifically, GVSU’s Fisher also recommends focusing resources on end users. His department, like many others, has posted security tips on the school’s website, offering advice on everything from how to lock a meeting to how to change Zoom’s settings so only the host can share the screen. (Zoom has published guidance on this subject as well.)
“You have to trust your students not to share the links to meetings, so there’s no foolproof way” to use Zoom or any other videoconferencing application, Fisher notes. But “assuming your invited participants are reasonable,” it’s a relatively safe tool to use.
On the topic of ransomware, Fisher says his department favors zero trust and least privilege, where network users are granted access only to what they need. With such protocols in place, he says, most hacks can either be thwarted or contained. If the breach were to occur through a computer used by someone in human resources, for example, hackers “might get access to the folders used by HR, but that’s it. They won’t see anything else.”
If data is stolen, Fisher says, his team has confidence that its backup systems will allow it to recover anything critical. (GVSU uses Microsoft Defender Advanced Threat Protection, he says.) And for faculty and staff members who need to work remotely? “Normally, we tell them to either take their Grand Valley–issued computer home or to use a virtual machine that’s protected.”
The FBI, in its alert about NetWalker, provided institutions with its own list of “recommended mitigations.” Among them: Critical data should be backed up to the cloud or to an external storage device, and any devices with access to a network should be regularly updated with anti-virus or anti-malware software. Strong passwords are key, the agency noted, as is two-factor authentication.
In the end, Fisher says, risk mitigation for any campus network looks basically the same, no matter how many devices are connected. Remote work and online learning may have upped the ante, “but we’re just doing what we’ve always done: trying to do the best we can.”