Following the news that hackers stole more than $800,000 from Cape Cod Community College last week through an email phishing scam, Matt Radolec, Security Architect Manager at Varonis, offers the following comment.
Matt Radolec, Security Architect Manager at Varonis:
“There has been another hack where the human element was exploited. When will people learn we must not provide access to computers to anyone, especially if it’s a large university or other public organization, where security-minded individuals are often the minority? All jokes aside, humans are the weakest element of any security program, and there is no shortage of people at a university. Students, faculty, and staff of these large institutions are working around the clock, creating a huge priority for 24/7 convenient access to technology. This constant easy access opens many avenues of attack or threat vectors for these public institutions. Often, security controls which would be found in similarly sized private organisations don’t exist in the public sector, whether due to complexity or lack of funding. This creates gaps in defensive posture which attackers know to exploit.
Although the exact details of this attack aren’t clear, a few likely pitfalls in this space come to mind:
- Lack of security/control on the compromised endpoint. If a student, faculty or staff member of the university was using their own machine, they may not have the same security controls, like anti-malware, which may be on a university-provided computer.
- Lack of security awareness by the compromised user. There is so much education going on at institutions that there may not be enough of a focus on how to avoid social engineering scams, especially those well-crafted phishing emails.
- Lack of security controls to protect the money. If institutions treated their information systems like they would a bank vault, surely $800,000 wouldn’t have walked out the door. Most public organizations have a near wide-open access model to ensure all users can access and share information rapidly to drive innovation. This comes at the price of overlooking the least privilege model completely and perhaps forgetting to secure internal systems while still allowing for easy collaboration between students and teachers.
Organisations should treat their computer systems like they are physical assets which need protecting, make sure all the right security controls are in place all the time, educate all users on how attackers are after their information, and provide a defence-in-depth program built on the concept of least privilege and limiting who can access what, and when.”