NCSC warns of ransomware attacks against UK universities – experts' reaction

Today, the NCSC issued an alert on ransomware attacks against the UK education sector. Cybersecurity experts react below.

Expert Comments

September 18, 2020
Carl Leonard
Principal Security Analyst
Forcepoint
The past few months have seen an array of organisations come under some high profile cyberattacks – malicious actors know the public and private sector alike is more reliant on digital capabilities than ever before, and so they’re taking full advantage to profit wherever they can. What’s more, a malicious insider would also recognise that their organisation is being presented with challenges in securing a now remote workforce. As many students begin what is expected to be an almost entirely virtual university year, there has never been a more important time for educational institutions of all kinds to take their cloud security seriously – especially when there is such a particular duty of care to their students and staff. Effective cloud security, along with other measures to protect and back up data, can stop threats like ransomware in their tracks, as no organisation should be forced into the position of handing over money to cybercriminals. Everything from student exam results and other personal data, right up to valuable proprietary research, is increasingly stored in an array of locations, cloud services and IT devices. Cybersecurity provisions need to be able to accommodate this new reality. The traditional rules-based approach to security is far too reactive and slow to respond to changes in this kind of environment. Malicious actors are constantly searching for vulnerabilities and ways into networks, and it only takes one opportunity to give them a way in. A paradigm shift in security is needed towards behaviour-centric systems, rather than those focused solely on threats. It’s only by doing this that the signal is able to be separated from the vast amounts of noise.
September 18, 2020
Joseph Carson
Chief Security Scientist & Advisory CISO
Thycotic
The challenge with educational institutions is they operate with a high retention - meaning that students come and go - so maintaining cybersecurity is a huge challenge and means that these establishments must adopt a strong identity and access management with a solid privilege access management solution. Many students connect their personal devices to the education’s networks and, with almost no security controls applied, this leaves networks wide open to abuse. We need to ensure our future generations have sufficient cybersecurity awareness training and security solutions that protect their devices. Not only do educational institutions have to deal with a high rotation of students but they also engage in a significant amount of research which is a valuable target for cybercriminals both for ransomware targets but also for IP theft which they could sell on the dark net. Cybersecurity practices at educational institutions are far from the best practices, meaning they are at a higher risk of becoming an easy target and victim of lucrative ransomware cybercriminals.
September 18, 2020
Jamie Akhtar
CEO and Co-founder
CyberSmart
It's not surprising that the NCSC is trying to raise awareness around security in education. Cybercriminals are opportunists and they will target any industry they sense is distracted by other obligations. In May 2020, Microsoft Security Intelligence found that 61 percent of nearly 7.7 million enterprise malware encounters came from those in the education sector, making it the industry most affected by the increase in breaches during the lockdown. But long before COVID, education has been one of the most vulnerable industries. The shift to online and distance learning and the vast amount of personal data held by schools, coupled with a lack of IT resources for protection, has meant that the education sector is ripe for attack. Last year, a hacker-simulation test proved 100% successful in breaching 50 universities across the country to access student and staff personal data, financial systems, and valuable research networks. It's no surprise that this year the UK government made Cyber Essentials, its security certification scheme that covers the fundamentals of cyber hygiene, a requirement for state funding for educational institutions working with the Education and Skills Funding Agency. Following the fundamental rules of cyber hygiene like strong password protection, up-to-date software, and enabled firewalls can go a long way in preventing breaches.
September 18, 2020
Tim Sadler
CEO
Tessian
It’s important to remember ransomware attacks are often delivered via phishing emails, so it’s concerning to see that nearly all of the top 20 UK universities do not have DMARC policies in place to protect their domains from being spoofed by scammers. We have seen hackers capitalise on key moments throughout the pandemic using phishing attacks, so it’s likely they will use this ‘back to school’ momentum to their advantage too, impersonating trusted universities to try and steal valuable personal and financial information. The problem is that without DMARC records in place, or without having DMARC policies set up to ‘reject’, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a colleague, fellow student, professor or administrator at their university. If you receive an email from your university asking for urgent action, question the legitimacy of the request and if you’re not sure, contact the university directly to verify. It’s also important to note that while DMARC is a necessary first step to preventing domain impersonation, it has its downfalls and hackers will find ways around it. For example, DMARC won’t stop lookalike domains, and hackers can register domains that look similar to an organisation’s domain, betting on the fact that people won’t notice the slight change. Given that DMARC records are also inherently public, an attacker can use this information to select their targets and attack method simply by identifying institutions without an effective DMARC record. So as universities start to welcome students back - and inundate inboxes with updates about online learning and social distancing - it’s critical that they take action to build robust security measures that can protect their staff and students against email scams.
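As an added illustration of the distinction drawn in the comment above between having no DMARC record, having one, and having one set to ‘reject’ (this is not part of the original comments and is not Tessian's code), the Python sketch below classifies the TXT strings published at `_dmarc.<domain>` for a domain an administrator is auditing. The domains, records, function names and verdict labels are all constructed for the example.

```python
# Added example: classify DMARC TXT records by how much spoofing protection
# they request. Domains and records below are constructed samples, not lookups.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must start with the v=DMARC1 tag or it is discarded.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess(txt_records):
    """Return (verdict, reason) for the TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "no-policy", "no DMARC record published"
    if len(records) > 1:
        # Receivers stop DMARC processing when several records are returned.
        return "no-policy", "multiple DMARC records, so none is applied"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "no-policy", "p= tag missing or invalid, no enforcement requested"
    if policy == "none":
        return "monitor-only", "p=none asks for reports but blocks nothing"
    if policy == "quarantine":
        return "partial", "failing mail goes to spam instead of being refused"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct falls back to the default
    if pct < 100:
        return "partial", f"p=reject applied to only {pct}% of failing mail"
    if tags.get("sp", policy).lower() != "reject":
        return "partial", "subdomain policy (sp=) is weaker than reject"
    return "enforced", "p=reject for the domain and its subdomains"


# Constructed sample data: TXT strings as they might appear at _dmarc.<domain>.
SAMPLES = {
    "alpha-university.example": [],
    "beta-university.example": ["v=DMARC1; p=none; rua=mailto:dmarc@beta-university.example"],
    "gamma-university.example": ["v=DMARC1; p=quarantine; pct=50"],
    "delta-university.example": ["v=DMARC1; p=reject; sp=none"],
    "epsilon-university.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@epsilon-university.example"],
    "zeta-university.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


def audit(samples):
    """Map each domain to its verdict."""
    return {domain: assess(records)[0] for domain, records in samples.items()}


if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        verdict, reason = assess(records)
        print(f"{domain:32} {verdict:13} {reason}")
```

Only the `enforced` verdict corresponds to the ‘reject’ setup the comment calls for; as the comment also notes, no verdict here says anything about lookalike domains, which DMARC does not cover.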
September 18, 2020
Chris Boyd
Lead Malware Intelligence Analyst
Malwarebytes
One major problem faced by universities is that while they can bolster their own defenses, it could be a bridge too far to secure all of their students studying remotely. If attackers find campus networks too difficult to breach, they'll likely turn attention to students who could still end up providing another route past security protocols. We'd urge all students to keep up to date with the latest best practice guidance issued by their university and help to keep everyone secure.
September 18, 2020
Mark Nicholls
CTO
Redscan
UK universities are among the most well-respected learning and research centers globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students, and intellectual property against the latest cyber threats. The fact that such a large number of universities don’t deliver cybersecurity training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches. Even at this time of intense budgetary pressure, institutions need to ensure that their cybersecurity teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding. The threat posed to universities by nation-state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.
September 18, 2020
Andy Warren
UK&I Director
Veritas Technologies
2020 has shown us that when it comes to ransomware attacks, it is a matter of if, not when. With many students relying on virtual lectures, downtime caused by ransomware will have a massive impact on their education and on universities' ability to provide the services they charge for. And this is to say nothing about data compliance. Breaches can do some serious, long-lasting damage. The best defense against this constantly evolving threat is a comprehensive approach to data security involving staff and student education, intrusion security, email and spam filters, antimalware, endpoint protection software, and backups. Data is arguably the single most precious asset to a university but, to keep it safe, you need a strong foundation of management and best practice. If a robust data protection solution is in place and hackers demand ransom, universities can walk away from the criminal's threats safe in the knowledge that they have alternative copies of their data stored safely elsewhere.
September 18, 2020
David Hartley
Technical Director
F-Secure
Over the past 5 years or so since the inception of CBEST, which served as a catalyst for industries and sectors looking to subject themselves to resilience assurance activities, F-Secure’s Red Team has been able to successfully realise CNE (Computer Network Exploitation), facilitating recon and espionage, as well as CNA (Computer Network Attack). This allowed us to cause damage, destroy, or disrupt computer networks, as part of our contracted breach and attack simulation services. The reality is though, that they haven't quite kept pace with the TTPs employed by all threat actors. In some cases, as there is a reliance on MSSP / 3rd parties, their contracts have been restrictive. But the needle has shifted and progress made in their resilience. However, there is no need to panic, the cyber security landscape 5 years ago was more dire than it is today. We're not impenetrable but we can put up a fight against China, Russia, Iran etc. It is not the case that we are sitting around and doing nothing.
September 18, 2020
Stuart Sharp
VP of Solution Engineering
OneLogin
The education sector is no different from any other industry, COVID-19 has accelerated its digital transformation programs. Accompanying this is a rise in ransomware attacks as we’ve seen in recent headlines. Fortunately, securing such institutions from an attack largely comes down to cyber hygiene - steps that have been laid out by the NCSC. Chief among them is the implementation of multi-factor authentication. This reduces the risk of attack by increasing the complexity of the exploit for the malicious attacker, as they must gain access to multiple authentication factors such as password, one-time token, and/or certificates. Generally speaking, they have a short period of time to do this prior to the authentication attempt expiring. Security awareness training is also key in preventing employees and students from falling for phishing attacks, a common attack vector. While the NCSC’s guide is helpful, it is irrelevant if educational institutions do not take action to apply the necessary measures.
September 18, 2020
Ashish Gupta
CEO
Bugcrowd
Vulnerabilities exist in every platform, including Learning Management Systems (LMS) used by schools to enable remote learning. However, with the speed schools have been pushed to enable widespread remote learning, there is an even greater chance that their developers inadvertently create or are completely unaware of severe flaws adversaries can exploit to launch devastating attacks. This specific news highlights the responsibility that both higher education and even K-12 schools have for not only the physical safety of students, but now the digital protection of students’ data as well, especially as these education institutions implement LMS solutions on the fly. Failing to ensure security at the scale needed will grant attackers access to large quantities of student and even teacher information, as well as the ability to inject ransomware into insecure school networks. Virtual learning is uncharted territory for most schools, and there are precautionary steps they must take to ensure secure and seamless virtual learning experiences. By harnessing the power of external security researchers via bug bounty or vulnerability disclosure programs (VDPs), school IT teams can proactively be alerted of and disclose vulnerabilities before an attacker exploits them.
September 18, 2020
Jake Moore
Cybersecurity Specialist
ESET
As increasing numbers of both staff and students log in from home, remote users must be reminded of the potentially catastrophic dangers of phishing emails. Everyone should treat attachments and links with the utmost caution, but this is especially important when out of the more secure office environment. Data security must remain the highest priority for businesses who have remote workers – or, in the case of educational institutions, remote learners – as phishing emails are constantly evolving to manipulate victims. Furthermore, whilst at home, those targeted often don’t have anyone to turn to for confirmation of an email’s authenticity. When receiving unsolicited emails, the best advice is to err on the side of caution and conduct verification checks where necessary, and avoid links to unknown sites and locations.
September 17, 2020
Matt Aldridge
Principal Solutions Architect
Webroot
It’s unsurprising that education institutions continue to be targets for cybercriminals, especially considering they can be large sprawling organisations that are hard to administer and secure. Balancing resources between their mission of educating their students and the need for cybersecurity is an ongoing challenge. For cybercriminals, now is the perfect time to cause disruption as students start the term. In order to limit the impact of these attacks, the NCSC has done the right thing by sending out a warning to these organisations and encouraging them to take action. As the education sector is a huge pool of sensitive data, we recommend all institutions plan for cyber resilience to protect their IT infrastructure and data regardless of the recent increase in risk. Often, precious data is sat on individual students’ laptops/desktops as well as institutional servers, so monitoring of access related to personal devices and the massive challenge of stolen credentials can pose real difficulties for IT departments, along with the backing up of this data. Cloud-hosted solutions can help greatly here if deployed in good time. Staff training is also essential to defend against phishing attacks and business email compromise. The training materials used need to be updated continuously to reflect the latest threat trends, and regular simulations should be run to ensure that the training has the desired effect. In summary, educational institutions need to ensure they are not the low hanging fruit that makes easy pickings for cybercriminals.
September 17, 2020
Jamie Collier
Intelligence Analyst
Mandiant Threat Intelligence
The influx of attacks against universities at the beginning of term is indicative of threat actors' ultimate aim with ransomware attacks - to maximise leverage and increase the chance of being paid. Sometimes leverage means compromising particularly sensitive data, or a particularly critical system, but sometimes it just comes down to timing. The start of term is a critical time for universities trying to onboard students and their IT infrastructure being held to ransom will cause major operational issues, especially this year. This leverage makes universities an attractive target, just as retailers are attacked more during the festive season. However, the issue for universities is compounded by the fact that they have a large and complicated network - which has to account for many departments, students using their own devices, and sophisticated computing systems for research - making it difficult to enforce blanket security controls. The attack surface is large and constantly evolving, which means there are more opportunities for attackers to exploit it. Moreover, the data universities hold, including valuable or sensitive research and intellectual property, as well as thousands of students' personal information, means that there is a lot at stake. While ransomware is a complex threat, mitigation must start with the basics. Universities should ensure they are patching vulnerabilities quickly, enforcing remote desktop protocols, and putting controls in place to stop phishing attacks. These are the most common entry points for ransomware. Universities also need to use threat intelligence to identify the most likely ransomware attacks they will face so they can put the correct protection measures in place. Ransomware groups are increasing and diversifying, which is why we are seeing more attacks.
Only by identifying the techniques and methods of the most likely ransomware families for their region or the types of data they hold can universities be better prepared for the attacks they may face.
September 17, 2020
Andy Swift
Head of Offensive Security
Six Degrees
Although disappointing, cybercriminals' focus on the education sector is hardly a surprise. Many schools, colleges and universities that have pivoted from classrooms to online learning have focused on deploying supporting technologies without giving due diligence to the cyber security risks they have introduced. Cybercriminals know this, and the successful ransomware attacks they have launched to date will only continue. Schools, colleges and universities have put a lot of effort into keeping staff and students safe from physical dangers. But now is the time to start thinking virtually too, and that means going on their own cyber security journeys. As a first step, by carrying out cyber security assessments these institutions can establish their risk appetites, understand the cyber security risks they face, and align their cyber security postures to ensure they continue to provide excellent learning experiences whilst protecting their staff and students in this new operating reality.