Today, the NCSC has issued an alert on ransomware attacks against the UK education sector. Cybersecurity experts reacted below.
Today, the NCSC has issued an alert on ransomware attacks against the UK education sector. Cybersecurity experts reacted below.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The past few months have seen an array of organisations come under some high profile cyberattacks – malicious actors know the public and private sector alike is more reliant on digital capabilities than ever before, and so they’re taking full advantage to profit wherever they can. What’s more, a malicious insider would also recognise that their organisation is being presented with challenges in securing a now remote workforce. As many students begin what is expected to be an almost entirely virtual university year, there has never been a more important time for educational institutions of all kinds to take their cloud security seriously – especially when there is such a particular duty of care to their students and staff.
Effective cloud security, along with other measures to protect and backup data, can stop threats like ransomware in their tracks, as no organisation should be forced into the position of handling over money to cybercriminals. Everything from student exam results and other personal data, right up to valuable proprietary research, is increasingly stored in an array of locations, cloud services and IT devices. Cybersecurity provisions need to be able to accommodate this new reality.
The traditional rules-based approach to security is far too reactive and slow to respond to changes in this kind of environment. Malicious actors are constantly searching for vulnerabilities and ways into networks, and it only takes one opportunity to give them a way in. A paradigm shift in security is needed towards behaviour-centric systems, rather than those focused solely on threats. It’s only by doing this is the signal able to be separated from the vast amounts of noise.
The challenge with educational institutions is they operate with a high retention – meaning that students come and go – so maintaining cybersecurity is a huge challenge and means that these establishments must adopt a strong identity and access management with a solid privilege access management solution. Many students connect their personal devices to the education’s networks and, with almost no security controls applied, this leaves networks wide open to abuse. We need to ensure our future generations have sufficient cybersecurity awareness training and security solutions that protect their devices.
Not only do educational institutions have to deal with a high rotation of students but they also engage in a significant amount of research which is a valuable target for cybercriminals both for Ransomware targets but also for IP theft which they could sell on the dark net. Cybersecurity practices at educational institutions are far from the best practices meaning they are at a higher risk of becoming an easy target and victim of lucrative ransomware cybercriminals.
Over the past 5 years or so since the inception of CBEST, which served as a catalyst for industries and sectors looking to subject themselves to resilience assurance activities, F-Secure’s Red Team has been able to successfully realise CNE (Computer Network Exploitation), facilitating recon and espionage, as well as CNA (Computer Network Attack). This allowed us to cause damage, destroy, or disrupt computer networks; as part of our contracted breach and attack simulation services.
The reality is though, that they haven\’t quite kept pace with the TTPs employed by all threat actors. In some cases, as there is a reliance on MSSP / 3rd parties, their contracts have been restrictive. But the needle has shifted and progress made in their resilience.
However, there is no need to panic, the cyber security landscape 5 years ago was more dire than it is today. We\’re not impenetrable but we can put up a fight against China, Russia, Iran etc. It is not that case that we are sitting around and doing nothing.
It\’s not surprising that the NCSC is trying to raise awareness around security in education. Cybercriminals are opportunists and they will target any industry they sense is distracted by other obligations. In May 2020, Microsoft Security Intelligence found that 61 percent of nearly 7.7 million enterprise malware encounters came from those in the education sector, making it the industry most affected by the increase in breaches during the lockdown. But long before COVID, education has been one of the most vulnerable industries. The shift to online and distance learning and the vast amount of personal data held by schools, coupled with a lack of IT resources for protection has meant that the education sector is ripe for attack. Last year, a hacker-simulation test proved 100% successful in breaching 50 universities across the country to access student and staff personal data, financial systems, and valuable research networks.
It\’s no surprise that this year the UK government made Cyber Essentials, its security certification scheme that covers the fundamentals of cyber hygiene, a requirement for state funding for educational institutions working with the Educational and Skills Funding Agency. Following the fundamental rules of cyber hygiene like strong password protection, up-to-date software, and enabled firewalls can go a long way in preventing breaches.
The education sector is no different from any other industry, COVID-19 has accelerated its digital transformation programs. Accompanying this is a rise in ransomware attacks as we’ve seen in recent headlines. Fortunately, securing such institutions from an attack largely comes down to cyber hygiene – steps that have been laid out by the NCSC. Chief among them is the implementation of multi-factor authentication. This reduces the risk of attack by increasing the complexity of the exploit for the malicious attacker, as they must gain access to multiple authentication factors such as password, one-time token, and/or certificates. Generally speaking, they have a short period of time to do this prior to the authentication attempt expiring. Security awareness training is also key in preventing employees and students from falling for phishing attacks, a common attack vector. While the NCSC’s guide is helpful, it is irrelevant if educational institutions do not take action to apply the necessary measures.