Following the news around hackers stealing more than $800,000 from Cape Cod Community College last week through an email phishing scam, Matt Radolec, Security Architect Manager at Varonis, offers the following comment.
Matt Radolec, Security Architect Manager at Varonis:
“Although the exact details of this attack aren’t clear, a few likely pitfalls in this space come to mind:
- Lack of security/control on the compromised endpoint. If a student, faculty or staff member of the university was using their own machine, they may not have the same security controls, like anti-malware, which may be on a university-provided computer.
- Lack of security awareness by the compromised user. With so much education going on at institutions, there may not be enough of a focus on how to avoid social engineering scams, especially those well-crafted phishing emails.
- Lack of security controls to protect the money. If institutions treated their information systems like they would a bank vault, surely $800,000 wouldn’t have walked out the door. Most public organizations have a near wide-open access model to ensure all users can access and share information rapidly to drive innovation. This comes at the price of overlooking the least privilege model completely and perhaps forgetting to secure internal systems while still allowing for easy collaboration between students and teachers.
Organisations should treat their computer systems like physical assets which need protecting, make sure all the right security controls are in place all the time, educate all users on how attackers are after their information, and provide a defence-in-depth program built on the concept of least privilege and limiting who can access what, and when.”