Lincoln College (a private IL college named for Abraham Lincoln) announced that it is closing as a result of the financial burdens of the pandemic and a devastating December 2021 cyberattack “that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections. All systems required for recruitment, retention, and fundraising efforts were inoperable.” Lincoln is a historically black college (HBCU) that’s previously survived a major fire, the Civil War, WWI, WWII, and recent US turmoil and wars. Five top cybersecurity experts offer thoughts for consideration.
The education sector continues to make for attractive targets as it’s very rare that a university focuses on its cyber security stack as its #1 priority. As the majority of colleges in the US, especially ones who are not focused on protecting the intellectual property of their research institutes, have neither the staff nor the budget to implement next generation cyber tools to combat next generation cyber attacks, the effort to payoff is several tiers lower than any other industry as a whole. With little defense, but high payout monetarily and a huge database of personnel and student personal data, if an attacker is unable to receive payment, the immense amount of human intelligence that can be gathered, especially targeting soon-to-be-workforces, is often enough to satiate the hunger of an attacker. As such, it’s a civic duty for institutes to enforce a strict cyber security process to protect the nation’s next generation of brain trusts.
Recent studies have shown that the education sector tied retail for highest level of ransomware attacks, with more than 40 percent saying they were hit by ransomware, 58% had their data encrypted by criminals, 35% paid an average ransom of $112,435, and those who paid were only returned 68% of their data. These staggering statistics paint a picture of educational institutions struggling to float above water as ransomware attack tools become more accessible for criminals. Ultimately, the industry of education as a whole embodies the principle that security and convenience are inversely related.
With a broad range of technology skills, new security measures will naturally be uncomfortable at first, but a zero-trust approach costs next to nothing to the organization and is proven to save companies almost half of data breach costs. Regardless of the size of an endowment, the priority of governing boards across all universities should first identify cyber security as a priority, followed by an analysis of what zero-trust might look like in the existing stack, short of purchasing any new tools. The most important step, however, is once a new policy, config, stack, etc., is implemented, to verify from the attacker’s perspective that the solution actually works as intended.
Identities are the “gift that keeps on giving” to hackers. And schools (like hospitals, governments, retailers) have a lot of identities. These are all a very attractive target for attackers. Once the identity trove is stolen, the identity information can be used to attack other resources, sold online, or often, because enough data is obtained, create credit cards and other credit vehicles in the name of the identity.
All resources – but especially those with identities – need to protect their data. As the TL Storm 2.0 attack on network switches showed – there is no moat around the enterprise. The best defense is a defense around and for the protection of identities. Credential attacks are over 65% of the attacks. Identity knowledge of who has what and what changed is paramount to cyber security.
Like small businesses, educational institutions are increasingly victims of ransomware attacks with devastating consequences. A “perfect storm” of negative factors has converged and includes: 1) the automation of attack methods allowing hackers to efficiently attack small targets, 2) the rise of Ransomware-as-a-service allowing individual bad actors with limited skills to attack small targets, and 3) the limited IT security experience and budgets prevalent at these small targets. Consider that 60% of small businesses fail within six months of a successful ransomware attack and you understand why we will likely see a lot more of this in the future.
Education institutions are attractive targets for ransomware and other data breaches as they typically underinvest in cybersecurity due to budgetary considerations and any disruption causes widespread alarm within the community. Further, the decentralized and remote nature of the student population, combined with loosely managed open access lab environments, is the perfect combination to manifest several vulnerabilities and internal and external attack vectors.
Education institutions should consider a converged Zero Trust SD-WAN and VPN approach that protects critical assets and resources with a series of layered defenses. Sensitive targets such as management networks, databases, internal applications as well as IoT devices can be obfuscated, making them invisible to threat actors. Eliminating inbound Internet ports by using private IP connections can eliminate firewall rule complexity as well as the creation of perimeter holes. The converged approach can protect all endpoints and locations with microsegmentation and user level access control.
Attacks such as these tend to be of the disruptive type. There is generally one of three motivations to any attack: Money, Information, or Disruption. In most cases when there is an attack on a public institution similar to this, it is either accidental (not targeted) or meant to disrupt the institution from providing services. The most productive way for organizations like Lincoln College to prevent this sort of attack is to properly institute a more effective endpoint protection product.
The number of users on a campus for a college makes training of the user population difficult at best and proves to be such a large surface area that it is almost impossible to ensure complete coverage. Segmenting networks to prevent lateral movement from systems which do not need access, and proper preventative policy in place on especially the most critical systems, are going to be the balance between cost and effectiveness. Not every device on a campus needs to have the best prevention software, but the main systems and servers which allow the campus to function should at the very least be covered.