The paper proposes that universities seek adoption of a new British Standard on cyber risk and resilience, BS31111:2018. It warns that malware can lock researchers out of their files and demand a ransom, or that a Distributed Denial of Service (DDoS) attack can disrupt exam-time revision. Jisc’s Security Operations Centre handles more than 6,000 incidents or queries a year. Not all of them are related to data breaches, but some are, and higher education institutions need to plan how to react when a breach does occur, the paper says.
Dr John Chapman, head of Jisc’s security operations centre and the author of the report, said: “Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.
“While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber security knowledge, skills and investment. To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences.”
In 2018, more than 1,000 DDoS attacks were detected against 241 UK education and research institutions. Analysing the timings of these attacks has led Jisc to surmise that many of them are ‘insider’ attacks launched by disgruntled students or staff.
There are reported cases of criminal or state-sponsored cyber attacks. Jisc’s own chief executive and finance department have been targeted by spear-phishing emails, or ‘CEO fraud’, whereby genuine-looking emails use social engineering methods, impersonating senior members of staff, with the aim of deceiving accounts staff into sending funds to the fraudsters.
Oxford-based HEPI says it is seeing cyber risk being managed solely by the information technology function, ‘but this approach is a big mistake as cyber risks affect all operations’; cyber security, it claims, needs wider governance and management attention. The paper ends by proposing a role for regulators, as the ‘arms race’ between attackers and defenders continues.
Nick Hillman, director of HEPI, said: “Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured.
“The two main functions of universities are to teach and to research. Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access.
“Despite the challenges, cyber security is an area where we know how to make a difference, especially when there is leadership from the top. University managers and governors need to address cyber security issues, including through the new British Standard on cyber risk and resilience. Meanwhile, regulators need to consider imposing minimum cyber security and network requirements to keep students and staff safe.”
Laurie Mercer, a security engineer at HackerOne, said: “Many hackers start hacking during or even before university. Universities may think that they lack security knowledge and skills, when actually they are sitting on a gold mine of hidden talent. One great way to mine for this talent is a ‘students only’ bug bounty programme, where students are encouraged to help universities find security vulnerabilities, and in return, the universities reward them with bounties and even course credits!”
And Dean Ferrando, senior systems engineer at Tripwire, said: “Universities are appealing targets for cyber criminals. Aside from the obvious value of intellectual property, university servers store an incredible amount of personally identifiable data of their students and staff, which criminals can use for all sorts of purposes, from credential stuffing attacks, to more sophisticated identity theft scams. While adopting new solutions can help organisations protect their assets, it is by creating a solid cybersecurity foundation that universities can truly minimise the risk of a breach. This includes thorough training of students and staff about the threats that can come through their inbox, as phishing campaigns still manage to get around email filtering systems and unfortunately continue to be successful attack vectors.”
Picture by Mark Rowe; main building, Aston University.