Are the people launching cyber-attacks against universities and colleges students or staff, or others familiar with the academic cycle? Or perhaps the bad guys simply take holidays at the same time as the education sector? The troughs, when the number of attacks falls dramatically, always appear during holiday times, says JISC, which provides digital infrastructure and network services to the UK higher education sector.
John Chapman, Head of JISC’s security operations centre, notes that there’s no point sending a DDoS attack to an organisation if there’s no one there to suffer the consequences. Drawing on data collected over the past few years, JISC has released a picture of who may be launching attacks on the UK’s colleges and universities, based on when they do it. Chapman blogged that the usual dip in attacks during summer 2018 started earlier than it did last year.
He said: “The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity – Operation Power Off took down a ‘stresser’ website at the end of April. Stresser sites basically sell DDoS packages to customers who want to attack internet services under the pretence of ‘testing’ them to see how well they would cope with a DDoS attack. Operation Power Off also targeted owners and customers of the stresser service, leading to other similar illicit businesses going offline as well.”
Over a 24-hour day, it’s quieter at night, while the number of attacks starts to ramp up at 8am, peaks between 9am and early afternoon, and then dies off again. Is that staff or students? Chapman concluded that evidence, circumstantial and from the justice system, suggested that students and staff may well be responsible for many of the DDoS attacks JISC sees on the Janet Network. He said: “We can only speculate on the reasons why students or staff attack their college or university – for the ‘fun’ of disruption and kudos among peers of launching an attack that stops internet access and causes chaos, or because they bear a grudge for a poor grade or failure to secure a pay rise.
“Unfortunately, there are far more serious criminal players at work that organisations ignore at their peril. It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.
“The blame could lie with criminals intent on selling information to the highest bidder, a business wanting to uncover a competitor’s secrets, or a foreign power trying to gain political leverage. Security agencies, including the National Cyber Security Centre and the FBI, have already warned of state-sponsored attacks by countries including Russia, and the education sector is just as much at risk as any other in the UK.
“However, despite these very real and serious threats, our 2018 security posture survey among members showed such cyber attacks were not considered a priority by our members, and they should be.”
In cyber security, complacency is dangerous, he concluded.
Nick Murison, managing consultant at Synopsys, said: “Some of this will come down to educating staff and students. Campus networks can feel like safe places for students to try their hand at hacking, with some of the activity being down to curiosity as opposed to any intentional malice. Staff may feel that their data doesn’t warrant much protection as it’s ‘just research data’ that holds little commercial value, and so may not take appropriate steps to secure their systems. University IT departments are constantly battling ‘shadow IT’, with students and staff connecting various systems to the network that are not centrally managed, and are often not secured. Universities should ensure that everyone understands the impact of lax security and ‘messing around’, both through education campaigns and making it clear that there are real-world consequences for violating IT security policies, not to mention the law.
“Any threats are likely to be a combination of internal threats as well as external threats, where external attackers have managed to install malware on internal systems, and are pivoting their attacks from the outside through internal systems. For example, if a Denial of Service attack seems to start and stop based on office hours, this could be down to a member of staff or a student turning their laptop or desktop computer on and off. The user of the computer may be entirely unaware of what is happening.
“Much like dealing with any other threat actor, it comes down to minimising risk through keeping systems up to date, enforcing strong security controls for both internal and external systems, and enforcing principles of least privilege. You cannot simply rely on a strong external perimeter; you have to harden all systems in anticipation of attacks from both the outside and the inside.”