Like almost every other discipline and practice on earth, primary, secondary and higher education were thrown into chaos by the COVID-19 pandemic. Schools, colleges and universities alike had to adapt quickly to a locked-down world, one which radically changed the way they imparted knowledge to their students. The 200-strong lecture theatre for freshers and the 30-pupil year 9 history class were replaced with Zoom lectures and virtually set homework.
This new reality for millions of students was rolled out at lightning speed as the pandemic accelerated, and in many cases it is unfortunately set to continue until the end of 2021. New accounts had to be created at a rapid pace to facilitate this transition, and with in-person learning delayed, the number of these accounts will only keep growing. Putting aside the logistical concerns of a remote education environment, the security concerns are stark, especially given that the education sector still struggles with adequate cyber security, so much so that the NCSC issued a security warning for educational institutions in the UK. Now, with schools and universities alike opting for either remote or hybrid learning models, the threat remains: these new, often weakly protected accounts, along with a lack of visibility, provide an easy entry point for bad actors.
Every one of these student accounts needs to be authenticated, whether the student studies remotely or in person. In the majority of cases this means a password, and human behaviour dictates that passwords do not do the necessary work of protecting an account. A 2019 study conducted by Google and The Harris Poll, for example, found that 52% of people reuse the same password for multiple (but not all) accounts, only 35% use a different password for every account, and, most shockingly, 13% reuse the same password for all of their accounts.
While the security person in me thinks this is an unacceptable personal security standard, the Internet user in me sympathises. A Digital Guardian study in 2019 suggested that the average Internet user has 90 online accounts which require authentication. Remembering a unique password for each of these is not just an overwhelming prospect but a totally unrealistic one. Digital Guardian also found that younger people were the worst culprits for password reuse, with 76% of 18-24 year olds reusing them.
What this means in practice is that schools, universities and colleges are left vulnerable not just by a compromise of an account within their own ecosystem, but also by the compromise of an unrelated account that one of their students holds elsewhere. If that external account is breached and the student uses the same password for an institutional account, an attacker who tries the leaked credentials against the institution's login (credential stuffing) gets in, regardless of how well the institution itself is defended. In fact, a recent study conducted by the UK Department for Digital, Culture, Media and Sport (DCMS) revealed that an especially common issue for colleges this year was account compromise, with 21% of colleges being breached via this vector.
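The cross-site reuse described above is what credential stuffing (and its cousin, password spraying) looks like in an institution's own login logs: one source trying many different accounts with one or two guesses each, rather than one account with many guesses. The following is an added example, not from the original article or any vendor it mentions, of a detector over such logs. The log format (`timestamp user source_ip result`), the sample lines, the IP addresses and the thresholds are all constructed for illustration and would be adapted to a real identity provider's export.

```python
"""Flag 'many accounts, few attempts each, one source' bursts in auth logs.

Added example (not the article's or any vendor's code). Log format and the
sample lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 'timestamp user source_ip result'. Not real data.
# 203.0.113.10 walks through eight accounts once each and lands two of them,
# which is the shape of a credential-stuffing run against reused passwords;
# 198.51.100.7 is one user mistyping their own password.
SAMPLE_LOG = """\
2021-09-20T08:00:01 alice 203.0.113.10 FAIL
2021-09-20T08:00:02 bob 203.0.113.10 FAIL
2021-09-20T08:00:03 carol 203.0.113.10 SUCCESS
2021-09-20T08:00:04 dave 203.0.113.10 FAIL
2021-09-20T08:00:05 erin 203.0.113.10 FAIL
2021-09-20T08:00:06 frank 203.0.113.10 SUCCESS
2021-09-20T08:00:07 grace 203.0.113.10 FAIL
2021-09-20T08:00:08 heidi 203.0.113.10 FAIL
2021-09-20T08:01:00 ivan 198.51.100.7 FAIL
2021-09-20T08:01:05 ivan 198.51.100.7 FAIL
2021-09-20T08:01:09 ivan 198.51.100.7 SUCCESS
2021-09-20T08:02:00 judy 192.0.2.44 SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log window."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, ok)."""
    ts, user, ip, result = line.split()
    return ts, user, ip, result == "SUCCESS"


def summarise(log_text):
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, ip, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def suspicious_sources(log_text, min_users=5, max_attempts_per_user=2.0):
    """Return {ip: sorted accounts that succeeded from ip} for sources that
    tried at least `min_users` distinct accounts with on average no more than
    `max_attempts_per_user` guesses each.

    A legitimate user who forgets a password shows the opposite shape (one
    account, several attempts), so it is not flagged. The successes inside a
    flagged burst are the accounts whose owners most likely reused a password
    that was already breached elsewhere; those are the ones to reset first.
    Thresholds are assumptions for the example.
    """
    flagged = {}
    for ip, s in summarise(log_text).items():
        per_user = s.attempts / len(s.users)
        if len(s.users) >= min_users and per_user <= max_attempts_per_user:
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, hit_accounts in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: stuffing/spraying pattern; force reset for {hit_accounts}")
```

Two caveats a practitioner would add: attackers spread a stuffing run across many source addresses, so the same aggregation should also be run per network block or ASN and, on the account axis, per "new source for this user"; and the detector cannot tell stuffing (leaked username/password pairs) from spraying (one common password against many users) without knowing which password was tried, which the log deliberately does not record. Either way the response is the same: reset the accounts that succeeded inside the burst and block the source.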
This should be of particular concern to educational organisations for a plethora of reasons. Firstly, they hold a significant amount of PII (personally identifiable information). A school, for example, is likely to hold home addresses, email addresses, work addresses and other information about parents, as well as the corresponding information about students. This information can be used not just for traditional cyber crime but, in the most sinister cases, can represent a child protection issue. To put into perspective how valuable a target schools are, in 2020 alone 58% of secondary schools across the UK fell victim to a cyber attack. 2021 was not much different, with various schools targeted by cyber criminals. One of these incidents was felt by 15 schools in the Nova Education Trust, which had to shut down their IT operations, disrupting remote learning.
For higher education organisations the problem is compounded by the likely presence of payment information for students (or parents) who may have paid fees in advance, or paid for halls of residence, sports societies or other goods or services, which gives malicious actors an even stronger motivation to gain a foothold in the network.
Furthermore, a university's research activity can make it a 'crown jewels' target for cyber criminals. This research could pertain to extremely high-value work: COVID-19 vaccines, and groundbreaking medical or nuclear research, to name but a few. Not only would this cutting-edge research be of extreme interest to a cyber criminal gang, who could auction it off to the highest bidder, but it could also be of interest to a hostile nation state, which could fold it into its own national programmes. This thesis is supported by the NCSC, whose 2019 paper stated that: "The threat posed to the university sector sits within the broader context of the threat to the UK as a whole. Over the past two years, the UK government has attributed state-sponsored malicious cyber activity against the UK to Russia, China, North Korea and Iran. There is also a serious and sustained threat to the UK from organised cyber crime."
While criminals who target PII will always attempt to access high-value targets such as schools and universities, there are some basic standards and best practices which organisations can deploy to ensure that their authentication methods do not provide a gateway. One such method is replacing passwords with pattern-based authentication: the user memorises a pattern of positions on a grid rather than a word, and at each login the grid is filled with fresh random digits, so the code the user reads off and types is different every time. A captured code cannot simply be replayed against the next login, the memorised secret itself is never typed, and because the pattern is unique to the individual and the account, the temptation to reuse a password across sites disappears.
Another method is to deploy a password security management system, which can ensure that passwords are safe, secure and compliant with the most up-to-date regulations. Such a system could help not only to secure passwords but also to reduce the workload of helpdesk staff and IT teams at educational institutions, many of whom will have been inundated with access issues as the pandemic rumbled on.
One educational institution that made drastic changes to its cyber security over the past year is the King Fahd University of Petroleum & Minerals (KFUPM) in Dhahran. With the rise of phishing and other dangerous cyber threats, the university wanted to protect itself from breaches, especially as it is home to over 800 academic staff and just under 10,000 students, making it an attractive target for threat actors performing password spraying or credential stuffing attacks. Along with the large number of staff and students increasing the likelihood of a breach, KFUPM is one of the leading world-class educational organisations specialising in scientific research. The university stores treasure troves of information, both individual data and important information regarding two of the most valuable natural resources: minerals and petroleum. As such, KFUPM wanted to ensure the safety of its resources and protect itself from other looming cyber security threats. The university invested in a multi-factor authentication (MFA) solution, removing the weak link in its security measures: passwords. The MFA solution incorporated PINgrid and PINpass technologies, which generate a one-time pattern (which the vendor abbreviates OTP). Rather than needing to memorise a word or phrase, the user is shown a PIN grid, as described above for the pattern-based approach, providing a security barrier that is easy to use and much stronger than a traditional password. As a result, staff and students were able to access their accounts without having to remember yet another password, with their credentials far less exposed to the credential-based attacks above.
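To make the pattern-based mechanism from the two passages above concrete, here is an added toy model of grid-pattern authentication. It is not PINgrid/PINpass or any vendor's code, and the grid size (6x6), pattern length (4 cells), digit alphabet and function names are assumptions chosen for illustration. It shows the enrolment secret, a per-login challenge grid, the one-time code the user derives from it, server-side verification, and, from the attacker's side, how many patterns remain consistent with one or more observed logins.

```python
"""Toy grid-pattern (one-time-pattern) authentication.

Added example: NOT PINgrid/PINpass or any vendor implementation. The user's
long-term secret is an ordered set of grid cells; each login shows a grid of
fresh random digits and the user types the digits under their cells, so the
typed code is one-time. Grid size, pattern length and digit alphabet are
assumptions for illustration.
"""
import secrets
from itertools import product

GRID_SIZE = 6           # 6x6 grid of digits (assumption)
PATTERN_LENGTH = 4      # user remembers 4 cells, in order (assumption)
CELLS = GRID_SIZE * GRID_SIZE

_SYSTEM_RNG = secrets.SystemRandom()   # CSPRNG-backed random.Random API


def new_grid(rng=_SYSTEM_RNG):
    """Fresh challenge: one random digit per cell, generated server-side for
    every login attempt and never reused."""
    return [rng.randrange(10) for _ in range(CELLS)]


def enrol_pattern(rng=_SYSTEM_RNG):
    """Enrolment: the secret is an ordered tuple of distinct cell indices."""
    return tuple(rng.sample(range(CELLS), PATTERN_LENGTH))


def response_for(grid, pattern):
    """What the user types: the digits under their pattern cells, in order."""
    return "".join(str(grid[c]) for c in pattern)


def verify(grid, pattern, typed):
    """Server check of the typed code against the grid it issued for this
    attempt. compare_digest avoids leaking the expected code via timing."""
    return secrets.compare_digest(response_for(grid, pattern), typed)


def consistent_patterns(observations):
    """Attacker's view: every pattern that explains the observed
    (grid, typed_code) pairs, e.g. from shoulder-surfing or a keylogger plus
    screen capture. Each pattern position is narrowed independently to the
    cells whose digit matched in every observation; then the distinct-cells
    constraint is applied. One observation leaves a few hundred candidates;
    every further observed login shrinks the set, which is why a grid like
    this is best used as one factor inside MFA rather than on its own."""
    if not observations:
        raise ValueError("need at least one observed (grid, typed) pair")
    per_position = [
        [c for c in range(CELLS)
         if all(g[c] == int(typed[i]) for g, typed in observations)]
        for i in range(PATTERN_LENGTH)
    ]
    return [p for p in product(*per_position) if len(set(p)) == PATTERN_LENGTH]


if __name__ == "__main__":
    pattern = enrol_pattern()
    grid = new_grid()
    typed = response_for(grid, pattern)     # the user reads this off the grid
    print("grid:", grid)
    print("typed:", typed, "valid:", verify(grid, pattern, typed))
    print("same code replayed against a new grid:", verify(new_grid(), pattern, typed))
    print("patterns consistent with one observed login:",
          len(consistent_patterns([(grid, typed)])))
```

The last function is the check a practitioner should run before calling any such scheme "much harder to replicate": a single observed grid and code already narrows the secret to a few hundred candidates out of 1,413,720 (36 x 35 x 34 x 33) possible patterns, and a second observation typically pins it down. That is a good argument for the article's actual deployment choice, the grid as part of an MFA solution, and for rate-limiting and lockout on the verification endpoint so a candidate set cannot be tested online.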
Ultimately, a system where academic institutions do away with passwords entirely and replace them with a comprehensive and secure programme of MFA would be the gold standard for authenticating safely, but the best practices outlined above are a solid first step on that journey. It is crucial that they are implemented quickly, however: with many universities continuing with online and hybrid lectures during the Autumn term, the opportunities for attackers are as plentiful as ever. IT and security teams at educational institutions need to implement policies which can stop bad actors in their tracks.