The NCSC have announced extra support for academic institutions across the UK, in the form of additional guidance, in response to ransomware attacks on networks within the education sector.
According to the report, common ransomware infection vectors have included remote desktop protocol (RDP), vulnerable software or hardware, and phishing emails.
Paul Chichester, director of operations at the NCSC, said: “This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible.
“While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted.
“We are absolutely committed to ensuring UK academia is as safe as possible from cyber threats, and will not hesitate to act when that threat evolves.”
Half of UK universities affected
An FOI campaign from Redscan to the Information Commissioner’s Office (ICO) revealed that half of UK universities reported a data breach within the last 12 months. Recently affected bodies include Newcastle University and Northumbria University.
“UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats,” said Mark Nicholls, CTO of Redscan.
“The fact that such a large number of universities don’t deliver cyber security training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches.
“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.”
“The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.”
Insufficient DMARC policies
Research from Tessian into the top 20 UK universities revealed that 30% do not have Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies in place, while 60% haven’t had policies set up to prevent mimicking or impersonation of email domains.
“It’s important to remember that ransomware attacks are often delivered via phishing emails, so it’s concerning to see that nearly all of the top 20 UK universities do not have DMARC policies in place to protect their domains from being spoofed by scammers,” said Tim Sadler, CEO of Tessian. “We have seen hackers capitalise on key moments throughout the pandemic using phishing attacks, so it’s likely they will use this ‘back to school’ momentum to their advantage too, impersonating trusted universities to try and steal valuable personal and financial information.
“The problem is that without DMARC records in place, or without having DMARC policies set up to ‘reject’, hackers can easily impersonate a university’s email domain in phishing campaigns, convincing their targets that they are opening a legitimate email from a colleague, fellow student, professor or administrator at their university. If you receive an email from your university asking for urgent action, question the legitimacy of the request and if you’re not sure, contact the university directly to verify.
“It’s also important to note that while DMARC is a necessary first step to preventing domain impersonation, it has its downfalls and hackers will find ways around it. For example, DMARC won’t stop lookalike domains, and hackers can register domains that look similar to an organisation’s domain, betting on the fact that people won’t notice the slight change. Given that DMARC records are also inherently public, an attacker can use this information to select their targets and attack method simply by identifying institutions without an effective DMARC record.
“So as universities start to welcome students back – and inundate inboxes with updates about online learning and social distancing – it’s critical that they take action to build robust security measures that can protect their staff and students against email scams.”
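The distinction drawn above between having no DMARC record, having one set to monitor only, and having one set to ‘reject’ is mechanical enough to check automatically. The following is an added example (not code from the article, Tessian, or any of the organisations quoted) that parses DMARC TXT records and classifies how much spoofing protection each actually provides. It runs entirely on constructed records for placeholder `.example` domains; a real audit would fetch the `_dmarc.<domain>` TXT record over DNS before handing it to `classify`.

```python
"""
Classify DMARC TXT records by the protection they actually give against
direct domain spoofing (RFC 7489 tag=value syntax). All records and domain
names below are constructed placeholders; nothing is looked up over DNS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: str                      # 'p' tag: none / quarantine / reject
    subdomain_policy: Optional[str]  # 'sp' tag, None means "same as p"
    pct: int                         # 'pct' tag, share of mail the policy applies to
    adkim: str                       # DKIM alignment: r (relaxed) or s (strict)
    aspf: str                        # SPF alignment: r (relaxed) or s (strict)
    rua: List[str] = field(default_factory=list)  # aggregate report URIs


def parse_dmarc(txt: str) -> Optional[DmarcRecord]:
    """Parse one DMARC TXT record; return None if receivers would ignore it."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()

    # The 'v' tag must come first and be exactly DMARC1, or this is not DMARC.
    if not txt.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return None

    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 §6.6.3: a missing/invalid 'p' is treated as p=none when a
        # usable 'rua' is present; otherwise the record is ignored entirely.
        if not rua:
            return None
        policy = "none"

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(100, pct))  # clamp out-of-range values to the valid 0..100

    sp = tags.get("sp", "").lower() or None
    if sp is not None and sp not in VALID_POLICIES:
        sp = None  # invalid 'sp' falls back to the domain policy

    return DmarcRecord(
        policy=policy,
        subdomain_policy=sp,
        pct=pct,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        rua=rua,
    )


def classify(txt: Optional[str]) -> str:
    """Map a record (None = nothing published) to a protection level label."""
    if txt is None:
        return "missing"            # anyone can send as this domain unchallenged
    rec = parse_dmarc(txt)
    if rec is None:
        return "invalid"            # published, but receivers will ignore it
    if rec.policy == "none":
        return "monitor-only"       # reports only; spoofed mail is still delivered
    if rec.pct < 100:
        # Mail outside 'pct' gets the next weaker policy, so enforcement is partial.
        return "partial-" + rec.policy
    return "enforcing-" + rec.policy


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify a mapping of domain -> published record (None if absent)."""
    return {domain: classify(txt) for domain, txt in records.items()}


# Constructed sample records for placeholder domains (not real institutions).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "uni-a.example": None,
    "uni-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@uni-b.example",
    "uni-c.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@uni-c.example",
    "uni-d.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@uni-d.example",
    "uni-e.example": "v=DMARC1; rua=mailto:dmarc@uni-e.example",   # 'p' tag forgotten
    "uni-f.example": "v=spf1 -all",                                   # SPF record published in the wrong place
}

if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:16} {level}")
```

Only the `enforcing-reject` (and, to a lesser degree, `enforcing-quarantine`) outcomes stop a spoofed message being delivered; `monitor-only` is the state Tessian’s quote warns about, where a record exists but the domain is still freely impersonable. As the quote also notes, none of these outcomes says anything about lookalike domains, which need separate monitoring.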
Academic institutions’ networks hold large amounts of personal data, which makes keeping them protected all the more important.
“Education institutions hold masses of highly sensitive data on individuals, perhaps more so than any industry outside healthcare,” said Adenike Cosgrove, director of international product marketing at Proofpoint. “Along with personal information such as name, address and date of birth, there’s also the potential to hold payment details, ID, health records, and much more.
“This trove of information puts a target on the back of every good-sized school, college, or university. Also, like medical institutions, education centres must maintain short- and long-term continuity.
“Cancelling exams, writing off grades, and cutting off services is not an option, and cyber criminals know this, which also makes the sector one of the most targeted by ransomware attacks. Recent incidents such as those at Newcastle and Northumbria Universities are just the latest of many in a sector increasingly under attack, and the only defence is one that places the very people under attack at its heart.
“Almost 100% of cyber attacks require human interaction to be successful, and that same human interaction can also bring about failure. Universities should ensure that all staff and students are aware of basic security hygiene and the mechanics of common threats. This awareness training must be in context, and all users must know how they are likely to encounter an attack and the role they play in defending against it.”