In 2019, university cyber attacks have been making headlines. Many colleges and universities, mainly those in the U.S. and other NATO countries, have become targets for cyber criminals and nation-state actors.
In the ever-evolving cyber ecosystem, security professionals and their adversaries engage in continuous virtual combat. Cyber criminals have historically been more focused on targeting banks and credit unions to steal money and divert funds. Credit card companies and retail providers have also been among the biggest targets because stolen personally identifiable information (PII) can be traded or monetized on underground forums and websites.
In response to these threats, the banking and retail sectors have invested significant resources in strengthening their cyber security operations. So, not surprisingly, the adversaries have shifted some of their attention to organizations with fewer resources that aren’t as well defended.
Who Are Cyber Criminals Targeting?
Cyber criminals and nation-state actors are going after both institutions and individuals.
Colleges and universities with large research and development projects funded by the U.S. Department of Defense (DOD) are high on the list for adversarial nation-state actors. They’re also increasingly the target of terrorist groups, as well as activists and criminal organizations.
Other high-profile university attacks have targeted individuals for financial gain. In these attacks, cyber criminals used ransomware to go after their victims. Using this common attack method, they encrypted the personal information of students who had applied to a small number of highly ranked liberal arts colleges. The individual applicants themselves, and not the universities, received ransom notes demanding thousands of dollars, and/or payment in bitcoin, to release this personal information.
This represents a new challenge for campus security professionals: protecting the personal information of applicants in addition to current students, faculty, and administrators. Encrypting applicant information could prevent universities from evaluating potential students for admission, though, or at least slow down the process. This could have stark impacts – operationally, financially, and reputationally – on both universities and applicants. Developing systems and online web portals that allow for the secure exchange of confidential information, as some large banks have for loan applicants, for example, could be one possible solution. However, this is out of the immediate reach of many institutions of higher learning.
Why Are Cyber Criminals Targeting Universities?
Many of the projects sponsored by the DOD are run by top university experts and scientists. Those projects develop cutting-edge military technologies and weapons systems used by the U.S. military and its allies.
Colleges and universities working on these projects encourage the open exchange of ideas and peer review, which has led to many technological breakthroughs. One of the drawbacks of an open environment, though, is that it tends to be less secure. The research assistants working on these projects often don't have the right training or experience to take additional measures to protect their personal security and accounts.
How Many Universities Have Been Attacked?
In recent weeks, open source reporting has identified more than 20 universities in the U.S. and Canada that were victims of sophisticated spear phishing attacks. One of them was the prestigious Massachusetts Institute of Technology (MIT). The spear phishing attacks triggered malicious software that allowed credentials to be compromised.
These credentials were then used to exfiltrate critical military secrets, most likely to organizations linked to nation-state actors who want to offset the U.S. military’s advantage in future weapons systems. The full impact of these attacks has yet to be determined, but national security professionals are very concerned about the scale and success rate.
Security professionals are facing new challenges as cyber criminals target colleges and universities and other organizations that don't have a large amount of resources dedicated to fighting cyber crime.
What Can Universities Do?
On the professional services side, Delta Risk delivers both technical and non-technical assessments to evaluate risks to security architecture and processes. Our services include penetration testing and controls assessments that make use of NIST, RMF, and FISMA frameworks. These are just some of the services colleges and universities can use to identify and remediate critical vulnerabilities in their systems, and protect valuable personal information.
More sophisticated services include phishing assessments and red team exercises to gauge the effectiveness of training programs and technical controls. If a university or college is using the cloud to run critical software applications like Office 365, or using cloud infrastructure like Amazon Web Services (AWS), Delta Risk’s ActiveEye managed security platform can provide continuous 24x7 monitoring of cloud activity, as well as networks and endpoints. For those universities that do suffer a breach, Delta Risk can deploy incident response professionals to diagnose the cause, mitigate the consequences, and recommend future actions to enhance security.