How can universities protect themselves from cyber attacks?
“One of the reasons why HE could be targeted by cyber criminals is that it holds lots of personal data and intellectual property that can be sold to information brokers”
As details of a recent ransomware attack on a top UK university unfold this week, Andrew Blyth, director of the Cyber Defence Centre at the University of South Wales, reflects on the lessons learned from the Wannacry cyber attack on the NUS and how the higher education sector can arm itself against cybercrime.
How did the NHS Wannacry attack happen and why?
There are two major lessons that we can learn from the Wannacry ransomware outbreak of May 2017. The first is the need to practice basic cyber security hygiene in terms of patch management, antivirus and firewall management. The reason for this is that the Wannacry ransomware used the MS17-010 vulnerability to attack unprotected computer systems. Microsoft had, in the weeks before the Wannacry outbreak, published a patch which was developed in response to the MS17-010 vulnerability. You may say that if all systems had been patched then the outbreak on the NHS systems would not have happened.
However, such a simple assertion ignores the second lesson.
The second lesson is that we are becoming increasingly dependent on embedded systems and that these systems run the embedded version of the Microsoft operating system. The problem is that we cannot just automatically patch an embedded system as it may then stop working, and that some embedded systems are expected to run for twenty years. If you take the NHS as an example, it depends on these type of systems to enable heart monitors, x-ray machines and CT scanners to function. Before these types of systems are patched they have to be tested to ensure that the patch does not adversely affect the system being targeted.
So what lessons can higher education draw from the Wannacry ransomware outbreak, and how can it prepare for a cyber attack in the future? Firstly, higher education needs to recognise the need for basic cyber security hygiene. The truth is that most of the computer systems in higher education are laptops, servers and workstations and that standard well documented tools and techniques exist to help the system owners in basic hygiene. The other way that higher education can prepare for a cyber attack is by understanding the need for patch management when procuring and deploying embedded systems. As one of the major weaknesses that exists within systems like the NHS is the number of embedded devices and their inability to be patched, one way that higher education can address this is by requiring companies that supply embedded devices to ensure that they can be patched and managed easily and in real-time.
One of the reasons why higher education could be targeted by cyber criminals is that it holds lots of personal data and intellectual property that can be sold to information brokers. One way that we protect against the loss of such information is via the use and deployment of encryption. This can take the form of self-encrypting hard drives, where the user has to enter a four-digit pin, or the use of software-based encryption products such as Pretty Good Privacy (PGP) to encrypt emails, files and/or directories. The use of open source encryption solutions can provide us with a cheap and robust solution to the problem of encryption.
Higher education already has a CERT that engages in information sharing in a proactive manner and JANET produces some guidelines to help universities in everything from system configuration management to regulatory compliance. Higher education institutions can help protect themselves from a cyber attack by using certified people to perform penetration tests. The role and function of a penetration test is to identify the vulnerabilities that exist on a system/network, and to propose remedial action. Schemes such as the Tiger Scheme certify penetration testers in accordance with GCHQ guidelines and provide a level of assurance that the people performing a penetration test are competent and capable.
One final way that higher education institutions can help protect themselves from cyber attack is by realising that total security is a myth and that when a security breach happens, they need to respond to it. To help in this there are various international standards such as ISO 27035. These standards can help an organisation develop an incident management, and business continuity, capability that can respond to a cyber attack. They also help organisations understand the need for education and awareness across their user community.
Cyber Security is an area South Wales has invested in heavily and from our experience, the truth is that most security breaches are not detected by system administrators or intrusion detection systems, but rather by users. Therefore, the need for education and awareness is critical along with an easy incident reporting mechanism.