How international educators can identify internal cyber threats

With reports of major data breaches appearing seemingly every week, cybercrime has been one of the major news stories of the last few years.

However, while the perception is often that perpetrators are shadowy expert hackers, most cybercriminals are, in fact, opportunists who target victims that will return the highest profits for the least effort and risk. Unfortunately for educational institutions, this means they are one of the preferred targets for attack.

Universities, in particular, are commonly targeted as a rich source of valuable personal information including physical and email addresses and telephone numbers. A breach can enable attackers to access the data of faculty members, staff, students and alumni, which can then be sold on the black market or used to facilitate more targeted attacks.

At the same time, it is well known that budget constraints mean many universities do not have strong security and have older infrastructures and systems, making them a comparatively soft target.

While the sector is commonly targeted by cybercriminals seeking an easy payday, a big and growing problem involves cyber threats coming from within. A recent government-funded report into cyber attacks against universities found that many attacks appeared to be the work of staff and students. Analysis of 850 incidents in 2017-18 revealed that the volume of attacks increased during the working day and term time and then decreased sharply out of university hours. These signs suggest that disgruntled students – or even staff – with a grudge against their organisation, so-called ‘malicious insiders’, could be behind the attacks.

How dangerous are malicious insiders?

Malicious insiders can cause serious harm to an organisation by destroying or editing essential data or even installing ransomware and other malware into their systems. The stakes have also increased with the introduction of the General Data Protection Regulation (GDPR) which may lead to large fines if an organisation is found to have been negligent following a security incident.

However, successfully spotting a rogue insider before they strike can be extremely difficult. One of the most common cybercriminal tactics, using stolen login credentials to pose as legitimate users, is also very challenging to identify before it’s too late.

The situation is not hopeless though, as there are several clues that can help to identify a malicious insider at work:

Abruptly changing access times: A user who suddenly begins showing an entirely different pattern of activity may be attempting to hide malicious actions, or may be an imposter using stolen credentials.

Strange file access: If a user begins accessing, editing and copying files that are outside of their role, there is a good chance they are attempting to steal or sabotage confidential data.

Moving large quantities of data: Attempts to copy a large amount of data externally, whether via email, removable storage or printing, are a strong sign of attempts to steal data in order to sell it.

“Ghost” users: It’s common to find that old, forgotten user accounts are not deleted or amended when staff leave or change roles. This leaves the door open for former users to easily sign back into these accounts and steal data.

Stopping malicious insiders before it’s too late

Identifying these four key signs of suspicious activity requires the ability to monitor how users are accessing and using files on the network. Without this capability, organisations will be blind to malicious insiders until the damage has been done.
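As an illustration of that monitoring, the following added example (not code from the author or from any product) checks a handful of file-access audit events for the four signs listed above. The users, roles, shares, baseline hours, 500 MiB threshold and event format are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (assumptions, not from the article).
ROLE_SHARES = {"student": {"coursework"},
               "registry": {"coursework", "student_records"}}
# user -> (role, account still belongs to a current member)
DIRECTORY = {"asmith": ("registry", True), "bjones": ("student", True),
             "old_ta": ("student", False)}
# Usual hours of activity per user, as learned from past behaviour.
BASELINE_HOURS = {"asmith": range(8, 18), "bjones": range(9, 23),
                  "old_ta": range(9, 18)}
BULK_BYTES = 500 * 1024 * 1024  # assumed per-user daily limit for external copies
MIB = 1024 * 1024

# Constructed audit events: (timestamp, user, action, share, bytes, destination)
EVENTS = [
    ("2024-03-04T10:15:00", "asmith", "read", "student_records", 20_000, "internal"),
    ("2024-03-04T02:40:00", "asmith", "read", "student_records", 30_000, "internal"),
    ("2024-03-04T14:05:00", "bjones", "copy", "student_records", 4_000, "internal"),
    ("2024-03-04T15:00:00", "bjones", "copy", "coursework", 400 * MIB, "usb"),
    ("2024-03-04T15:20:00", "bjones", "copy", "coursework", 200 * MIB, "email"),
    ("2024-03-04T11:00:00", "old_ta", "read", "coursework", 1_000, "internal"),
]

def find_alerts(events):
    """Return sorted (user, reason) pairs for the four insider-threat signs."""
    alerts = set()
    external = defaultdict(int)  # (user, day) -> bytes sent off the network
    for ts, user, _action, share, size, dest in events:
        # Accounts missing from the directory are treated as not current.
        role, current = DIRECTORY.get(user, (None, False))
        # 1. Activity outside the user's established hours.
        if datetime.fromisoformat(ts).hour not in BASELINE_HOURS.get(user, ()):
            alerts.add((user, "unusual_access_time"))
        # 2. Access to a share the user's role does not require.
        if share not in ROLE_SHARES.get(role, set()):
            alerts.add((user, "out_of_role_access"))
        # 3. Cumulative external transfers (email, USB, print) above the limit.
        if dest != "internal":
            external[(user, ts[:10])] += size
            if external[(user, ts[:10])] > BULK_BYTES:
                alerts.add((user, "bulk_external_transfer"))
        # 4. Any activity on an account whose owner has left ("ghost" user).
        if not current:
            alerts.add((user, "ghost_account"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, reason in find_alerts(EVENTS):
        print(f"{user}: {reason}")
```

The bulk-transfer check sums each user's external copies per day, so two transfers that are each under the limit still raise an alert once their total exceeds it.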

Educators can also pre-emptively reduce the threat of insiders by implementing tight controls on how systems are accessed with a “least privilege” approach. Implementing strong controls around how files are accessed will mitigate the damage that can be inflicted by insiders and intruders; all users should only be given as much file access as they require for their role – greatly minimising the number of accounts that can access sensitive and essential data.

Educators that are able to limit how their networks are accessed and identify suspicious behaviour will have a much greater chance of protecting their data from attack, whether the source is opportunistic external criminals or rogue elements from within.

About the author: Andy Richmond is an expert in data protection and cybersecurity, having worked in the industry for more than 15 years. He is currently UK VP and Country Manager for Varonis, a pioneer in data security and analytics.