Are our colleges and universities getting passing grades in cybersecurity?

Nov. 14, 2019
Having the right mix of visibility, prevention, and in-network detection tools will provide an active cyber defense

Neither private nor public colleges and universities are immune to cybercriminal attacks. 2018 was a particularly brutal year, with some of the most respected schools in the nation falling prey to these attacks. Unfortunately, the motivation behind these breaches may not be as obvious as one would think.

The theft of student or faculty data for financial gain typically comes to mind first. Ransomware is also commonly cited as an attack increasingly seen in our collegiate system. But one less obvious target is the wealth of data that these universities hold related to research and development projects. Many are funded by the U.S. Department of Defense (DOD) as the government looks to tap into the innovative minds of top scientists and academic experts. Others are a target for their research related to health and well-being. The 2019 Verizon Data Breach Investigations Report indicated that around 11 percent of attacks on education institutions were espionage-related.

Why Cybersecurity Fails

Given how critical these massive stores of personal information and research data are, it is reasonable to ask why the institutions' security systems appear to be failing against these attacks. The desire for open communication and collaboration is a fundamental contributor to the situation, and this level of openness often comes at the expense of stringent security measures. In other cases, it boils down to the parties responsible for securing information simply not understanding what adequate measures are, or the level of security truly required to maintain them. There is also a wide variety of systems in use across the university population and within university infrastructure. Finding all endpoints, keeping them patched, and applying basic hygiene can be a feat in itself.

The situation gets even more complicated when adding connected devices that may not have adequate security built-in, such as IoT devices, laboratory equipment, medical devices, or industrial control systems. Factor in students accessing the networks with personal laptops, phones, tablets, public computers, game consoles, smartwatches, and many other connected devices, and the potential attack surface becomes extremely large. For example, Ohio State University has 46,000 current undergraduate students, coupled with over 30,000 non-student employees across the college’s various initiatives, meaning that over 75,000 people likely require regular access to the university’s network—and that’s before taking into account the nearly 500,000 alumni that are permitted continued access.

With the breadth and depth of coverage required, it can be extremely challenging for security teams at these institutions to gain the funding and resources needed to maintain it. Obtaining additional funding is also challenging, as universities don't typically have cybersecurity experts on their boards who fully understand the magnitude of cyberthreats. Correspondingly, institutions will be under-funded and under-resourced to fight off the ongoing barrage of attacks, especially those that may come from sophisticated nation-states.

Even some of the most respected universities for cyber and technology have fallen prey. Georgia Tech, a well-respected technology-focused college, found themselves vulnerable and the victim of an attack, as did the Massachusetts Institute of Technology (MIT), which had credentials compromised from a phishing attack that disclosed military secrets. They are not alone in this global issue, joining the more than 50 United Kingdom universities that experienced breaches in 2018.

How To Meet The New Threats

Universities must now prepare for an onslaught of new attacks, which will only get more advanced, thanks to the use of artificial intelligence and the adoption of 5G networks. Preventing attackers from penetrating their perimeter defenses will, at best, start to feel like "whack-a-mole." This situation will drive a shift in how security is assessed and introduce new lines of thinking around identifying vulnerabilities and detecting the presence of in-network threats, as well as ways to automate processes so that security teams can spend less time on minor incidents and apply their attention towards addressing advanced attacks. Security frameworks such as NIST and FISMA are valuable in assessing and scoring readiness. There is also the MITRE ATT&CK framework, which helps organizations understand how adversaries operate and how well equipped they are to counter those actions.

With averages of 75,000-90,000 security alerts each day, institutions must become more proactive in their defenses. This necessitates moving beyond reliance on prevention tools and shifting to security controls that provide the ability to detect threats comprehensively throughout their networks. They will also find benefits in tools that can provide specific threat intelligence about their adversaries and their particular environments. For example, many universities use Active Directory, and adding controls for early detection of attacks against it, as well as of network reconnaissance, credential theft, and services exploitation, defeats a threat actor's attempt at lateral movement. Various forms of detection can be achieved through database lookup and behavioral or log analysis. The downside, however, is the false positives that these methods generate and how resource-intensive they are.

Others will turn to tactics such as deception technology, which involves setting lures and traps throughout a network to derail any attempts at lateral movement. Commercial-grade platforms have replaced earlier uses of deception honeypots for comprehensive detection and visibility into vulnerable attack paths. Designed for early detection of attacks as they attempt to break out from an endpoint or move laterally through the network, a modern deception platform adds high-fidelity alerting for network discovery, Active Directory reconnaissance, credential theft, Man-in-the-Middle attacks, as well as services exploitations. According to EMA research, those that are highly familiar with deception technologies were able to reduce their average dwell times – the time an attack remains undetected – to an average of 5.5 days. This duration compares favorably to the 61 days for organizations not actively using deception technology.
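The two preceding paragraphs describe log-based detection of credential theft and Active Directory reconnaissance, and deception lures that turn a single touch into a high-fidelity alert. The script below is an added example, written for this page and not code from the article or from Attivo Networks, of the simplest form of that idea: decoy ("honeytoken") accounts are planted in the directory and never used legitimately, so any authentication event that names one is flagged without the false-positive problem of behavioral baselining. The decoy account names, host names, IP addresses, and the log line format are all constructed for illustration.

```python
"""Detect use of decoy (honeytoken) accounts in authentication logs.

Added example; account names, hosts, addresses and the log format are constructed.
"""
import re
from dataclasses import dataclass

# Decoy accounts planted in AD and on file shares (hypothetical names).
# They have no legitimate use, so any logon naming them is a real alert.
DECOY_ACCOUNTS = {"svc_backup_admin", "lab-share-ro", "helpdesk_legacy"}

# Constructed, simplified log format:
#   <timestamp> <host> <event> user=<name> src=<ip> outcome=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) outcome=(?P<outcome>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    event: str
    outcome: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_user(raw):
    """Lower-case the account name and strip a DOMAIN\\ prefix if present."""
    return raw.lower().rsplit("\\", 1)[-1]


def find_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return an Alert for every parseable event that names a decoy account.

    Both successful and failed attempts are reported: a failed logon against a
    decoy still means someone harvested the name (reconnaissance or spraying).
    """
    decoy_set = {d.lower() for d in decoys}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as alerts
        user = normalize_user(rec["user"])
        if user in decoy_set:
            alerts.append(Alert(rec["ts"], rec["host"], user,
                                rec["src"], rec["event"], rec["outcome"]))
    return alerts


def sources_touching_multiple_decoys(alerts):
    """Sources that hit two or more distinct decoys: a strong lateral-movement signal."""
    decoys_per_src = {}
    for a in alerts:
        decoys_per_src.setdefault(a.src, set()).add(a.user)
    return {src for src, names in decoys_per_src.items() if len(names) >= 2}


# Constructed sample log: two ordinary logons, one attacker host probing two decoys,
# and one line that does not match the format.
SAMPLE_LOG = [
    "2019-11-14T08:02:11Z dc01 logon user=CAMPUS\\jdoe src=10.20.4.15 outcome=ok",
    "2019-11-14T08:05:43Z dc01 logon user=CAMPUS\\svc_backup_admin src=10.20.9.77 outcome=fail",
    "2019-11-14T08:05:44Z fs02 smb_session user=lab-share-ro src=10.20.9.77 outcome=ok",
    "2019-11-14T08:07:02Z dc01 logon user=CAMPUS\\asmith src=10.20.4.18 outcome=ok",
    "this line is malformed and is ignored",
]

if __name__ == "__main__":
    found = find_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.ts} host={a.host} decoy={a.user} src={a.src} "
              f"event={a.event} outcome={a.outcome}")
    print("sources touching multiple decoys:", sources_touching_multiple_decoys(found))
```

On the sample data the script raises two alerts, both from 10.20.9.77, and reports that source as having touched more than one decoy. The point the article makes about false positives applies here in reverse: a decoy account produces almost none, because the only way its name ends up in a logon event is if someone enumerated or stole it. The residual risk is operational rather than analytical: if a decoy credential is accidentally embedded in a legitimate script or backup job, the detector will keep firing on that job until the decoy is rotated.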

Security teams will also appreciate the automation found in these modernized systems that employ automated machine-learning for deception management, attack data correlation, and incident response handling. The collection of attacker tools, techniques, procedures, and intent also provides invaluable information on threat intelligence specific to their environments and school. The phrase “not your father’s Oldsmobile” may come to mind when comparing the evolution of this technology and the utility that it provides for early and accurate detection.

It is unlikely that attacks on universities will subside any time soon. If anything, they may get worse as larger corporations and government agencies more tightly button up their security, leaving cybercriminals to operate in what they believe to be more fruitful hunting grounds. Despite limited resources, academia does not need to relegate itself to being reactive to an attack. Instead, having the right mix of visibility, prevention, and in-network detection tools will provide an active cyber defense that reduces the risk of a successful attack and helps secure the desired A grade in cybersecurity.

About the Author:

Carolyn Crandall is the Chief Deception Officer at Attivo Networks. She is responsible for deception technology category creation, Attivo Networks overall marketing strategy, and high-impact program execution. Crandall’s focus is on achieving company brand leadership, technology evangelism, multi-channel programs to create demand and customer engagement, enabling reseller and technology partnerships, and building a world-class marketing team.