A pair of recent high-profile university breaches may have confirmed that cybercriminals aren’t only interested in compromising money-rich corporations, but a security expert has warned that other institutions are likely to follow suit unless higher education can dramatically change its perspective on cybersecurity defences.
A breach of Australian Catholic University (ACU) systems was reported in June and attributed to a successful phishing attack that tricked users into entering their credentials on a fake ACU login page. Attackers gained access to a range of administrator and other credentials, making off with contact details and other information from those systems.
That same month, Australian National University (ANU) reported that it had, in May, detected a data breach that saw the exfiltration of 19 years’ worth of personal data belonging to staff, visitors, and students.
“We have invested heavily in IT security in the past 12 months and that investment has been successful in the sense that it reduced the risk presented by many attackers,” the university said in explaining the incident, “and it helped us detect this sophisticated intrusion.”
Yet while the university’s investment in cybersecurity tools is commendable – and reflects overall healthy growth in information-security investment in Australia – the ongoing incidence of breaches tells one security expert that many universities are still taking an incomplete approach to defending themselves.
“Many people believe they can buy some tools and they will solve the cybersecurity problem by helping them detect things,” Ashish Thapar, managing principal of Verizon’s Threat Research Advisory Center, told CSO Australia.
“But most of these tools are signature-based or indicator of compromised based, and they focus more on data-centre security or infrastructure security – but not necessarily data-centric security. While they should continue to look at those, they should also be looking at indicators of an attack” so that attacks can be stopped before their instigators get free rein inside the networks.
Even “very basic controls” like microsegmentation can stop threat actors from moving laterally within compromised organisations, Thapar advised. “There are a lot of things you can do without investing in heavy duty security tools.”
Verizon’s Data Breach Investigations Report (DBIR) 2019 confirmed that cybercriminals were targeting educational institutions in a markedly different way than organisations in other institutions.
Fully 86.1 percent of analysed breaches in the education sector were propagated through web channels – such as the fake ACU login page – which was well ahead of industries such as healthcare (21.0 percent), retail and wholesale (17.1 percent), accommodation (16.7 percent) and public sector (15.1 percent).
Verizon attributed this to the frequent targeting of university users with fake login pages for university services or cloud-based email services, which have been particularly adopted in the education sector because of their scalability and central manageability.
By contrast, just 61.4 percent of attacks on education targets used email delivery – still a high percentage, but well off of the 95 percent-plus figure for nearly every other industry sector.
Around 79 percent of attacks had financial motivations, with a “smattering” of state-affiliated or cyber-espionage cases rounding out the figures – compared with a near balance between the two categories just two years ago.
This suggested increasing resale value for credentials and information stolen from universities – and underscored the importance of detecting and stopping attacks before those credentials are stolen.
To do this, “you must know your infrastructure, the data you have, and your baseline,” Thapar said. “Only then will you be able to find anomalies and hunt for attackers.”