Cash-strapped universities worldwide are struggling to defend against a surging number of cyber-attacks, according to a report that lays bare the impact of Covid-19 on the sector.
Published today (February 23), a detailed threat analysis from cybersecurity services provider BlueVoyant found that ransomware attacks against higher education institutions doubled between 2019 and 2020, as cybercriminals sensed the industry’s vulnerability.
The 2019 attack against Monroe College, which was ransomed for $2 million, was the sector’s first instance of ‘big game hunting’, say the authors, while universities have been falling prey to ‘name and shame’ extortion schemes since April 2020.
Punishing costs
The average cost of remediating ransomware infections in 2020 was $447,000, a sum universities can ill afford amid postponed enrolment applications, refund demands, and the wholesale loss of revenues from international students.
Data breaches, which accounted for half of all cybersecurity events affecting the sector in 2019, exacted even more punishing costs – averaging $3.9 million, according to a 2020 IBM study.
John Farley, managing director for AIG’s cyber practice, told BlueVoyant that “the most prudent risk managers” were protecting their bottom line by “deploying cyber risk transfer mechanisms via both contracts and cyber insurance”.
Expanding attack surface
As well as absorbing unprecedented financial losses, higher education institutions have had to reorient their business model in a way that expands an already considerable attack surface.
“Forced to abandon teaching in person,” there is “an ever-increasing reliance on mobile devices, remote learning, and third-party education partners”, says the report.
An open-source analysis found that one in three data breach events over the past two years was related to remote or blended learning tools.
BlueVoyant also highlighted the serious risk posed by the widespread use on university networks of personal devices and torrenting, a large-file-sharing technique that is often abused to smuggle malware into networks.
Security researchers linked data breaches against more than 200 institutions to nation-state actors, which have also targeted universities involved in vaccine research and conducted large-scale phishing campaigns against the sector.
Credential stuffing
Universities appear to be the juiciest of credential stuffing targets, with students using university emails to log into a widening range of services, even long beyond graduation.
Students at the top 10 Ivy League schools had an average of 13 unique university credentials each, researchers found.
With student credentials “among the most voluminous and highly trafficked PII [personally identifiable information] data” on the dark web, universities were hit by an average of 10,000 brute-forcing attacks per week – far outstripping the proportion of inbound adversarial activity seen against other sectors.
Predictable passwords
Demonstrating the impact of such attacks, Boston University temporarily disabled more than 1,000 compromised student email addresses last year after the accounts were used to flood the institution’s email servers with spam.
An analysis of .edu passwords arising from a huge breach that led to those account takeovers – the 2018 attack on online textbook rental service Chegg – also suggests that cybercriminals could readily customize their password permutations to the profile of their targets.
For instance, ‘sex’ (such as ‘sexy!teacher1’), ‘professor’ (‘kill_the_Professor’), and grades (‘aplusgrades’) recurred frequently, as did ‘book’ (featuring 20,984 times), ‘smart’ (3,139), and ‘beer’ (3,408).
All too predictably, ‘password’ outnumbered them all with 65,420 instances.
An analysis of email/password ‘combolists’ leveraged for credential stuffing attacks found that nearly 9% of passwords associated with .edu domains were found among the 14 million most commonly used passwords contained within the RockYou.txt password dictionary.
Unique risks
Stuart Panensky, partner at FisherBroyles, told BlueVoyant that “the education and learning sciences sectors face unique privacy and cyber risks due to the combination of sensitive data they traffic in, the nature of how technology is deployed throughout the sector, and the myriad of state and federal laws and regulations that govern these issues”.
Despite this, 66% of more than 2,700 universities analyzed across 43 countries lacked basic email security configurations, 38% had open or unsecured database ports, and 22% had at least one open RDP port. Some 86% showed evidence of inbound botnet targeting.
Universities at least appear to recognize the importance of bolstering their human defenses, with around three-quarters of CIOs and senior campus officials surveyed in 2019 citing “hiring and retaining IT talent” as the top institutional priority.
However, around the same proportion said uncompetitive salaries and benefits were a major barrier to achieving this goal – and that was before the pandemic decimated revenues.
Recommendations
BlueVoyant does not envisage a return to the pre-Covid status quo. “The attack surface for schools has metastasized, and there is no going back,” it says.
With this in mind, the authors have urged higher education institutions to implement multi-factor authentication (MFA) across all email and sensitive accounts, mandate 15-character password minimums, and block password reuse and simple passwords.
They are also advised to monitor email accounts, networks, and cloud services for authentication anomalies and screen passwords against blacklists containing commonly used and compromised credentials.
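As an added example (written for this page, not code from BlueVoyant or the article), the routine below applies the recommendations above to a candidate password: a 15-character minimum, rejection of anything on a compromised-password list (a constructed stand-in for a dictionary such as RockYou.txt), rejection of passwords built around the terms the Chegg breach analysis found recurring, and a check against previously used passwords. The blocklist, profile terms and sample passwords are constructed for the example.

```python
import hashlib
import re

# Constructed blocklist standing in for a real breached-password dictionary such
# as RockYou.txt (assumption: a deployment loads the full file, one entry per line).
BLOCKLIST = {"password", "aplusgrades", "sexy!teacher1", "kill_the_professor", "beer123"}

# Terms the article reports recurring in breached .edu passwords; a password built
# around one is rejected even when padded with digits or symbols.
PROFILE_TERMS = ("password", "professor", "teacher", "book", "smart", "beer", "grade")

MIN_LENGTH = 15  # the report's recommended minimum


def normalize(pw: str) -> str:
    """Lowercase and strip non-letters so 'Sexy!Teacher1' and 'sexyteacher' compare equal."""
    return re.sub(r"[^a-z]", "", pw.lower())


# Normalized once so permutations of a blocklisted password still match.
NORMALIZED_BLOCKLIST = {normalize(b) for b in BLOCKLIST}


def pw_hash(pw: str) -> str:
    # SHA-256 is only a compact fingerprint for the reuse history in this example;
    # a real credential store keeps a slow, salted hash such as bcrypt or Argon2.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw: str, previous_hashes: set) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    norm = normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in BLOCKLIST or norm in NORMALIZED_BLOCKLIST:
        problems.append("appears in compromised-password blocklist")
    if any(term in norm for term in PROFILE_TERMS):
        problems.append("built around a term common in breached .edu passwords")
    if pw_hash(pw) in previous_hashes:
        problems.append("reuses a previous password")
    return problems


def blocklisted_share(passwords: list) -> float:
    """Fraction of a password sample found in the blocklist: the measurement behind the
    '9% of .edu passwords in RockYou.txt' figure, run here over a constructed sample."""
    if not passwords:
        return 0.0
    hits = sum(1 for p in passwords if normalize(p) in NORMALIZED_BLOCKLIST)
    return hits / len(passwords)
```

`check_password` returns every violation rather than stopping at the first, so a rejection message can tell the user which rule they tripped.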
Source: https://portswigger.net/daily-swig/bad-education-universities-struggle-to-defend-against-surging-cyber-attacks-during-coronavirus-pandemic