U.S.-based education institutions continue to grapple with major challenges brought by the pandemic: the largest enrollment decline seen in a decade, swirling controversy over reopening physical classrooms, outmoded IT infrastructure that’s sagging under the pressure of digital teaching and learning, and near-crippling financial constraints. As the new school year begins, cyber attackers are expected to take advantage of the confusion and highly vulnerable state of the industry.
Ransomware is hitting the education sector particularly hard. Consider these recent statistics:
- The Sophos State of Ransomware 2021 report found the education sector was the industry hardest hit by ransomware in 2020.
- Last year, ransomware was responsible for 80% of malware-related incidents in the education services sector, according to the latest Verizon Data Breach Investigations Report.
- A Check Point study found that the global education sector is the most targeted industry for malware and ransomware attacks in 2021 thus far. In July 2021 alone, researchers recorded an average of 1,739 attacks per organization per week.
Michigan State University was just one of the many institutions targeted recently, yet it’s one of the few that have come forward publicly about the attack that hit its department of physics and astronomy. The school did not pay the $6 million ransom demanded by the attackers but ran up more than $1 million in costs repairing and remediating its IT system. The university has been widely applauded for its transparency and is credited for educating the broader community about ransomware and other cybersecurity threats.
In our latest CyberTalk with CyberArk podcast, Matt Kenslea, director, State, Local and Education (SLED), CyberArk, talks about higher education’s unique cybersecurity conundrum.
Universities’ “needs are different and unusual compared to commercial entities and government agencies,” he noted. Unlike other organizations, they have the autonomy to research and govern independently, but this also means that they shoulder the burden of securing massive troves of sensitive research data. The irony is that in many cases, these research and technology pioneers have limited means to implement effective cybersecurity for themselves, Kenslea said. “We need to focus and meet them where they are.”
“I saw a report recently where the FBI ranked higher ed as the number one target industry with ransomware, higher than financial services, which has historically been the market leader,” he noted. “This is a prize you don’t want to win.”
The FBI has also indicated that U.S. college campuses’ “open environments” make them especially vulnerable to cyber attackers using various methods to “steal information or products, bypass expensive research and development, recruit individuals for espionage, exploit the student visa program for improper purposes and spread false information for political or other purposes.”
Perimeter Evolves and Dissolves, Security Doesn’t Always Keep Up
Colleges are inherently collegial. They thrive on in-person contact in the office among administrators, faculty and students. When COVID -19 hit, colleges had to shift quickly to convert from an office-/classroom-driven operation to remote learning/remote work.
As a result, college IT departments “ran out and bought laptops for the first time. They installed anti-virus (AV) software and some form of multi-factor authentication (MFA),” Kenslea observed. But there was the sense that in the rush, they did not get security down right or did not implement it thoroughly as they would have had the process been more deliberate, thorough and comprehensive.
“Most colleges have not had a remote workforce before,” Kenslea said. “Increased reliance on cloud services and numerous personal networks and devices used beyond the physical campus definitely expand their perimeter and increase risk.”
This is very much on the front burner of concern among college IT leaders. In a Horizon Report® surveying the near future of college IT, information clearinghouse Educause found that fewer than half (47%) agreed their cybersecurity team is prepared to protect their evolving security perimeter.
This dissolving perimeter offers a target-rich environment for attackers. Start with the people working in higher ed: “Deans, the president, the CFO, the bursar, the provost… there are a lot of people with privileged access to a lot sensitive data and systems,” Kenslea said. “What’s more, there are faculty who pursue and win grants and set up separate environments for their research completely outside of IT and security’s control.”
Such a roster is ideal for spear-phishing campaigns designed to steal or compromise an identity, or trigger a ransomware attack. Sometimes attackers will email students to reveal they’ve obtained their personal data, instructing them to contact administrators and urge them to pay the ransom, Kenslea explained. This puts the school in an impossible situation: pay and take a financial hit, or don’t pay and suffer reputation loss, which often leads to decreased enrollment and financial hardship.
Another point of vulnerability is the visiting professor. “They get provisioned with privileges to access sensitive resources on the network. Who knows how long they are going to be there?” Kenslea said. “Someone has to remember to de-provision them when they leave.” If the account is left dormant, it could become another avenue of attack.
The culture of openness that defines a college must be tempered with Zero Trust. “What we talk about is controlling, through least privilege, what a user can do on the machine, and how long they can do it without rechecking their access rights.” Kenslea said. The right approach must not break user workflows or generate tech support tickets; otherwise, users can’t accomplish anything because security is too onerous.
“There has to be a balance between security and usability,” Kenslea said. “You want systems that are adaptive, are protecting your endpoints, are managing your privilege, and are isolating users and sessions so that they can’t go out and cause problems.”
The Blueprint Drives the Playbook
So how can higher education institutions more effectively secure their campus IT systems? Kenslea offers some prescriptive steps in our podcast, based on the CyberArk Blueprint for Identity Security Success.
First, he noted, you must “assume breach” and shift your attention to stopping credential theft and subsequent movement throughout the environment.
Then, place emphasis on securing high-value targets, such as domain administrators and cloud administrators, via Privileged Access Management controls like password vaulting and rotation. “Session isolation and ephemeral access can also be used to narrow the scope of the breach, limiting the time an attacker has to move through the system, laterally and vertically,” he noted.
From there, lock down all the common platforms and systems, whether it’s the active directory, server accounts or workstations to “really get across the entire environment,” Kenslea said.
“Finally, make sure least privilege is enforced across all servers, workstations and users — paying special attention to removing local admin rights and implementing adaptive multi-factor authentication and layered endpoint protection,” he added.
“It’s a scary world out there. You don’t want to face it alone.”
Check out the entire CyberTalk with CyberArk episode to hear why now is the time for higher education to get with the (cybersecurity) program.