As global centres of learning, research and innovation, and key contributors to the economy, UK universities hold a treasure trove of personal and research data, intellectual property and other data assets that make them a tempting target for attacks by cyber criminals and state-sponsored actors, according to the National Cyber Security Centre (NCSC), which has just published an assessment of the cyber security threat to academia.
The NCSC’s report sets out to raise awareness of the threat environment faced by universities and some of the measures they can put in place in response. Working alongside the Campaign for the Protection of National Infrastructure (CPNI), the NCSC has also produced Trusted Research, a paper detailing how universities can protect themselves and their research, which forms part of its ongoing work with the academic sector.
The NCSC warned that while the academic sector is, by necessity, one of the most open, forward- and outward-looking sectors, this makes the task facing an attacker far easier. As a result, it is estimated that UK universities lost £145m from cyber crime in the first six months of 2018.
“The UK’s universities are rightly celebrated for their thriving role in international research and innovation collaborations,” said Sarah Lyons, deputy director for economy and society at the NCSC.
“The NCSC’s assessment helps universities better understand the cyber threats they may face as part of the global and open nature of research and what they can do about it using a Trusted Research approach.
“NCSC is working closely with the academic sector to ensure that, wherever the threat comes from, they are able to protect their research and their universities in cyber space,” she said.
The report states that the most immediate and potentially disruptive threat to universities is from cyber criminals using phishing attacks – often targeting student .ac.uk email addresses – but the longer-term threat comes from nation states looking to steal crucial research for their own ends.
It cited a campaign run out of Iran between 2013 and 2017, in which the accounts of more than 100,000 professors worldwide were targeted, and over 30TB of academic data and intellectual property stolen.
Critical steps to plug security holes
The assessment urged university IT departments to take three critical steps to close the security gaps in their systems.
First, since phishing attacks exploit human tendencies, it recommended increasing awareness of these attacks among staff and students as a priority.
Second, while a frequently changing student population makes it a challenge to ensure network access is only provided where appropriate or necessary, the report advised implementing stricter access controls and partitioning high-value research to throw obstacles in the way of attackers.
Finally, it said steps should be taken to redesign university networks so that the smaller, private networks, often maintained by faculties or laboratories, are brought under centralised oversight and policy.
Commenting on the NCSC’s assessment, Varonis technical director Matt Lock said: “The recommendations from the NCSC are spot on, but some universities will struggle to change outdated systems, gain control of digital files that are everywhere and open to everyone, and update information access to a least-privilege model.
“Funding is one factor, but so is managing data in a collaborative academic environment in which information must be shared, turnover is steady, and attackers have countless tools and tricks up their sleeves to compromise systems. Attackers will continue to win until UK universities make data protection a priority,” he said.
Education a top target for hackers
Meanwhile, research from domain name system (DNS) security specialist EfficientIP, conducted alongside analyst house IDC, found that globally, the education sector is now one of the most heavily targeted verticals for attack.
Based on its study of 900 security experts from nine countries in Asia, Europe and North America, EfficientIP found that 86% of education sector respondents had been on the receiving end of under-the-radar DNS attacks.
Organisations suffered an average of 11 attacks per annum, around half of them phishing-based. Impacts included in-house application downtime, which affected 66%, and compromised websites, which affected 55% – 10% higher than the global average.
IT and security teams within universities were also failing to properly protect themselves, claimed EfficientIP, which said over half of those surveyed currently tried to mitigate attacks by shutting down services, servers, processes and connections, which might help stop an in-progress attack but does little to increase overall protection.
“Hackers are always looking for an easy way in, so it is disappointing the education sector is failing to invest in security despite universities and education facilities being a clear priority for hackers,” said EfficientIP CEO David Williamson.
“When students and professors trust their institutions with sensitive personal information and intellectual property, this paints a big target on universities’ backs and makes them responsible for safeguarding it,” he added.
“We live in an era of governments declaring a state of emergency and officially involving themselves with cyber attacks on schools. Reaching this point means the education sector’s problems are escalating. Education organisations need to be more proactive, fully embracing DNS security. Otherwise, application downtime and the loss of sensitive and confidential data will keep damaging their reputations, alienating prospective students.”