On the 17th September 2020, the National Cyber Security Centre (NCSC) issued an alert to Universities and the education sector after seeing a rapid rise in cyber-attacks throughout August. In the run up to student registration which involves new students arriving on campus and moving into halls, the goal of the cyber-attacks is to cause maximum disruption financially and to reputation.
The NCSC stated that a recent spike in ransomware attacks specifically aimed at Schools, Colleges and Universities student intakes has led to issuing this alert.
“The NCSC dealt with several ransomware attacks against education establishments in August, which caused varying levels of disruption, depending on the level of security establishments had in place.”
A ransomware attack will usually involve the cyber criminals targeting your most valuable data, encrypting the data (it has been known for whole virtual servers to be encrypted), and holding your data hostage while they attempt to extort money or information.
So, what can you do?
As an industry, we have moved on from treating ‘security’ as a single item or product. We must continue to critically examine our security capabilities end to end – all the way through to the human being at the keyboard. We must evaluate each component of our technology services:
Internet Edge
Perimeter
Campus LAN
Datacentre services – Production Data
Datacentre services – Backup, Recovery
Processes – Disaster Recovery, Business Continuity and Breach Response
Identity
End-User Device
Human Behaviour
What can you do today?
There are many small tasks that you can do today that will start ensuring you reduce the attack space and minimise risk:
- Patching of all devices, end-user devices, network devices, servers, host servers.
- Review all servers running RDP protocols.
- Review all AD accounts with privileges, should the privileges be granted, are there accounts that are old, unused or unknown.
- Review ANY local accounts on servers.
- Review firewall rules and disable old and unknown rules.
- Check your backups, test the backups and check the permissions/accessibility of the backup data and any accounts with access to the backup.
Consider releasing staff and student communications through email, social media and electronic message boards / VLE as a reminder to:
- Alert IT Support to all suspicious emails. If in doubt – get it checked out.
- Do not download any software not explicitly requested from a known source.
- Recommendation for BYOD students to download an approved AV/AM tool.
Andrew Nickson, Solution Architect at XMA specialising in Hyper-converged infrastructure and back up technology had this advice:
“To reduce the impact of a successful attack, in my experience you need to implement a range of strategies. Backing up regularly, use the same categories as your main production, for instance critical applications need backing up more regularly than appliances that don’t change from day to day. Restore, this is often forgotten if you have been running your backups for a year do you know if you can recover from a day, week month ago? Test your backups does the application still work? Document the steps required to remediate, what steps were required to get the application to run correctly.
To provide a resilient backup solution don’t just rely on a single location replicate it to another site creating a secondary copy with different retention policies and if possible to a third the cloud is really an excellent location for long term archives and backups.
Recovery from cyber-attacks and ransomware is time consuming and fraught with obstacles. Once having been attacked have your backups been compromised? To mitigate these potential attacks always keep an offline copy, only expose the backup location to your live systems when absolutely necessary and rotate the backup location if possible, you will always have a backup to go to. Use immutable file systems such a S3 object storage, WORM (Write Once Read Many) drives, Tape will provide a complete air gap between your live data and your backups for a retro solution.
Utilising an air gap will provide protection you can utilise pre and post scripts to enable ports on the firewalls or enable NICs on the servers or backup locations. The cloud can provide an additional physical separation from your live environment and your backup data.
We are always aware that keeping the number of users with access to your live data to a minimum, is the first line of defence, and the same is true about backup keep your systems patched perform an audit of your environment regularly not just the operating systems but appliances and switches as well, as all have had security breaches in the past. Remove any unauthorised devices from the network.”
With such a focus on the need to deliver digital services and online lectures and content in these evolving times, we spoke to Craig Bramley – Lead Educational Technologist for Citrix:
“The consequences can range from losing student coursework, to research and IP data theft, large scale incident investigations, financial and reputational damage. So, it’s really important, probably more important now than ever to place security in the top of an institution’s priorities – if not the top. Especially with users connecting over unknown wi-fi using untrusted devices, the attack vector has dramatically increased, and you can imagine it only takes a single user to open a phishing email remotely, a VPN becomes compromised and that could trigger a substantial cyber-attack.
Moving to a centralised application delivery model significantly reduces the attack surface. Security patching and image management is simplified. With this comes the added benefit of being able to swiftly roll back to earlier image versions in the event of a Ransomware or other type of Malware attack, which if successful can cost a university hundreds of thousands of pounds to remediate. This means that the university has the ability to restore services in a matter of hours, rather than weeks or months, as is the case with a traditional delivery model.
Another advantage of a centralised application delivery model is that all University data is secure in their data repositories, whether on-premises or in the cloud, meaning if a device happens to get lost or is stolen, no data resides on the endpoint device. Universities can also customise university applications and data on mobile devices, even personal devices in the case of BYOD, meaning that the risk of data leakage is also restricted.
Finally, Institutions need to move away from the old-fashioned perimeter-based security model as mentioned above, to a modern multi levelled Zero-Trust security model where absolutely nothing is automatically trusted until verified. Citrix’s approach to security is unique. We address the what, the who, the how and the why of securing all of those resources.
• First, the what. We know what device you’re using. We have endpoint management capabilities and integrations for things like EMS. We understand what the device is, and if it is in compliance or not.
• We also know who is using that device. We broker the identity to a number of identity providers, we give users a single, secure sign-on experience, and we provide multi-factor authentication where it’s appropriate — which is pretty much all the time.
• Then we can see how users are accessing their applications as well. Through the workspace, we can see what virtual app they’re using. We give you control over the environment that is used to access that application.
• Finally, the why. Using our Analytics platform – Why are they accessing that data in the first place? What information are they after? Are they authorised to use it? Is it within their normal behaviour profile to be accessing it? If not, then let’s take automated mitigating actions.
This framework provides institutions with the basis for applying many different types of security policies at many different levels.”
So to summarise:
- Backup Regularly
- Restore regularly; a backup is no good it you can’t restore
- Keep an offline backup
- Patch and update all of your systems
- Review all accounts and privileges
- Lastly, consider security tools for the network. Many organisations will protect the perimeter, the servers, the data permissions, and the endpoints. This may be sufficient, but do you need to consider tools that look at network behaviour across your LAN as well as at the perimeter?
Written by Jennifer Norman, Infrastructure Solutions Director @ XMA
References:
News update:
https://www.ncsc.gov.uk/news/alert-issued-following-rising-attacks-on-uk-academia
NCSC Guidance:
https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector
