The education sector was already dealing with a vast array of critical issues, including a lack of resources, a shortage in staff and training, and a scarcity of funding. Then COVID-19 hit. This forced massive upheaval in the methods used to teach and in the ways pupils learn. The situation involved a speedy move to remote working and, with it, the re-evaluation of systems and processes that had been in place for many years.
This sudden shift has left the industry exposed.
Overnight, and on top of the usual logistics of the academic year, the education system had to abruptly re-evaluate everything that it knew in order to continue teaching the minds of our future and to safeguard students, employees, data and intellectual property.
‘Few institutions appeared to have a risk management strategy in place that would allow them to respond to a pandemic, particularly the capacity to offer online programmes and support when the crisis hit,’ Frans van Vught, joint project leader of the university ranking system U-Multirank observes.
It does not come as a shock that the majority of schooling systems, if not all, were underprepared for such a transition. If we look back from January 2020, no-one could have predicted what would evolve. In response, and in a bid to uphold some level of continuity, new rules have been implemented, new systems put in place, and new guidelines for teaching and learning have been made. But these rules differ from country to country and institution to institution, and structure and clarity have been lost along the way. It is exactly this, the ambiguity of the entire situation, that cyber criminals are taking advantage of.
The methods used by attackers are sophisticated, and attacks against the industry are increasingly aggressive. From ransomware to malware, headlines with the latest breaches and threats (like the recent Blackbaud hack) are strewn across the news. And what is shouted about in print presents only a fraction of the real issues that this sector is facing.
According to Feras Tapuni, CEO of SecurityHQ, “Not only have I seen the number of attacks in the education industry rise over the course of 2020 and 2021, but I have personally dealt with such an attack. The school of a family member of mine was recently hacked. The hacker got into the database of the school. This database was then exfiltrated, and the bad actor impersonated the accounts receivable. This meant that many of those on the parents list, that the attacker now had access to, fell for the scam. This resulted in the school having to reimburse the parents, costing the school thousands of pounds. And these threats and attacks are far from rare. Many do not make it to the news. With each successful attack costing thousands of pounds in the process.”
The education sector will always be a prime target for hackers, mainly because the attack surface is so large. The sheer size of the industry, and with it the potential for great financial gain, data theft and espionage, makes it a prime target for cyber criminals. And anyone, from students to employees, faculty members and third-party providers, is a prospective target.
The larger the attack surface, the more likely the investment of time and resources into an attack will be fruitful. In the UK alone, there are over 2.3 million students in education, and just under half a million staff in higher education. With such a large attack surface, realistically there has to be a weak link somewhere.
Other industries, such as the telecommunications or financial sectors, are obvious targets because of the wealth and power they hold. But setting aside the fact that the education industry, like many others, is large, what is the real gain behind hacking a student or employee account?
From kindergarten to postgrad, every education-based organisation holds a wealth of data. This data includes a range of private and personal information, including addresses, telephone numbers, full names, sensitive data such as medical records, personal requirements, and much more.
Once collected and pilfered, this information can be sold and used to exploit individuals or whole schools at a time. If sensitive data is acquired, it can also be used as a bargaining tool within a ransomware attack. The National Cyber Security Centre (NCSC) observes that ‘Since August 2020, the NCSC has been investigating an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges and universities.’
Not only is a successful ransomware attack financially beneficial to the attacker, but direct attacks on payment systems are also prevalent.
Student fees are a large part of university and private schooling systems. With the average student paying over £9000 a year on their education, disregarding the additional costs of living arrangements paid into a single faculty-connected account, and with over 2.3 million students at university in the UK alone, targeting university systems and the financial third parties associated with them offers considerable financial gain.
The majority of payments are made in lump sums, via university online portals. If a bad actor can infiltrate this portal or create a phishing campaign to trick the user into sending the money to the wrong account, the benefits are huge. Forbes reports that ‘Cybercrime specialists at the FBI noted one specific campaign that stole tens of thousands of dollars from students back in 2018. Since then, they’ve reported on multiple other campaigns targeting universities and student bodies all over the country.’
Universities hold valuable and influential intellectual property. Depending on the nature of the data stolen, espionage often takes place as a result. Research within medicine and engineering, in particular, can provide valuable insights which can then be used in the following three ways.
1) To understand the developments of a certain subject/project. This data can then be sold to competitors or nation state actors to influence economic, social or political change.
2) Individuals / researchers / departments can be held to ransom in return for their valuable data. Often the process of stopping research can be more costly than the demand made.
3) Researchers can be restricted from accessing their own data. By making it possible to hide or restrict the user's own information, development in a particular field (COVID-19 related research for instance) can be halted.
Alongside Nation State Actor and espionage attacks are Distributed Denial-of-Service (DDoS) attacks. The intention of these attacks is to infiltrate a weak network, flood this network, target a host, and cause disruption to impact productivity and, in essence, stop or crash systems. The attack is hard to contain, as it is often made from multiple sources. The motives behind such an attack can range from a personal vendetta against a specific organisation, to a means of slowing down an organisation to cost it time and money, to a distraction that allows other infiltrations to be made.
As put by the African Academic Network on Internet Policy, ‘Without proper protection, it leaves the learning management systems susceptible to denial-of-service attacks. In addition, the involvement of African universities and institutions in coronavirus research makes them a target by nation state actors interested in gaining access to that information.’
How to Reduce Threats
In order to safeguard student data, research, processes and finance, schools must put in place strategies to mitigate cyber threats.
To do this, security patches must be maintained, and protocols to defend and test environments should be utilised. Visualise and understand malicious or anomalous activity, and analyse, prioritise, and respond to threats in rapid time, which means that the only way to safeguard data, students, employees, and processes is with Managed Detection & Response.
Not only should technical strategies be put in place, but internal training for all students and staff must actively be encouraged, especially with regard to ransomware and phishing. Educating students about cyber risks, so that they know how to recognise threats and safeguard devices, will instil a culture of awareness.
By Eleanor Barlow,
Content Manager, SecurityHQ, an advanced Managed Security Service Provider, delivering superior engineering-led solutions to clients around the world.