Why universities are being told to improve their cyber resilience by Jack Porter, Public Sector Specialist, Logpoint
Warnings issued by the Joint Information Systems Committee (Jisc), Universities (UUK) and the National Cyber Security Sector (NCSC) in a joint report were realised last month when multiple UK universities were affected by a distributed denial of service (DDoS) attack against the Janet network. The attack, said to be politically motivated with the pro-Palestinian Anonymous Sudan group taking responsibility, lends weight to the assertion in the Cyber Security and Universities – Managing the Risk report that the sector needs to prepare for targeted attacks in addition to opportunistic attacks.
Updated at the tail end of last year, the report calls for institutions to improve their cyber resilience due to such growing threats. In addition to nation state attacks, it also warns of extortion attacks (i.e. ransomware), the theft of research data and intellectual property such as research data, the use of infrastructure to monetise (i.e. cryptomining) and sabotage. It acknowledges that universities have made good progress in managing cyber risk but the exponential rise in the type of threats now facing the sector warrants further initiatives.
Securing these institutions is a dichotomous problem, however, due to the need to maintain open access while securing systems and services. This equates to a large attack surface that is unusually exposed due to the need to maintain flexible and remote access and national and international collaboration. Consequently, there’s a need to maintain secure access while ensuring the integrity of data.
To achieve this, the report makes three recommendations to strengthen the security posture, implement defence in depth (DiD), and maintain momentum through shared intelligence.
Resilience recommendations
Improving the security posture requires a multi-faceted approach and improving governance, assurance, technology and culture. All of these can be assessed to identify areas for improvement by answering Jisc’s 16 questions to assess security posture. In terms of assurance, compliance frameworks like ISO27001 and the NCSC’s Cyber Assessment Framework (CAF) are effective ways to demonstrate due diligence. And when it comes to establishing an effective cyber security culture, the report recommends following the NCSC’s guide to maintaining a sustainable, strengthened cyber security posture to build security awareness and avoid security staff burnout.
The DiD approach sees security mechanisms and processes layered to provide multiple opportunities to stymy an attack. For example, in the event of a phishing attack, the first layer could make it difficult for attackers to reach users with phishing emails while a second layer could help users identify potential phishing emails through security awareness. Should the attack persist, a third layer might protect against the effects of undetected messages and if that fails a final layer could ensure effective response to incidents and reporting to mitigate the risk.
DiD should include preventative, detective, corrective, compensating and deterrent controls which should be interrelated, managed, and resourced appropriately. If we look at the detection level, for instance, universities should be able to monitor and sound alerts about incidents by scanning for vulnerabilities and unpatched systems, utilise a Security and Incident Event Management (SIEM) to monitor logs and provide threat detection and response, and audit administrative permissions and firewall rules, according to the report. But how are universities interpreting this best practice to improve their security posture in the real world?
Real world applications
At the University of Bedfordshire, it found its open source solution for detecting and responding to threats was overwhelming leading to alert fatigue. Monitoring its network was made more difficult due to the fact it runs ethical hacking courses which could result in benign internal data breaches as opposed to malicious attacks and so it needed to be able to accurately assess incidents and reduce the mean time to detect (MTTD).
Bedfordshire decided to implement a SIEM in order to look for indicators of compromise (IoCs), attacks and patterns of threatening behaviour. It enabled the security team to qualify and focus on high-risk alerts which were mapped against the MITRE ATT&CK framework. This tracks the tactics and techniques used by adversaries helping analysts keep one step ahead.
Checking authentication was also vital to ensure access was maintained but not abused. The team were able to use the SIEM to monitor failed bad username/passwords at log-in, concurrency, user access time limits and instances where there were too many failed password attempts to see if systems are being subjected to enumeration attacks, for instance.
At Lancaster University, incidents were challenging to deal with because data logs were siloed in various systems and different formats so had to be converted and correlated in order to carry out investigations. It’s since used advanced analytics and correlation tools within a SIEM to spot privilege misuse (i.e. where users abused login enabling them to see restricted data), observe network trends and investigate issues pre-emptively to stop them from escalating.
Yet now more than ever universities are seeing diminishing budgetary returns so any technology investment needs to be carefully evaluated. The report mentions that universities need to balance the costs of implementing security controls against the potential costs of a risk being realised and its impact, for instance, but they also need to be able to forecast how costs might rise.
All too often the licensing terms of security solutions make them cost prohibitive because they are based on the data volume throughput rather than on seats or nodes. This was a major issue for Lancaster University who wanted the predictability to be able to budget for their network monitoring and not be forced to exclude logs in the future to keep costs down and it illustrates the importance of evaluating the suitability of solutions in an HE context.
Share and tell
Finally, the report advises maintaining momentum by continuously improving and reviewing due to the dynamic security landscape. That means adapting when circumstances change so it’s important that institutions keep abreast of the evolving threat spectrum and that their tools can deal with new attacks. One technology that can assist here is Security Orchestration Automation and Response (SOAR) which builds playbooks based on current and emerging threats that provide a process for responding to specific incidents. As these automate response, they also help improve response times and significantly lighten the load of the security team.
An effective security ecosystem ultimately depends on sharing information about risks, threats, remediation, and experiences. By centralising log management for threat detection and response, case summaries can be created which universities can use to create reports on security cases to share, making it easier to inform others on threat developments and trends. It’s this ability to tap into and share threat intelligence that promises to help deliver on the ultimate aim of the report: defending as one.
As we saw with the compromise of the Janet network, universities are interconnected and therefore interdependent so there’s a need to raise the bar when it comes to the security posture across the sector as a whole. If universities do not secure data appropriately, it can have financial, reputational, and personal consequences. Cyberattacks can disrupt the teaching environment, resulting in fines, loss of control of digital estate, students losing coursework, and many other significant implications.
Universities have become a prime target for cybercriminals because of their societal impact. It’s therefore essential that the sector now reviews its security posture, its ability to maintain ‘business as usual’ in respect to business continuity planning and seeks to share and collaborate so that it has a unified and concerted approach to cybersecurity preparedness and response. Only then can we expect to see the sector become more resilient to such attacks.