Beating the odds: blocking cyberthreats in education

Mimecast

By Garrett O’Hara*
Friday, 28 October, 2022


In late 2018 a single email led to a breach of the systems of one of Australia’s top universities in what its vice-chancellor would eventually describe as a “diamond heist”.

The Australian National University (ANU) suffered a significant cyber attack which saw the personal information of students and staff, including names, addresses, phone numbers, dates of birth, emergency contact details, tax file numbers, payroll information, bank account details and student academic records stolen. This significant incident demonstrated the effort and level of sophistication that hackers are applying to target Australian education institutions, and the level of vigilance needed by this sector to defend the fort.

Universities, colleges and schools are prime targets for hackers, due to their large treasure troves of valuable data, coupled with often under-resourced cybersecurity teams and outdated legacy technologies which are difficult to update across the system. But there are basic steps that education institutions can take to significantly mitigate this threat and protect their data.

A report from ANU about the attack said it had an “incredible level of sophistication” and was a “state-of-the-art hack”. It involved a single email sent to a senior staff member at ANU that was previewed, but not opened.

This allowed the hacker to gain their username, password and calendar and then send targeted phishing emails to other staff members, eventually gaining more access to the system.

The cyber attack was likely carried out by up to 15 people, and may have been backed by a nation-state, the report found.

Melbourne Polytechnic and the New South Wales Department of Education have also recently been targeted by hacks. In recent months Deakin University in Victoria saw a breach involving one of its third-party providers, where names, identification and mobile numbers of about 47,000 students were accessed.

Of these, around 10,000 students were sent a text message pretending to be from the university, requesting them to pay a fee through a link.

In August, the University of Western Australia also suffered a breach of its student information system, compromising the personal information of current and past students.

According to the Australian Cyber Security Centre, education and training providers are now the fifth most targeted sector for cyber attacks. The sector is now worth $135.5 billion, and cyber attacks on it have risen by almost 20% in the last year.

Education institutions are particularly vulnerable to cyber attacks, due to the level of sensitive data they hold, and the complex systems of data flow which make it difficult to shore up defences. These systems are often highly complicated and siloed, and generate heterogeneous network traffic, creating the perfect place for malicious actors to hide.

Digital access for students is a difficult task, with a regular ebb and flow of students bringing in unmanaged devices with them, and these institutions are also often bureaucratic and siloed, relying on sometimes very outdated technologies.

Education institutions also present appealing targets for hackers looking to gain access to the personal information of individuals to hold it for ransom or sell it on for identity theft, and for more sophisticated attackers seeking the important intellectual property many education providers also hold.

Cybersecurity is also unfortunately not always a top priority at many education institutions. According to one survey, nearly 40% of education institutions have their senior cybersecurity expert report to a tech-focused role below the CIO, meaning that cybersecurity is left out of the boardroom.

The first step in defending against cyber attacks is awareness. Most breaches — no matter how sophisticated — start with human error, and staff and students need to be trained. Emails leading to the ANU breach adopted a spear phishing technique utilising social engineering, a common tactic among hackers, and security training would go a long way to preventing this happening.

This training should encompass best-practice password etiquette, how to spot scams and the value of personal data. And this training can’t be a tick-box exercise; it needs to be engaging and regular. Hackers are constantly adapting their techniques, and training needs to keep up with this.

There are also many basic but effective techniques that all education institutions should implement immediately. These include multi-factor authentication and the use of biometrics. Organisations should also consider using threat intelligence, encrypting data, managing endpoints, network segmentation, zero-trust frameworks and regular backups of data. These techniques should already be in place at all education institutions. If they’re not, they need to be implemented urgently.

Because education institutions and the data they hold are so appealing to hackers, they need to be constantly reducing their attack surfaces in order to contain these attacks and limit the damage caused if one does occur.

Many of these techniques are fairly basic and easy to implement and can go a long way to protecting against potentially hugely damaging cyber attacks for education institutions, both in terms of the data taken and the long-term reputational damage.

Universities have to be successful every time in defending against a cyber attack, while hackers just have to be successful once. Cybersecurity needs to be prioritised across the entire education system to effectively protect against cyber attacks of all forms, from the “diamond heists” to the lone hacktivists.

Garrett O’Hara is Mimecast’s APAC Field CTO and co-host of the Get Cyber Resilient podcast where he has interviewed local and global security leaders. Over two decades he has held roles across development, project management and delivery, training and development, and cyber resilience. This broad experience helps him support organisations as they navigate their cyber resilience strategies. He is a regular contributor to Australian media on all things cyber.

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd