From education to employment

Discovering network vulnerabilities is crucial to the education sector’s fight against cybercrime

Mark Wantling, Chief Information Officer, University of Salford

Having previously issued cautions in August and September last year, the National Cyber Security Centre (NCSC) recently warned that an increased number of ransomware attacks have affected education establishments in the UK since February 2021, including schools, colleges and universities.

Most universities around the world had to quickly transition to remote learning when Covid-19 struck. Overnight, that created new IT management and security challenges as students and teachers connected to schools and universities through home wi-fi networks and personal computers – and many institutions, including the University of Salford, were unprepared for that sudden shift.

Since then, British educational institutions have faced wave after wave of cybercrime. With a combination of profit-driven groups launching sophisticated digital attacks, aiming to capitalise on the forced transition to remote learning and teaching, and state-backed entities probing research networks for vaccine-development data, the sector is under attack.

Security issues and concerns

It became clear at University of Salford that we were not fully prepared for the study-from-anywhere era and knew there was real risk. As they say, “You don’t know what you don’t know” so it became a priority to find out exactly what would happen if the network was hit. And the results from the security assessment were concerning.

The assessment showed how vulnerable we were to a digital breach and cybersecurity immediately moved to the top of our risk priorities. Closing cybersecurity gaps became a board-level focus overnight.

Despite recognising our exposure to cyber risk, we realised that we lacked the necessary capabilities to effectively protect our network of devices. One of the key issues that the security assessment showed was that our five endpoint management tools did not work well together. Each required their own teams, created their own data and as result we were working in siloes. The existing tools simply didn’t provide the breadth and depth needed to support the university in a remote-first world. As a result of this, there were several issues we needed to address quickly.

Firstly, we did not have complete visibility of our assets connected to the network, or what vulnerabilities these devices carried. By partnering with Tanium, a provider of endpoint management and security, we were able to discover hundreds of “hidden” endpoints (devices connected to the network which we weren’t aware of before) and hundreds of thousands of open vulnerabilities – across both our on-premises and remote-based assets.

Leading on from this, we found that many endpoints connected to the network did not have the necessary software patches or updates. By gaining better visibility into the network, we were able to quickly fix 38,000 missing patches and we updated software on thousands of endpoints.

Adding weight to these challenges was the fact that our IT infrastructure was large and siloed. The university operates four different schools supported by a complex blend of on-premises and cloud systems. With Tanium, we were able to establish real-time visibility into our assets across each of these and create a common system of record for our IT, security, risk and executive teams.

The importance of endpoint security

By improving our endpoint visibility and control, we were able to transform our risk posture and incident response capabilities.

Within a recent two-month period, the university experienced two zero-day threats. Each time, we were thankfully able to quickly identify vulnerable assets across the distributed network, patch them and report the incident to the board in less than a few minutes.

Increased endpoint visibility and security has really helped to level the playing field between us and the cyber-attackers. Previously, we would deploy critical patches three, four or five weeks after they were released. Now, we can deploy critical patches within 24 hours – and we know we are patching our entire digital estate. I simply didn’t have this certainty before.

Mark Wantling, Chief Information Officer, University of Salford

Related Articles