FE institutions are under increasing attack from cybercriminals looking to exploit open networks and steal personal information and IP. Jesper Johansson, chief security architect at Yubico, looks at what they should do to keep hackers out.
Drawn by “tempting and easily accessible” open networks and the sensitive information that flows over them, such as cutting-edge research as well as personal and payment details entered on shared computers and networks, hackers see educational institutions as particularly tantalizing targets. As a result, students take on more risk than they realise when they go online on campus.
Students aged between 18 and 25 face a dual threat: according to the UK government's Cyber Aware campaign, this age group is the most likely to reuse passwords across multiple online services. The danger is particularly acute because of the sensitive data people typically send via email and other accounts, which commonly includes bank details and copies of passports and driving licences. For collaborating students, this list is likely to include their research and other intellectual property.
Before FE institutions can effectively protect themselves and their students online, they must first understand the threats that they are facing. So let’s uncover some of the most common techniques for stealing internet credentials, popular and proven methods of defending against these attacks, and best practices to keep data safe:
Getting the job done, whatever the cost
With tight deadlines and busy schedules, it can be attractive for ambitious, well-intentioned students to cut corners, and security is usually one of the first areas to take a hit. They may borrow or share account credentials, leave shared devices unattended or unlocked, or mistakenly click on malicious links. These are all common practices that result in breaches.
Students have work to do, and if security hinders rather than helps them, they will work around controls they don’t understand. They may also want to work on the go, and one common pitfall even for the conscientious student is accessing important accounts and data over unsecured networks such as public WiFi.
Sometimes an unsecured network gives an attacker access to the network path and the ability to place a fake site between the victim’s computer and the site they are accessing, in what’s known as a “Man in the Middle” (MitM) attack. This lets the attacker steal login credentials and data if the connection is not encrypted, or if the victim believes the attacker’s system is legitimate.
Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy students can find themselves a victim. 91% of cyber-attacks start with a phishing email. While some attempts are obvious, sent by unknown senders with subjects like ‘Claim your ultimate deal now!’, the far more successful subject lines are the ones that don’t raise much suspicion.
Many phishing emails look like they have been sent legitimately by people known to the user. ‘Account action required’, ‘Important student loan information’, or ‘library loan return due’ can all be ploys to weaken the email recipient’s defences through seemingly ordinary alerts.
The body of the email can hold a whole new set of clues, including misspelled words and confusing context. Hackers can also use current or popular events to their advantage. For example, holiday seasons, trending causes and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets.
Attackers can be surprisingly successful at accessing accounts across many sites by guessing common passwords with specific or common usernames. Unfortunately, most people struggle with creating or remembering strong passwords. As a result, it’s common to choose weak passwords for convenience, and to use the same password, or a variant, across multiple sites.
This problem is exacerbated by the large volume of stolen credentials for sale on the dark web, with hundreds of millions available to attackers. Attackers have also reportedly targeted weaker sites to obtain an individual’s credentials; if successful, they then try those same credentials on the sites they’re actually interested in.
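As an added illustration (not part of the original article), the Python below shows the kind of check a campus IT team can run over its own sign-in logs to spot the password-guessing pattern just described: one source trying common passwords against many different accounts. The log line format, the thresholds and the addresses are constructed for this example, not taken from any real system.

```python
# Added example: flag password-spraying sources in a constructed auth log.
# Real SSO/IdP log formats differ; the line layout and thresholds are assumptions.
from collections import defaultdict
import re

# Constructed sample log: one address fails against many different accounts,
# plus ordinary noise from legitimate users (a forgotten password, a normal login).
SAMPLE_LOG = """\
2024-03-04T08:00:01 LOGIN_FAIL user=alice ip=203.0.113.9
2024-03-04T08:00:02 LOGIN_FAIL user=bob ip=203.0.113.9
2024-03-04T08:00:03 LOGIN_FAIL user=carol ip=203.0.113.9
2024-03-04T08:00:04 LOGIN_FAIL user=dave ip=203.0.113.9
2024-03-04T08:00:05 LOGIN_OK user=erin ip=203.0.113.9
2024-03-04T08:00:06 LOGIN_FAIL user=frank ip=203.0.113.9
2024-03-04T08:01:00 LOGIN_FAIL user=alice ip=198.51.100.7
2024-03-04T08:01:30 LOGIN_OK user=alice ip=198.51.100.7
2024-03-04T08:02:00 LOGIN_OK user=grace ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Yield (timestamp, event, user, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("event"), m.group("user"), m.group("ip")


def find_spraying_sources(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted usernames} for sources whose failures span at least
    `min_users` distinct accounts with a high failure ratio. A few failures on
    one account is a forgotten password; failures across many accounts from one
    address is the spraying pattern."""
    failed_users = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for _ts, event, user, ip in parse_log(text):
        attempts[ip] += 1
        if event == "LOGIN_FAIL":
            failures[ip] += 1
            failed_users[ip].add(user)
    flagged = {}
    for ip, users in failed_users.items():
        ratio = failures[ip] / attempts[ip]
        if len(users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = sorted(users)
    return flagged


def accounts_accessed_after_spray(text, flagged):
    """Accounts that a flagged source did log into: the ones to review and reset."""
    return sorted({user for _ts, ev, user, ip in parse_log(text)
                   if ev == "LOGIN_OK" and ip in flagged})


if __name__ == "__main__":
    hits = find_spraying_sources(SAMPLE_LOG)
    print("spraying sources:", hits)
    print("accounts to review:", accounts_accessed_after_spray(SAMPLE_LOG, hits))
```

The thresholds are deliberately conservative: a single address with five distinct failing usernames in a short span rarely has an innocent explanation, and the one successful login from that address is the account that needs a forced password reset and a 2FA check.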
Hackers are increasingly sophisticated
Hackers today want to stay one step ahead of organisations’ security protocols. PCs that are connected to the internet have large attack surfaces, making them vulnerable to attacks from many fronts, including malware, phishing, malicious apps, Wifi exploits, VPN masking, and social engineering.
Attacker objectives, victims, and techniques vary significantly. That said, we do know that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches. Since stealing someone’s password is relatively easy to do from afar, and there’s little risk of or danger in getting caught, it’s become one of the most common attacks in the world.
Having the strongest usernames and passwords isn’t a failsafe method. If they are compromised, a hacker can easily access your accounts. Phishing/malicious emails can often look like credible emails, and may even come from one of your known contacts. Thankfully, colleges have begun to recognize that strong authentication provides security that counters the fallout from the unprecedented swell of password breaches.
So how can FE institutions best protect themselves and their students against the onslaught of credential theft they face?
Prevention is the best protection
Institutions should ensure that security policies and procedures are communicated to all students and staff. They should take time to educate students not just on their chosen subject, but about the negative impact a data breach could have on the institution’s revenue, safety, and overall reputation. Regular communication with students is key to reinforcing what should be done to prevent breaches, and how to respond in the event of one.
All students are best advised to follow some basic good practice to help protect their accounts. They should never open an attachment or click a link if any aspect of the email seems suspicious, they should be reminded of good habits while using shared computers, and cyber security awareness campaigns should always be encouraged.
Fail to plan? Plan to fail
While no one wants to deal with a data breach, those that prepare for one before it happens weather the storm better. After you get compromised is a terrible time to draft the notification to staff and students, and is just as bad a time to work out how to determine what happened and stop it. A clear, and tested, response plan helps all parties involved know what to do. This attack mitigation plan must be implemented and championed from the top.
Unfortunately, while it’s common for FE institutions to have academic staff responsible for training the cyber security professionals of tomorrow, it is far less so for members of the SLT to have direct expertise in or responsibility for IT security. Prioritizing the protection of data and systems starts at the top. Building out a senior position with responsibility for cyber security and data privacy will ensure that there is a holistic, comprehensive approach to the security and privacy strategy, and it will also help further leadership buy-in by giving security a seat at the executive committee and decision-making process.
Unfortunately, some attacks are so sophisticated that they can even bypass the savviest of users. Thankfully there is a surprisingly easy and affordable way to protect online accounts from all of these attacks. There are technology solutions that can help, and we strongly recommend two-factor authentication (2FA). Many services enable the use of 2FA, which can help students protect their online accounts, emails and computer logins while helping to protect the most sensitive data of the institution and its students.
Physical hardware 2FA tokens are considered more effective than other methods such as SMS or software tokens. Staff or students log in using both their password and the physical token to secure access to web applications, computers, email and other online accounts. The combination of password and hardware token prevents hackers from accessing the account: even if credentials were to become compromised, the hacker would still need the user’s physical token to gain access.
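To show why a stolen password alone does not get an attacker in, here is an added example (not from the article, and not Yubico's or any vendor's implementation) that models a password-plus-hardware-token login in Python. It is a simplified, symmetric-key stand-in for the idea: the token answers a fresh server challenge with a MAC bound to the site's origin, so a phished password, a replayed response, or a response obtained through a lookalike site all fail. Real FIDO/U2F tokens use asymmetric keys and never export the private key; here the server receives a copy of the secret at enrolment as a simplification. All names, origins and values are constructed.

```python
# Added example: simplified model of password + hardware-token login.
# Not the FIDO2/U2F protocol or any vendor's firmware; origins and names are constructed.
import hashlib
import hmac
import os
import secrets

ORIGIN = "https://sso.example.ac.uk"        # constructed genuine origin
PW = "correct horse battery staple"         # constructed user password


def token_response(secret, nonce, origin):
    """What the token computes: a MAC over the server challenge and the origin
    it was told it is talking to. Same secret + different origin = different answer."""
    return hmac.new(secret, nonce + origin.encode(), "sha256").digest()


class Token:
    """Stands in for the hardware token: the secret is generated inside it and only
    responses come out. (Simplification: enrolment copies the secret to the server.)"""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def shared_secret(self):
        return self._secret

    def respond(self, nonce, origin):
        return token_response(self._secret, nonce, origin)


class Server:
    ITERATIONS = 100_000

    def __init__(self):
        self._users = {}      # user -> (salt, password_hash, token_secret)
        self._pending = {}    # user -> outstanding single-use challenge

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, Server.ITERATIONS)

    def enrol(self, user, password, token_secret):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt), token_secret)

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user, password, response):
        record = self._users.get(user)
        nonce = self._pending.pop(user, None)   # a challenge can be used once
        if record is None or nonce is None or response is None:
            return False
        salt, pw_hash, token_secret = record
        pw_ok = hmac.compare_digest(pw_hash, self._hash(password, salt))
        expected = token_response(token_secret, nonce, ORIGIN)
        return pw_ok and hmac.compare_digest(expected, response)


def run_scenarios():
    """Four logins with the correct password; only the one with the live token succeeds."""
    token, server = Token(), Server()
    server.enrol("alice", PW, token.shared_secret())
    results = {}
    # 1. Correct password, but no token present.
    server.challenge("alice")
    results["password_only"] = server.login("alice", PW, None)
    # 2. Genuine login: token answers the current challenge for the real origin.
    nonce = server.challenge("alice")
    good = token.respond(nonce, ORIGIN)
    results["password_and_token"] = server.login("alice", PW, good)
    # 3. Attacker has the phished password and a response captured earlier.
    server.challenge("alice")
    results["replayed_response"] = server.login("alice", PW, good)
    # 4. Lookalike site relays the real challenge; the token binds its answer to the
    #    origin it actually saw, so the relayed answer does not verify.
    nonce = server.challenge("alice")
    relayed = token.respond(nonce, "https://sso-example.ac.uk")  # constructed lookalike
    results["lookalike_origin"] = server.login("alice", PW, relayed)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} -> {'accepted' if ok else 'rejected'}")
```

Two design points carry the security value: the challenge is random and single-use, so a captured response is worthless a second time, and the origin is part of what the token signs, which is what makes hardware tokens resistant to the phishing described earlier in a way that SMS and app-generated codes are not.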
While there’s no simple fix to stop cybercriminals attempting to plunder the most precious resources on campus, it is possible to keep them from walking out with the data they want. The best way to achieve this is to ensure good cyber security practices are implemented, that these are reinforced throughout the institution from the leadership to every student and member of staff, and to double-lock accounts using 2FA.
Jesper Johansson, Chief Security Architect at Yubico