What can be done about the specific cyber-risks faced by the education sector?

From strength to weakness: How sprawling networks pose a #cyber-risk

In the last few years, ransomware has been on the rise. This type of cyber-attack – that threatens to publish victim’s data or perpetually block access to applications unless a ransom is paid – has seen an increasing number of high-profile attacks in recent years.

From the WannaCry attack on the NHS to the impact NotPetya had on the global logistics company, Maersk, ransomware attacks have done considerable, and often irreversible, damage to organisations across both private and public sector organisations.

These attacks generally have a broad range of targets – ultimately, any organisation that relies on IT for critical services, which in today’s landscape means, well, all of them. However, the National Cyber Security Centre has said that ‘cyber crime will probably present the most evident and disruptive difficulties for universities’ in its 2019 report, highlighting the unwanted attention being received by the sector. As evidenced by the damage done to shared drives and student management systems in University College London in the wake of  WannaCry, or more recent attacks to smaller-scale secondary schools, ransomware poses a risk to a broad range of educational organisations, regardless of scale. 

More concerning still is that ransomware is only one facet to a more all-encompassing threat: ‘disruptionware’. While ransomware often fulfils the ambition of monetary gain, there are other tactics employed by cyber criminals that are designed to disable, disrupt or damage services and key infrastructure without seeking financial remuneration, and education can often be one of them.

So, what specific risks does the education sector face?

Why is education at risk?

To put it simply, the challenges faced are varied, but one important factor that makes it a popular target is that today’s interconnected buildings host vast numbers of devices. With each single device, there is an opportunity for a bad actor to find a pathway into the network.

It could be argued that protecting a network against one single permanent device is a straightforward task, but when this is multiplied by tens of thousands of connections every single day, the task becomes much more difficult. If one vulnerable device is granted access, it becomes the viable method of attack for the threat actor, and therefore endangering all other connected device through lateral movement.

The large number of unknown devices makes addressing this issue a challenge for education. Not only do permanent IT assets need to be secured and managed, such as PCs, printers, smart TVs etc, but the popularity of Bring-Your-Own-Device (BYOD) means that students and staff can be collectively bringing thousands of new devices onto the Wi-Fi network in a single day. Couple this with the fact that devices also used at home are more likely to be used for ‘risky’ activities such as streaming and downloading for external when compared to public devices (such as a library computer), an enormous number of potentially vulnerable endpoints are created for bad actors to leverage. 

Funding is another major factor increasing the risk of companies being damaged from ‘disruptionware’ attacks. Jics (a non-profit organisation for post-16 and higher education) questioned IT professionals within further and higher education in its 2018 Cybersecurity Posture Survey and found that lack of resources and budget/insufficient funding were both in the top 10 threats named for further education, with ransomware and malware at number one.

It is no coincidence that the Institute for Critical Infrastructure Technology (ICIT) recommended spending money on preparing for potential incidents as its first method of responding to a ransomware attack. Many of the other factors causing a risk to attack are pre-determined and independent of each other, however funding is one area that the education boards and directors have control over. Assigning budget to security measures before an attack takes place is fundamental to mitigating, at least to some extent, all other risks.

Taking this one step further, the emergence of hardware and software dedicated to detecting or causing changes in physical processes such as valves or pumps, known as operational technology (OT) poses another considerable risk. OT covers devices as simple as building sensors, light switches, security cameras, and air conditioning units but also extends to medical equipment and engineering machinery which often use internet connections to enable ‘smart’ capabilities.

The use of smart devices has great benefits for education organisations looking to optimise efficiency reduce costs and provide the latest technology to students but creates even more vulnerabilities for bad actors to leverage. As these are not obvious endpoints providing security measures to account for vulnerabilities is often overlooked. These OT devices pose as much risk as their conventional counterparts and need the same layered security protocols to reduce blindspots and prevent access points for threat actors.

Keeping Eyes on the Prize

So, what can be done? For a start, gaining full visibility over devices, whether they be permanent or BYOD, IT or OT is a strong foundation for any cybersecurity practice. Recent research indicates that 85% of IT teams agree a lack of full visibility is a significant point of weakness in any security infrastructure and, on average, any organisation that then goes on to achieve comprehensive network visibility will find 30% more devices than they were expecting

Full visibility allows for all these devices to be consolidated under one management system and cybersecurity policies to be applied unilaterally or on a case-by-case basis. For instance, different permissions can be granted to student’s laptops compared to a fixed lab computer and non-compliant devices that attempt to gain access can be instantly quarantined to prevent the risk of lateral movement. 

This allows for vulnerabilities to be located and dealt with before they can spread across the network. Segmentation of connected devices across the network also allows for this. The result of which is that if a compromise does occur, it isn’t able to infect the whole network.

As schools, colleges and universities look to keep themselves at the technological cutting edge, they will also need to review if their cybersecurity practices can sustain this growth. The convergence of OT and IT devices is necessary for maximising resource efficiency and increasing staff and student productivity just as BYOD is needed for a seamless student experience.

At the same time, these sorts of innovations create further vulnerabilities for ransomware, and indeed it’s parent ‘disruptionware’, to exploit. In the future, it is only likely that this attack vector will grow in sophistication, creating further pressures on educational organisations. As such, for those institutions looking to protect themselves from future attack, now is a better time than any to review their network security.

Myles Bray, VP of EMEA, Forescout, and has previously lead F5 Networks and Dell EMC’s VCE team. He’s been in the security and networking industry for over a decade.