How can further and higher education institutions secure a workforce, faculty and student body that has – virtually overnight – moved entirely to remote delivery, and which are likely to remain remote for the foreseeable future?
This is the central question facing cyber security and IT managers across the education sector right now.
It was also the subject of the presentation that Imayon Pragadish from KHIPU Networks and I delivered at Networkshop48, Jisc’s event focusing on how to respond to the challenges faced by the education and research sector due to coronavirus.
Our presentation, ‘Protecting your workforce at home', addressed the challenges of securely working or learning from home, and techniques to overcome those challenges.
Essentially, the problem for the education sector’s IT security community is this: how do they provide the same level of IT security to remote users as can be delivered on campus?
The short answer is that there’s really no way to identically match the cyber security conditions within a campus setting – where the network infrastructure is under the watchful eye of a professional IT security staff – when hundreds or thousands of dispersed users are all logging on to online sessions via home wifi.
However, it is possible to identify the most pressing threats users face and implement best practice and solutions to address those threats.
In this way, users can access on-campus-quality cyber protections even when logging on remotely.
Threat 1: coronavirus-themed phishing
In the US, the Cybersecurity and Infrastructure Security Agency (CISA) issued a notice that malicious cyber attackers were likely to exploit the pandemic to increase phishing emails, targeting teleworkers to steal their usernames and passwords.
And that’s exactly what happened.
During the first week of March, the Infoblox cyber intelligence unit noted that ‘LokiBot infostealer’ joined the list of malware campaigns being distributed by cyber criminals.
In March alone, we observed two malicious spam email campaigns distributing LokiBot under the guise of providing information on the coronavirus impact to supply chains; a series of campaigns using COVID-19 or coronavirus-themed spam emails to distribute the ‘Agent Tesla infostealer’, and two other large campaigns distributing the ‘Hawkeye keylogger’ and ‘Predator the Thief’.
Threat 2: lookalike domains
Lookalike domains are fraudulent websites set up to look like an organisation’s website, or that of a well-known brand.
This style of cyber attack falls into two categories: customer-targeted attacks and employee-targeted attacks.
Customers are likely to become victims of attacks impersonating a genuine organisation, and the attack is typically delivered via a phishing email, social media or, occasionally, mobile messaging. Malicious links in the message take the customer to a fake website asking users to log in, attempting to gain access to credentials.
With employee-targeted attacks, attackers impersonate the brands of business partners, vendors or service providers. Attackers then leverage the trusted relationship between organisations to trick employees into making mistakes. The impact may be a direct compromise, particularly if the victim was highly targeted, like a chief financial officer (CFO).
They may also intend to compromise the users’ device so they can begin to move throughout the network in search of valuable data.
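One way a defender can screen domains seen in mail or proxy logs for the lookalike patterns described above (same brand under another suffix, homoglyph swaps, typosquats, the brand embedded in an unrelated name). This is an added example, not Infoblox or KHIPU Networks code; the institution's domains, the homoglyph table and the suffix shortcut are constructed assumptions.

```python
# Flag lookalike domains against an institution's own domains. Added example for this
# post, not Infoblox/KHIPU code; the legitimate domains and homoglyph table are constructed.
from typing import Optional

LEGIT_DOMAINS = {"example-uni.ac.uk", "vle.example-uni.ac.uk"}  # constructed
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}  # common swaps
MULTI_PART_SUFFIXES = {"ac", "co", "gov", "org", "edu"}  # assumption: crude stand-in for a public-suffix list


def registrable_label(domain: str) -> str:
    """Label the registrant chose, e.g. 'example-uni' in example-uni.ac.uk or foo.example-uni.ac.uk."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in MULTI_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def fold_homoglyphs(label: str) -> str:
    """Replace characters that imitate others so 'examp1e' compares equal to 'example'."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits between labels is the signature of a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(candidate: str) -> Optional[str]:
    """Why the candidate imitates a legitimate domain, or None for genuine or unrelated names."""
    cand = candidate.lower().rstrip(".")
    if cand in LEGIT_DOMAINS or any(cand.endswith("." + d) for d in LEGIT_DOMAINS):
        return None  # the real domain or one of its subdomains
    cand_label = registrable_label(cand)
    for legit in sorted(LEGIT_DOMAINS):
        legit_label = registrable_label(legit)
        if cand_label == legit_label:
            return f"same label '{legit_label}' under a different suffix"
        if fold_homoglyphs(cand_label) == fold_homoglyphs(legit_label):
            return f"homoglyph substitution for '{legit_label}'"
        if levenshtein(cand_label, legit_label) <= 2:
            return f"typosquat of '{legit_label}'"
        if legit_label in cand:
            return f"brand '{legit_label}' embedded in an unrelated domain"
    return None
```

Domains that the check flags are candidates for a block list or an alert, not proof of fraud; a newly registered name scoring on any rule is worth a closer look.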
Threat 3: data exfiltration over DNS
Data exfiltration over DNS - the unauthorised transfer of data out of a computer - is often attempted because DNS is an unchecked communication channel: security services typically do not inspect DNS queries for malicious domain names.
For example, if malware infects a device, any sensitive data stored on it is at risk, including banking records, spreadsheets, network locations and file shares. Such attacks succeed because the DNS server usually does not inspect the queries carrying the data – that traffic passes through as usual.
Fighting back - leveraging DNS intelligence for security
The most efficient way to protect educational infrastructure is not to shy away from evolving malware campaigns, but to develop a greater understanding of a) how they penetrate systems, and b) the most effective ways of countering threats.
At Infoblox, we've seen that the organisations who have been most successful in securing remote users during the crisis are leveraging DNS intelligence to enhance security.
These organisations embrace best practices such as monitoring who is accessing applications and from which devices, and then analysing network data to uncover actionable insights that enhance security and availability. It also helps to understand how threat intelligence, coupled with analytics, plays a decisive role in mitigating such attacks.
Leveraging DNS as a security control is highly effective for breaking the chain of attacks. Having a DNS platform that can leverage threat intelligence - a constantly updated directory of known malicious destinations on the internet - to recognise which sites are malicious and should be blocked is essential. Therefore, when a student or staff member tries to connect to a website that is identified in the threat database as malicious, the request will be denied.
This is a proactive mechanism for protecting the device from initial infection, but can also be effective with devices that are already infected.
For instance, if a device is infected while connected to an external network, and then tries to connect to the organisation’s network, the organisation’s DNS will reject the communication, preventing the infection from being transferred.
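The two DNS controls the post describes, a threat-intelligence block list applied at the resolver and inspection of the queries themselves for exfiltration patterns (Threat 3), together in one screening pass over a query log. This is an added example, not Infoblox or KHIPU Networks code; the block list, thresholds, zone rule and log lines are constructed assumptions.

```python
# Screen a DNS query log with a threat-intelligence block list plus DNS-exfiltration heuristics.
# Added example for this post, not Infoblox/KHIPU code; feed, thresholds and log are constructed.
import math
from collections import Counter, defaultdict

BLOCKED_DOMAINS = {"malicious-update.example", "c2-beacon.test"}  # constructed intel feed
MAX_LABEL_LEN = 40           # assumption: longer leftmost labels suggest an encoded payload
MIN_ENTROPY = 4.0            # assumption: bits/char; English words ~3.6, base32/64 payloads higher
UNIQUE_SUBDOMAIN_LIMIT = 5   # assumption: more unique names under one zone suggests chunked exfil

def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def is_blocked(qname: str) -> bool:
    """Deny a listed name and anything beneath it, as an RPZ-style zone match would."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)

def exfil_reason(qname: str):
    """Per-query check of the leftmost label; None when it looks ordinary."""
    label = qname.lower().rstrip(".").split(".")[0]
    if len(label) > MAX_LABEL_LEN:
        return f"label length {len(label)} > {MAX_LABEL_LEN}"
    if len(label) >= 16 and shannon_entropy(label) > MIN_ENTROPY:
        return f"label entropy {shannon_entropy(label):.2f} > {MIN_ENTROPY}"
    return None

def screen(log):
    """Classify (client, qname) pairs: blocked by intel, exfil-like, or chunked across one zone."""
    blocked, exfil, seen = [], [], defaultdict(set)  # seen: (client, zone) -> leftmost labels
    for client, qname in log:
        if is_blocked(qname):
            blocked.append(qname)   # resolver denies the lookup: no connection, no data leaves
            continue
        reason = exfil_reason(qname)
        if reason:
            exfil.append((qname, reason))
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) >= 3:  # zone = last two labels (assumption, not a public-suffix lookup)
            seen[(client, ".".join(labels[-2:]))].add(labels[0])
    noisy = [(c, z, len(s)) for (c, z), s in seen.items() if len(s) > UNIQUE_SUBDOMAIN_LIMIT]
    return {"blocked": blocked, "exfil": exfil, "noisy_zones": noisy}

# Constructed log: an ordinary lookup, one under a listed zone, one high-entropy label, and a
# low-and-slow run of short chunks that only the per-zone unique-subdomain count catches.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example-uni.ac.uk"),
    ("10.0.0.5", "cdn.malicious-update.example"),
    ("10.0.0.7", "zgf0ytpzywx0onbhc3n3b3jkomfkbwlu.t.tunnel.example"),
] + [("10.0.0.7", f"chunk{i:02d}.tunnel.example") for i in range(6)]
```

Running `screen(SAMPLE_LOG)` shows the three outcomes side by side: the listed zone is denied outright, the encoded label is flagged on its own, and the short chunks are only visible once queries are counted per client and zone.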
It’s an unfortunate reality that the COVID-19 pandemic has opened new vulnerabilities for cyber attackers to exploit.
However, organisations that are well informed, prepared and equipped for this new reality will be able to protect themselves and their users.
Find out how Infoblox is helping you manage the COVID-19 crisis or read more information on KHIPU Networks and Infoblox.
Infoblox and KHIPU Networks were sponsors of Networkshop48. View their presentation slides - securing your remote workforce (pdf).