Further education institutions have been investing more in cyber security training, products and services in the last few years. More colleges are using third-party services to help with detecting and managing threats and there’s been an increase in those achieving the Cyber Essentials certifications.
However, evidence from Jisc’s security operations centre (SOC) and the National Cyber Security Centre NCSC) has shown that colleges are still impacted by attacks and concerns about the growing threat of cyber attacks have increased.
Attacks – the facts
Over the past few years, Jisc’s computer security incident response team (CSIRT), which covers the national research and education network, Janet, has handled between 5,000 and 6,000 incidents and queries a year. The graph below shows a breakdown of the types of incidents affecting Jisc’s members.
These statistics help illustrate the breadth of incidents experienced across the education sector; the actual figures are heavily influenced by the activity of Janet CSIRT and the detection of events rather than their actual rates of occurrence. For example, a successful investigation into a botnet will cause that month’s malware figures to rise even though the malware may have been active, but undetected, in previous months.
Although the move to remote working for staff and students has changed the threat model facing colleges, it hasn’t changed the fact that security remains a high priority. Criminals are notorious for taking advantage of news events and piggybacking on emerging and trending issues, and the current COVID-19 situation is no different.
Very soon after news of the crisis arose, attacks started adapting to take advantage of the new context. Phishing emails have always been a problem and are even more so as criminals use coronavirus-related emails to encourage victims to follow links or download malware.
NCSC warned the public about this in April this year. Although not COVID-19 related, Janet CSIRT has had to respond recently to some extremely serious ransomware incidents. This included one college that had to close down all its systems for more than a week. With all incidents, and particularly business-disrupting examples like this, the sooner Janet CSIRT is contacted, the more effective digital forensics can be, and the quicker normal service can be resumed.
Denial of service attacks
During the last 12 months, Jisc has detected 569 denial of service attacks (DDoS) against colleges in England, which is more than 10% higher than the previous 12-month period. However, looking at the statistics from the start of lockdown until the time of writing (20 March to 20 May 2020), we detected 26 DDoS attacks targeting 15 UK colleges, which is fewer than those seen over the same time period in 2019 (100 DDoS attacks targeting 33 UK colleges).
The number of DDoS attacks in March and April for both years was fairly similar, but May has shown a significant drop, with 47 attacks reported 1-20 May 2019 and just five in the same period this year.
It is too soon to determine if this is due to lockdown changing the way everybody is working (including criminals) or if it is an anomaly. From previous analysis of attacks, and where we have managed to work with colleges to identify perpetrators, Janet CSIRT strongly suspects that a large proportion of DDoS attacks are being launched from within colleges.
With many systems hosted in the cloud rather than on campus, and resources and systems accessed directly from home networks, there is potentially less to gain from launching a denial of service attack against the college network during lockdown.
In one example, Jisc’s security analysts were mitigating an attack at a college that was launched at about 09:00. It finished at 12:00 and then started up again at 13:00 before petering out later that afternoon. This suggested that the attacker was somebody on campus who wanted to get online at lunchtime. The Jisc SOC has also detected access from colleges to websites that provide ‘attacks as a service’: so-called Booter and Stresser sites allow attackers to launch DDoS attacks against any organisation for just a few pounds.
If more colleges sign up to Jisc’s Janet Network resolver service (JNRS), then we can help prevent access to such sites from the college network. JNRS can also help mitigate the risk of users’ web requests being directed to compromised or dangerous web sites (for example, as a result of phishing or related attacks).
It is also important for colleges to maintain adequate logs on college systems to help identify attackers and determine what they have been up to. When a college experiences a cyber incident, its staff can call on Janet CSIRT for assistance. This could involve providing advice and guidance over email or by phone, but quite often entails a detailed investigation. This can include digital forensics to identify what exactly has happened, and how an attacker managed to get access, for example.
The team helps staff at institutions to get systems back up and working, to enable teaching and learning to continue. The CSIRT team also proactively contacts colleges when incidents have been detected, or when it has been alerted to a particular threat.
Attitude to risk
A total of 70% of respondents to the (pre-COVID-19) AoC/Jisc college IT survey said they either agreed or strongly agreed that their college is able to deal with a cyber security risk. This is an even more confident response than noted in Jisc’s 2019 cyber security posture survey where a mean score of 6.6/10 was given in response to the question ‘on a scale of 1 (not at all well) to 10 (very well protected) how well do you feel your organisation is protected?’ Almost a quarter of respondents gave a score of 8/10 or higher.
Although Jisc has witnessed good practice within some colleges, such as good processes and policies, including patching policies, as with all organisations, there are choices to be made on what is a priority.
There is some concern that not all colleges are aware of the range of threats and that incidents are under-reported: more than half of colleges stated in the 2019 posture survey that they had not reported cyber security incidents in the previous 12 months. In the AoC/Jisc IT survey, 11% of colleges reported experiencing at least one cyber security incident that caused significant business disruption and nearly all (96%) had experienced at least one minor incident.
Resource and expertise
Very few colleges have dedicated cyber security staff. In fact, just 11% of respondents to the 2019 posture survey stated they have specific security roles. Many have small teams with wide-ranging responsibilities, which mean they can’t do everything, so they have to prioritise. This might mean important attack vectors are overlooked.
Making good use of technology or working with a trusted partner, can help. Although adoption of security information and event management (SIEM) systems is low within FE currently, (4% according to the 2019 survey), having a central place for logging information from disparate systems helps save time in manually searching for signs of attack and can alert teams when something suspicious has been detected. Similarly, if it is already known what assets are connected to the network, it is easier to effectively manage threats.
From the findings of Jisc’s 2019 survey, we know that an increasing number of colleges are ensuring they have basic security controls in place, by gaining the Government’s Cyber Essentials certification. From just 4% of colleges in 2018, the 2019 survey results showed a large jump, to 31%. We expect this figure to have increased much further in this year’s survey as colleges strive to meet the data security requirements in the Education and Skills Funding Agency’s funding agreements.
Culture and training
Cyber security is both a technological and a cultural issue. Having technical controls in place to ensure that systems are kept up to date, patched, scanned for vulnerabilities etc. is key, but so is user training and awareness. It is encouraging to see more colleges training their staff, with an increase from 55% reporting mandatory training for some or all their staff in the posture survey from June 2019 to 67% in the AoC/Jisc IT survey in December.
The number that reported training students is not as positive, however, rising from just under a quarter in the June survey to 27% in December. Ensuring staff and learners are aware of the risk of phishing and malware as well as the need to back up their data is even more important with the current ways of working.
Cyber security awareness training should be in place for everyone across the organisation; getting the board and the directors to buy into the college’s cyber security strategy and embedding it throughout the whole organisation is vital.
Build strong defences
Remote working due to COVID-19 has changed the threat landscape but it still means the basic security controls and training needs to be undertaken. Attackers only have to find one weakness to exploit, so the more eyes on a network, the better the chance of blocking those weaknesses before the attackers get in or very soon after.
Although no institution is immune to cyber-attacks, there are a number of controls that should be in place to make colleges a harder target and to minimise the impact of an attack or breach. Colleges should ensure that systems are patched and kept up to date; networks should be segmented; all users should have information security awareness training; and consideration should be given to implementing a SIEM, either internally or via a managed service to maximise visibility.
Jisc is very keen to work with institutions to improve their cyber security posture and to ensure no college or their students get left behind when it comes to good security practices.
This article is part of a new e-book produced by the Association of Colleges and funded by Ufi, called Creating a post-Covid19 EdTech Strategy, bringing together all the wisdom and lessons learned from lockdown.
To learn more about cyber security, sign up free for Jisc's security conference (3-5 November 2020).