Universities' cyber defences exposed in penetration testing

Out-Law News | 05 Apr 2019 | 4:40 pm | 2 min. read

Ethical hackers took less than two hours to access "high value data" held by UK higher education providers in each of a series of cybersecurity exercises, it has been revealed.

Jisc, the body that provides shared digital infrastructure and services for the sector, said the data was exposed through penetration testing, which involves probing networks and systems for security vulnerabilities that others might exploit.

"Alarmingly, when using spear phishing as part of its penetration testing service, Jisc has a 100% track record of gaining access to a higher education institution’s high value data within two hours," a new report published by Jisc and the Higher Education Policy Institute (Hepi) said.

According to the report, two state-sponsored cyber attacks hit providers in the UK's higher education sector in 2018, in addition to a number of other cyber attacks carried out by organised criminals.

"During 2018, we noticed phishing attacks becoming more sophisticated and better targeted towards the education sector," the report said. "For example, around the beginning of term, particularly at the start of the academic year, there has been an increase in student grant fraud. This is where students are sent phishing emails purporting to offer free grants or requesting bank details are updated so that loans can be paid."

"‘Spear phishing’ attacks, where specific individuals are targeted with requests for information, have also become increasingly common. One example includes ‘CEO fraud’ where criminals send urgent transfer requests via email to finance departments, impersonating senior members of staff in an attempt to trick them into transferring funds into the fraudster’s bank account," it said.

The report further flagged that there were also more than 1,000 'distributed denial of service' (DDoS) attacks detected across 241 different organisations in the UK higher education sector in 2018.

Pinsent Masons, the law firm behind Out-Law.com, recently highlighted the growing cyber threat faced by UK higher education providers in a new whitepaper on education technology, or edtech.

Cyber risk expert David McIlwaine of Pinsent Masons said strengthening cybersecurity practices should be a priority for higher education providers, particularly as they look to adopt new edtech: "The rich data providers hold make them a target for attack and this, together with the scrutiny their data protection practices are coming under, calls for a renewed effort to address cyber risk."

"Technologies to help defend against attacks should be explored, but providers would be advised to focus much of their resources on detection tools – to help them quickly identify when systems have been breached – and in incident response. Coordinating a speedy response to a major cybersecurity incident is a significant challenge for any organisation, and therefore it is vital that providers develop and thoroughly test a cyber incident response plan," he said.

"In drawing up such plans, providers will identify important internal stakeholders and external advisers needed to respond quickly and effectively to incidents. Departments such as IT security, information systems, HR, communications, legal and risk are likely to be involved. Streamlined processes and clear reporting lines should be set out in the plan to ensure incidents identified are escalated quickly," McIlwaine said.