Ethical hackers take down university cyber defences and obtain valuable data in just two hours
The cyber defences of British universities has been called into question after ethical hackers quickly overcame them.
Under penetration testing agreed in advance with the universities, Jisc – the UK provider of ICT (Information and Communications Technology) services for the education sector, said there was a 100 percent track record of gaining access to high-value data within two hours when spear phishing was used as a method of infiltration.
It comes after Jisc warned last year that a spate of cyber attacks against universities and colleges in the UK was more than likely down to staff or students, rather than outside hackers.
The “ethical hackers” working for Jisc were able to access personal data, finance systems and research networks in a number of the universities they were asked to test, within the space of just two hours.
The Jisc paper also found that during 2018, there were more than 1,000 Distributed Denial of Service (DDoS) attacks detected at 241 different UK education and research institutions.
Jisc also said more than 173 higher education providers engaged with Jisc’s Computer Security Incident Response Team (CSIRT) in 2018 (a 12 percent increase).
“Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat,” said Dr John Chapman, head of Jisc’s security operations centre and the author of the report.
“While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber security knowledge, skills and investment,” said Dr Chapman.
“To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences,” he added.
And it was pointed out that universities are a natural target as they often hold sensitive and valuable data.
“Universities hold masses of data on sensitive research, on the inventions of the future and on their staff and students, but some of it is not properly secured,” said Nick Hillman, director of HEPI.
“The two main functions of universities are to teach and to research,” said Hillman. “Students like having their personal data used to improve teaching and learning. But this support is conditional and is unlikely to survive a really serious data breach. Meanwhile, future UK economic growth is highly dependent on university research. This provides valuable information that a few unscrupulous foreign governments are keen to access.”
The Jisc ethical hacking exercise was welcomed by security experts.
“Universities have been the target of many attacks over the last 12 months which has highlight numerous weaknesses in their defences,” said Jake Moore, cyber security specialist at ESET.
“Testing defences in this way is a great opportunity to showcase not only the threat landscape on all industries but it also helps to produce the next generation of cyber professionals,” said Moore.
“Ethical hacking is notoriously the more interesting or even ‘sexier’ side of IT so it is excellent to see challenges such as this throughout the UK,” he added. “There is still a vast skills gap in the industry so initiatives such as this are encouraging.”
“One takeaway from this report suggests that spear phishing is still a typical threat actor required to gain the highest access to data, so awareness training needs to be heightened,” Moore concluded. “Training is still imperative to organisations whatever industry you are in.”
Do you know all about security? Try our quiz!