Inside job? Cyber criminals not responsible for hacks of universities and colleges, study suggests
Organised crime and hacking groups may not be responsible for the spate of cyber-attacks against universities and colleges in the UK.
The analysis has reportedly concluded that staff or students could instead be responsible, rather than outside hackers.
According to the BBC, Jisc examined the timing of 850 attacks in 2017-2018 and it found a “clear pattern” of attacks being concentrated during term times and during the working day.
When holidays begin, the report said that “the number of attacks decreases dramatically”.
This led the report to conclude there are “suspicions that staff or students could be in the frame.”
The report apparently says that rather than hacking groups or online criminals, the findings instead suggest that cyber attacks on universities and colleges are more likely to have been caused by disgruntled staff or students wanting to provoke “chaos”.
“It’s notoriously difficult to identify individual cyber-criminals,” Dr John Chapman, head of security operations for Jisc is quoted by the BBC as saying.
The report showed that the peaks and troughs of attacks mirror when students and staff were most likely to be present.
They increased from 08:00 or 09:00 and then tailed off in the early afternoon. There was a very sharp decline in attacks in the Christmas, Easter and summer breaks and during half-terms – with attacks rising again sharply when terms resumed.
The report found that there had been more than 850 attacks across the academic year, aimed at almost 190 universities and colleges.
One security expert has warned that universities need to do more to warn both students and staff of the impact of cyber attacks.
“Some of this will come down to educating staff and students,” said Nick Murison, managing consultant at Synopsys. “Campus networks can feel like safe places for students to try their hand at hacking, with some of the activity being down to curiosity as opposed to any intentional malice.”
“Staff may feel that their data doesn’t warrant much protection as it’s ‘just research data’ that holds little commercial value, and so may not take appropriate steps to secure their systems,” said Synopsys’ Murison. “University IT departments are constantly battling ‘shadow IT’, with students and staff connecting various systems to the network that are not centrally managed, and are often not secured.”
“Universities should ensure that everyone understands the impact of lax security and ‘messing around’, both through education campaigns and making it clear that there are real-world consequences for violating IT security policies, not to mention the law,” he said.
Murison said that universities have to enforce strong security controls for both internal and external systems, and enforce principles of least privilege.
“You cannot simply rely on a strong external perimeter; you have to harden all systems in anticipation of attacks from both the outside and the inside,” he said.
Another expert said it was little surprise that the attacks were coming from insiders.
“It’s no great surprise to hear that universities are suffering at the hands of insiders,” said Simon Cuthbert, Head of International, 8MAN by Protected Networks. “Whist external threats exist, the fact is that 80 percent of breaches are internal, and no network is exempt from the threat of these hackers, whether malicious or accidental.”
“The risks to universities are much the same as any given organisation, and these internal hacks often occur because users have too many permissions and access to data that they do not need,” said Cuthbert.
“IT teams need to be able to get a clear and simple view of who has access to what,” he said. “Once they have that baseline they can then work to understand why they have this access and whether it is required? They can then work on the process of repairing the permissions structure. As time goes on, managing permissions becomes much less taxing and far more rewarding when hacks of this nature can be thwarted.”
In 2016 security firm SentinelOne found that British universities were being actively attacked by ransomware.
SentinelOne submitted freedom of information (FoI) requests to 71 British universities to see if they had suffered a ransomware attack in 2016. It seems that 58 universities replied, and 23 admitted they had been attacked in the last year.
How much do you know about hackers? Take our quiz!