Following a spate of ransomware attacks targeting universities, the National Cyber Security Centre has advised academic institutions in the UK to implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks.
Noting that it has observed an increasing number of ransomware attacks targeting universities in recent months, NCSC said it is essential for academic institutions to take a number of steps to prevent malicious actors from encrypting their data and blackmailing them to pay large sums of money to regain access to data.
"Ransomware attacks can have a devastating impact on organisations, with victims requiring a significant amount of recovery time to re-enable critical services. These events can also be high profile in nature, with wide public and media interest," it warned.
NCSC said malicious actors are using a number of vectors to infiltrate the networks of universities and other academic institutions. These vectors include insecure Remote Desktop Protocol (RDP) used by employees to log in to office servers from different devices, vulnerable software or hardware attached to computer networks, and phishing emails that often impersonate CEOs, senior management, or trusted vendors to lure employees into handing over sensitive data.
Upon gaining access to computer networks, hackers not only plant malware or ransomware to hijack the networks or exfiltrate data, they also sabotage backup or auditing devices to make recovery more difficult, encrypt entire virtual servers, and use scripting environments (e.g. PowerShell) to easily deploy tooling or ransomware.
Academic institutions must implement a defence in depth strategy to ward off ransomware attacks
To save themselves from becoming a victim of the next big ransomware attack, NCSC said academic institutions must implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks.
This strategy involves enabling effective vulnerability management and patching procedures, securing RDP services using Multi-factor Authentication, installing and enabling antivirus software, implementing mechanisms to prevent phishing attacks, and disabling scripting environments and macros.
Universities, colleges, schools, and other organisations in the education sector must also have up-to-date and tested offline backups as offline backups are the most effective way to recover from a ransomware attack, NCSC added.
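As an added illustration of the controls listed above (not code from the NCSC advisory or from this article), the following read-only PowerShell audit checks a Windows workstation for the RDP, antivirus, macro, scripting and patching settings the advisory names; the registry paths, the Office version number (16.0) and the seven-day signature threshold are assumptions for this example.

```powershell
# Added example: read-only audit of the defence-in-depth controls named in the advisory.
# Registry locations and thresholds are assumptions; run as administrator.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value means the policy is not configured
}

$findings = @()

# 1. RDP: either disabled, or requiring Network Level Authentication (pair NLA with MFA at the gateway)
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpOff = (Get-RegValue $tsRoot 'fDenyTSConnections') -eq 1
$nla    = (Get-RegValue "$tsRoot\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1
if (-not $rdpOff -and -not $nla) { $findings += 'RDP enabled without Network Level Authentication' }

# 2. Antivirus: Microsoft Defender real-time protection on, signatures recent
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection disabled' }
if ($mp.AntivirusSignatureAge -gt 7)     { $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old" }

# 3. Office macros: blocked in files from the internet, and disabled without notification (VBAWarnings = 4)
$officePol = 'HKCU:\Software\Policies\Microsoft\Office\16.0'   # assumed Office version
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "$officePol\$app\Security"
    if ((Get-RegValue $sec 'blockcontentexecutionfrominternet') -ne 1) { $findings += "${app}: internet macros not blocked" }
    if ((Get-RegValue $sec 'VBAWarnings') -ne 4) { $findings += "${app}: macros not fully disabled" }
}

# 4. Scripting: PowerShell script block logging on, so tooling launched from the shell leaves an audit trail
$psLog = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if ((Get-RegValue $psLog 'EnableScriptBlockLogging') -ne 1) { $findings += 'PowerShell script block logging disabled' }

# 5. Patching: count updates not yet installed via the Windows Update COM API
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
if ($pending.Count -gt 0) { $findings += "$($pending.Count) Windows updates pending" }

if ($findings.Count -eq 0) { 'All checked controls in place' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reads settings; remediation (enforcing NLA, macro and logging policy via Group Policy, and scheduling patches) is left to the institution's configuration management so that results can be reviewed before changes are pushed.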
Commenting on NCSC's latest advisory to universities and other educational institutions, Andy Swift, Head of Offensive Security at Six Degrees, said many schools, colleges, and universities that have pivoted from classrooms to online learning have focused on deploying supporting technologies without giving due diligence to the cyber security risks they have introduced. Cybercriminals know this, and the successful ransomware attacks they have launched to date will only continue.
"Schools, colleges, and universities have put a lot of effort into keeping staff and students safe from physical dangers. But now is the time to start thinking virtually too, and that means going on their own cyber security journeys.
"As a first step, by carrying out cyber security assessments these institutions can establish their risk appetites, understand the cyber security risks they face, and align their cyber security postures to ensure they continue to provide excellent learning experiences whilst protecting their staff and students in this new operating reality," he added.
Despite risks, UK universities not spending enough on cyber security training
In July, security firm Redscan reported that 54% of UK universities reported a data breach to the Information Commissioner's Office in the last twelve months, yet a majority of universities were found lagging behind in terms of imparting cyber security training to staff and students, expenditure on security, carrying out pen testing, or hiring cyber security professionals.
Redscan found that out of 134 universities that responded to an FOI request, only 66 had Cyber Essentials or Cyber Essentials Plus certification, 49% were not proactive in providing security training and information to students, 12% of universities did not offer any kind of security guidance, support or training at all to students, and 46% of all university staff in the UK received no security training in the last year.
“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding. The threat posed to universities by nation-state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable,” said Mark Nicholls, CTO of Redscan.