CybSec risks in higher education, Part 2: Vulnerability and Risk

Gaute Wangen
Feb 28, 2021 · 10 min read

This essay is part 2 of the short version from the findings in A Systematic Review of Cybersecurity Risks in Higher Education.

Part 1 addressed the study background, assets, and threats. Continuing where we left off, Joachim Ulven and I did a comprehensive literature review of cyber risks in higher education (HE). The research paper turned out quite long and the results deserve a summary. This essay first summarizes the findings on generic vulnerabilities in HE highlighted in the literature, with a short digression into password security, before presenting a risk analysis of common risks. Furthermore, we discuss some outcomes and consequences, supplemented with publicly known examples. (Please refer to the paper for further explanations and citations.)

Figure 1 — Control domains (Picture source: https://purplesec.us/security-controls/)

Generic vulnerabilities in Higher education

Vulnerabilities are often organization-specific. Technical vulnerabilities depend on, for example, how the network, components, and devices are configured, which makes vulnerability highly specific to each organization. However, in our literature review we looked for common denominators for academic institutions. We sorted our findings into the standard administrative (organizational), technical, and physical categorization, summarized in Table 1. Vulnerabilities are a difficult topic to generalize and analyze, and we spent quite a lot of space in our original research paper discussing the topic.

Table 1 — Summary of vulnerability areas for HE

In my opinion, culture and awareness are the key findings in the vulnerability analysis because they permeate everything. In their excellent report from 2015, FireEye write that universities might be reluctant to incorporate any changes that may impede research. Security tools, or anything similar, that can limit access to information or communication might be undesirable. In their 2003 paper, Adams and Blandford describe this issue between academia and the security department as a “clash of cultures”, which can lead to the circumvention of security mechanisms caused by low usability. Adams and Blandford largely blame the HE security departments for not appropriately accommodating the needs of the faculty and students. The article was written 18 years ago; has the situation changed? I think the answer is maybe. Again the debate comes down to answering “What is acceptable risk?”.

To summarize, we found that the three vulnerability domains were tightly connected, with policy and budget decisions spanning the whole problem area. For example, the cultural aspects have deep roots in academia (as described in post 1) and directly impact management thinking: for instance, in physical security, where openness is the dominating factor and security restrictions might be undesirable. Furthermore, a lack of management commitment and investment in central IT and cybersecurity will lead to fragmented networks with weak segmentation and insufficient security controls, while not investing in security training will lead to negligent staff with a higher probability of data leaks and other security incidents.

And password security in HE…

Password security was one of the most frequently mentioned issues in the literature. Coincidentally, we did a socio-technical root-cause analysis of password security at NTNU, published at ICISSP 2020. The study is cited in our research paper, but in short: the University was suffering under a large number of compromised passwords, and attackers were logging into the infrastructure doing all kinds of malicious stuff. We decided that we should do a study of the issue, gathered data on the compromised accounts, made a couple of hypotheses about how they were breached, and, finally, reached out to the victims with a questionnaire to validate our theory using a scoring scheme (0–100). In short, our results turned out like this for the n=72 who participated:

Figure 2 — Scoring scheme for probable cause of password compromise; the higher the score, the more likely the cause. n=72.

We found password re-use to be the most probable culprit for 31 out of the 72 surveyed. The coloring scheme in the figure indicates where there was a mismatch between what we found to be the likely cause and the cause self-reported by the participant. E.g. under “PW reuse” we see that one participant scored a high number, but also had phishing as the self-reported cause. Most of the causes of PW compromise investigated in the paper can be linked back to the administrative vulnerabilities listed in Table 1. I refer to the root cause paper for an in-depth discussion of each issue.

Risks in HE

In the previous post, I included our summary analysis of the 2984 events. I include it here as well in Table 2, as it is a nice starting point for a discussion of risk. The stats are compiled from different sources collected with different instruments and capabilities, in different organizations, and during different periods, which means a lot of bias. So, we only provided the distribution of incidents as-is, together with the definition applied for the categorization. The distribution shows the most frequently reported threat events in HE.

Table 2 — The most common threat events for HE in the synthesized dataset.

Table 2 shows that the majority of incidents in HE are caused by Intrusion, malware, and compromise, followed closely by incidents triggered by Vulnerable assets and scanning. While we did not originally plan to dig as deep into the risk analysis part of the paper, the reviewers suggested that it would be a nice contribution. We therefore made an example risk model of the most frequent event, shown in Figure 3.

Figure 3 — Risk analysis combining threat agents, vulnerabilities, events, assets, and consequences, for the “Intrusions, malware, and compromise” events.

Moving from left to right, the model shows an attacker with a motive. He has multiple attack vectors with which to exploit vulnerabilities. In this example there are two attack vectors and three possible vulnerabilities which, if successfully exploited, will lead to the threat event. The model has examples of information assets as potential targets and three possible consequences of the threat event.

By applying our findings from the asset, threat, and vulnerability analysis, Joachim and I made the following risk analysis of the incidents presented in Table 2:

Table 3 — Asset, threat, and vulnerability risk analysis of the most frequent events in HE

Table 3 combines all our findings from reviewing existing literature on assets, threats, threat events, and vulnerabilities in HE, and can be a nice starting point for working with or researching cybersecurity risk in HE.

The rightmost column in Table 3 provides keywords for the possible consequences of each incident. I will spend the remainder of this post summarizing them, as they are important. We briefly discuss countermeasures in our review paper, but I have chosen not to include that here considering the length of this post.

Data Leaks

Data leaks are often the focus in cybersecurity, and multiple severe incidents have already occurred. Targeted attacks by state-sponsored espionage and cyber-crime aim for several types of information managed in HE. Espionage can aim to map the organization and obtain a technological advantage. Organized crime will primarily look to sell obtained information for financial gain. Hacktivists are a threat to universities working with politically controversial material, as they can gather sensitive data and release it for political gain. An example of a persistent hacking attack hit the Australian National University, targeting and extracting student and employee PII over multiple years. There are also publicly known industrial espionage attacks targeting universities. The publicly known incidents are probably just the tip of the iceberg.

Additionally, our original results document that data leaks can occur in multiple ways: unintended disclosure can be caused by, for example, human error combined with poorly documented data handling routines and security management, in both research and administrative processes. Weakly configured systems can also leak data publicly.

Data Loss

Irrecoverable data loss is a dreaded risk. The recent wave of ransomware during the corona pandemic should put it at the front of everybody’s mind regarding cybersecurity. Ransomware encrypts data and demands a ransom to decrypt it. The malware can enter the network via different channels, for example phishing emails, software vulnerabilities, BYOD, and other hacking attacks. Ransomware attacks are particularly severe when networks are poorly segmented and access controlled, as the attacker can, manually or automatically, traverse significant parts of the network unhindered and encrypt data. Furthermore, if the information is not backed up, or the backups are poorly protected, ransomware can lead to irrevocable data loss. Multiple universities have already ended up paying the ransom in the face of a data loss caused by ransomware. In 2020 alone, known cases include

And these are just the publicly known cases. Consider the asset lists in the previous post: how much did it cost to produce these assets, and how much should be spent on adequate protection? It is unlikely that the cost of properly securing the data will exceed the price demanded by the criminals. There is also no guarantee that the attackers will restore data upon receiving payment; you might even be re-infected by the same villains. Do your cost-benefit analysis and act accordingly.

Financial Fraud

Our findings documented cyber-crime as the main threat actor for academia. Primarily motivated by financial gain, this actor infiltrates systems and routines looking for financial and transactional data to exploit. Fraud is conducted mainly through social engineering, looking to exploit weak security routines in combination with low security awareness. Criminals can also leverage extortion techniques to coerce universities and employees into paying money. A popular attack vector is hijacking acquisition processes through social engineering and sending false invoices to the target. This attack technique succeeded in tricking, for example, the University of Tromsø into paying 1.2 million Euro in late 2019. Transactions in HE often involve large amounts of money and are lucrative targets.

Loss of Service availability

Universities are high-availability organizations when considering services such as internet connectivity, email systems, and digital libraries. For most universities, core processes will immediately suffer if critical services become unavailable. Weak risk management, in the form of not identifying essential systems and not making contingency plans, is a significant vulnerability in HE. Under-staffing when operating security-critical systems is also a vulnerability, especially when personnel are unaware of the criticality. Random errors can cause prolonged downtime and service level reduction if the HE institution is missing the appropriate workforce to restore the system quickly.

A large attack surface means many targets for both hacking and DoS attacks. The possibilities for sabotage are many. Furthermore, the corona pandemic in 2020 forced the HE sector to digitize. This development increased the availability requirements on IT systems needed to conduct core functions, such as teaching.

Abuse and Misuse of University Infrastructure and Resources

We categorized 4% of the incidents in Table 2 as Abuse and Misuse. Universities possess a broad range of computing resources, hosting opportunities, subscriptions, and bandwidth. The review results show that these assets can be abused by threat agents ranging from non-malicious to worst-case scenarios. Several sources mention the Silent Librarian campaign, where cybercriminals exploited compromised University accounts to steal thousands of research articles. Both criminals and insiders look to exploit University computing resources for cryptojacking for financial gain (mining cryptocurrency using resources they do not own). Another severe risk from weak security controls occurs when the University infrastructure is abused by criminals as a stepping stone to attack third parties. Typically, the aim is either to hide the attacker’s true identity or to masquerade the attack as legitimate traffic between the University and the target; University resources are also abused in cyberstalking.

Lastly, our results have documented large numbers of DDoS attacks occurring on University networks. Again, this can be a relatively benign activity, for example when students attack each other for fun, as described by Chapman. However, DDoS attacks can also be very serious when vulnerable network resources are leveraged by criminals to attack third parties.

Integrity Loss in Key Assets

Among the most critical information assets managed at the University are student records and the final diplomas. The incentive is obvious for students to hack and illegitimately change their grades for the better. A large-scale incident with changed exam grades and a loss of integrity in issued diplomas would be critical, and untrustworthy diplomas would be devastating for most HE institutions. Furthermore, integrity attacks on research data sets to sabotage competitors are also a likely scenario. Universities are also responsible for various payments and invoicing. Consider the possibility of such information being wrong, and either paying the wrong employee or billing the wrong recipient. Integrity risks are also present in HEIs.

Summary

This essay has summarized the key findings from our vulnerability and risk analysis based on the literature review. There is a lot more to be said, and a lot of it is said in our very long research paper. But I would like to draw attention to the lack of standardization of incident categories, which makes it challenging to combine data and conduct a risk analysis. It is evident from analyzing the data that there is no unified agreement on what an incident really is: e.g. is it an incident when you get notified by a third party about a vulnerable asset?

Another finding was that the detection capabilities of the reporting institution are often poorly described. Solely relying on technical detection capabilities, such as an IDS, will bias the incident reporting towards things that can be detected with that technology. Or are you relying solely on user reporting? These are essential aspects that are often overlooked when reporting data, and we encountered them big time in this study.

Thank you for sticking with me to the end of this article. The reviewers wanted us to extrapolate the most severe risks in HE, but for the reasons previously stated regarding the collected data, and because risks will vary between institutions, we chose not to. But for this not-so-rigorous write-up, I can tell you that I think it is ransomware targeting high-value research data (e.g. research data produced over decades that is irreplaceable).

If you want to cite our findings, the citation is:

Ulven, J.B.; Wangen, G. A Systematic Review of Cybersecurity Risks in Higher Education. Future Internet 2021, 13, 39. https://doi.org/10.3390/fi13020039

Nyblom, P.; Wangen, G.; Kianpour, M.; Østby, G. The Root Causes of Compromised Accounts at the University. In ICISSP 2020, pp. 540–551.


Written by Gaute Wangen

Co-founder and inventor at Diri AS. Ph.D. cyber risk management and associate professor in information security. #cybersheriff
