Cybersecurity in the HE sector – getting the basics right

Managing security updates, vulnerability reviews, password policies and multi-factor authentication are staple university needs, says Clive Madders

Clive Madders
Cyber Tec Security
16 Dec 2021
Ransomware and other online dangers can be utilised by hackers to attack universities if they do not have their cybersecurity sorted

With IT now almost essential in our everyday lives and the internet of things (IoT) becoming more mainstream, we’re adding more and more potential risks into our networks, and the education sector is no exception. Crucially, schools and academic institutions are struggling to tackle the cybersecurity challenge and, above all else, are forgetting to implement the fundamentals.

Typically, the easiest way for a bad actor to gain access to any system is through people – staff and students – via social engineering tactics such as phishing. But often this only provides the bad actor user-level access, a foothold in the network – what hackers are really after is administrative control and “owning” systems, because at this point their options become limitless.

To achieve ownership, the bad actor will generally look for known vulnerabilities to exploit, bearing in mind they will have already bypassed protective measures such as internet firewalls. If successful, they will gain further access privileges until they end up with administrative access to a system. The attack is far simpler than you would think, requiring tools that can be legitimately downloaded from the internet for free – the same tools often used for more ethical purposes such as penetration testing and vulnerability assessments.

Of course, with this kind of high-level access, cybercriminals can acquire all kinds of data including teaching resources, financial records and staff, student and parent information. What we’ve also seen in the past year among higher education institutions is a rise in ransomware, where hackers may encrypt breached data and demand a sum of money for its release. The National Cyber Security Centre (NCSC) has issued official alerts to encourage the sector to take better preventative action.

So, how can schools and higher education institutions do this?

Training staff and students to recognise social engineering attempts is of course beneficial, but humans are always going to make mistakes, so it is likely that someone will be caught by a phish at some point, which may well result in their credentials being compromised. Multi-factor authentication is strongly recommended for every user on every system that supports it, so that if someone does have your password because of a successful phishing attempt, they won’t have access to the multi-factor solution – your phone, for example.

These measures are important, but it should also be assumed that at some point, whether through malware, a remote access solution or a compromised password, a bad actor will get in somehow. At this point, vulnerabilities – 164,873 of which are currently listed in the CVE (Common Vulnerabilities and Exposures) database – may be exposed, which hackers can often exploit using pre-written code published on the internet.

The “basics” that the education sector needs to be looking at to reduce its risk should target these vulnerabilities. This is achieved through making sure all operating systems, software and applications have the latest security updates applied so that the HE institution is not running anything with serious flaws and vulnerabilities.

A good example of software that is generally seen as problematic in the tech world is Adobe Flash, which currently has 1,460 known vulnerabilities (far higher than similar browser-based technologies such as QuickTime or Shockwave) listed in the CVE database, 11 of which are “new” since the product was discontinued by Adobe in December 2020. That’s 11 potential gaps available for a bad actor to use for gaining access to an institution’s systems.

We are also seeing a newer risk arise with IoT devices, purchased mainly by departments and not necessarily adopted by IT teams, all of which are connected to the internet and running software which itself could have vulnerabilities and be exploited. It sounds crazy, but it won’t be long before there’s a breach caused by a software vulnerability in a fridge or coffee machine.

While higher education institutions face several challenges regarding cybersecurity, particularly in managing many users on their networks (often on their own devices), more must be done at a basic level to tackle the cyber threat. Along with a good process to manage security updates, universities should have a vulnerability review programme in place, completing at least annual vulnerability assessments to ensure they know exactly what they have and what, if any, risks there are. If discovered early, these issues can be remediated, avoiding any old exploitable vulnerabilities being live and available within a network.

Good password policies and multi-factor authentication are also essential, the latter of which can, in most cases, be deployed easily throughout your systems at no additional product cost. Cyber awareness training for both students and staff will also play an integral role in a university’s cybersecurity strategy, as human error will likely always be the most common cause of cyberattack or breach.

On a final note, higher education institutions can begin to address these core cybersecurity controls by aligning with Cyber Essentials, the UK standard developed by the NCSC, which is specifically designed to deal with the basics, reducing the risk of suffering commodity-based attacks by up to 80 per cent.

Cyber Essentials may also be stipulated for certain grants and funding in the education sector; for example, it is now required by the Education and Skills Funding Agency. We recommend that everyone look at the standard and, at least, ensure they align; at best, achieve the certification.

Clive Madders is chief technical officer and assessor at Cyber Tec Security and has more than 25 years’ experience in the industry.
