Understanding the Assignment: Defending Against Ransomware

March 17, 2022 - 4 min read

The education sector has unceremoniously emerged as the second most common target for ransomware. In 2020, at least 1,681 schools, colleges, and universities of all sizes and prestige were infected. Institutions face the difficult challenge of preserving academic freedom, easy access to information, and open collaboration while defending against threat actors who exploit those same characteristics. The adoption of public cloud, software as a service, and the Internet of Things adds further layers of complexity to IT architectures that were never designed to support these applications.

Network architectures within higher education are largely hub-and-spoke, mirroring the physical layout of campuses. While this enables the prioritization of academic freedom and access to information, the legacy security controls designed for that architecture lose effectiveness as workloads move to public cloud and SaaS services.

The growth in remote learning has also presented bad actors with a great opportunity. It has created an incredibly wide attack surface with seemingly endless entry points to the network. Digital uptime is now a precondition for classes and work to happen at all, which makes schools more willing to quickly pay higher ransoms just to get back online.

Finally, the variety of users presents the challenge of competing missions, charters, and personas. Security policies and technologies must work for a user base that includes students, faculty, researchers, medical staff, private industry partners, and more. The relationships between these users, who may each hold multiple personas, and the institution further complicate security guidance and structure. For example, when I was at UC Davis I had to simultaneously fulfill the mission of a university, a hospital, and a research organization that collaborated with other institutions and government agencies.

Transforming the legacy

Legacy security assumed the data center was the center of gravity, containing all apps and services; it was the core of the hub-and-spoke network. Users connected via VPN, and networks were segmented with firewalls. This worked when the number of people connecting was relatively low and the applications fairly simple. As more people connected and the volume of data being accessed grew, latency and complexity grew with it. Frustrated by complex change processes and slow IT turnarounds, business users found ways around the roadblocks. Adding to the problem, universities adopted cloud, mobile, and IoT/OT to meet user needs, further diversifying an already vast IT surface.

How ransomware beats the system

Ransomware is often less about technological sophistication and more about exploiting the human element. Common initial access vectors for the malware that kicks off a ransomware attack include:

  • Phishing emails
  • Exploiting vulnerabilities in legitimate websites and trusted cloud-based apps such as Dropbox and Google Drive
  • Buying access: purchasing credentials on the darknet, or reusing previously leaked credentials in credential stuffing or brute force attacks

The breach often starts with a single compromised host, followed by the deployment of commercial and open-source penetration-testing tools delivered through a malware loader. The ransomware is designed to maximize the impact on operations by encrypting as many files as possible. It leaves behind a ransom note telling the victim how to contact the threat actor to negotiate and pay.

If you can’t control it, contain it 

Organizations need to focus on stopping lateral movement. The goal of lateral movement is to compromise additional systems, elevate access, and steal secrets. Compromising the domain controller, or the identity infrastructure more broadly, gives the threat actor access to nearly all systems. From there they stage the next phases of the attack: reconnaissance to identify data to exfiltrate, locating the organization's backup systems (to prevent file recovery), and rummaging through finance and HR systems to find important documents (such as intellectual property and trade secrets), key people, and account balances that reveal how much cash is on hand to pay. Only after the recon and exfiltration phase is ransomware deployed across the organization. A practical consequence is that backup systems and the identity tier should be reachable only over a small, monitored set of paths, and that unusual authentication fan-out from one account or host is worth alerting on well before any encryption starts.
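Two of the behaviours described above, the credential-stuffing entry point listed under initial access and the authentication fan-out that lateral movement produces, are both visible in ordinary authentication logs. The following Python example is added here as an illustration; it is not part of the original post and not code from any Zscaler product. It runs two sliding-window detectors over a constructed sample log and escalates fan-out that reaches the backup, identity, finance or HR hosts the text names as staging targets. The log format, field names, host names, asset inventory and thresholds are all assumptions made for the example.

```python
"""Added example: sliding-window detectors for credential stuffing and
lateral-movement fan-out over constructed authentication events.

Assumed (not from the original post): the one-line-per-event log format
"timestamp src user dst result", the host names, the HIGH_VALUE_HOSTS
inventory, and every threshold below. Tune thresholds to your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. One external source sprays many accounts at the VPN,
# lands one, and that account then hops across internal hosts; a second user
# shows ordinary activity and should not alert.
SAMPLE_LOG = """\
2022-03-17T09:00:01 203.0.113.7 alice@campus.edu vpn-gw FAIL
2022-03-17T09:00:02 203.0.113.7 bob@campus.edu vpn-gw FAIL
2022-03-17T09:00:03 203.0.113.7 carol@campus.edu vpn-gw FAIL
2022-03-17T09:00:04 203.0.113.7 dave@campus.edu vpn-gw FAIL
2022-03-17T09:00:05 203.0.113.7 erin@campus.edu vpn-gw FAIL
2022-03-17T09:00:06 203.0.113.7 frank@campus.edu vpn-gw SUCCESS
2022-03-17T09:05:00 10.20.0.15 frank@campus.edu fileserver-01 SUCCESS
2022-03-17T09:05:12 10.20.0.15 frank@campus.edu backup-01 SUCCESS
2022-03-17T09:05:30 10.20.0.15 frank@campus.edu hr-app-01 SUCCESS
2022-03-17T09:05:41 10.20.0.15 frank@campus.edu finance-db-01 SUCCESS
2022-03-17T09:05:55 10.20.0.15 frank@campus.edu dc-01 SUCCESS
2022-03-17T09:30:00 10.20.0.88 grace@campus.edu mail-01 SUCCESS
2022-03-17T09:31:00 10.20.0.88 grace@campus.edu mail-01 FAIL
2022-03-17T13:00:00 10.20.0.88 grace@campus.edu fileserver-01 SUCCESS
"""

# Assumed asset inventory: the systems the text singles out as the actor's
# staging targets (identity infrastructure, backups, finance and HR).
HIGH_VALUE_HOSTS = {"dc-01", "backup-01", "finance-db-01", "hr-app-01"}


def parse_events(text):
    """Parse the assumed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "dst": dst, "ok": result == "SUCCESS"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=5, min_accounts=4):
    """Sources with >= min_failures failed logons spread over >= min_accounts
    distinct accounts inside `window`. Returns {src: set(accounts)}."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures
    hits = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:   # expire old failures
            q.popleft()
        accounts = {u for _, u in q}
        if len(q) >= min_failures and len(accounts) >= min_accounts:
            hits.setdefault(e["src"], set()).update(accounts)
    return hits


def detect_lateral_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Accounts that successfully log on to >= min_hosts distinct destination
    hosts inside `window`. Returns {user: set(hosts)}."""
    recent = defaultdict(deque)   # user -> deque of (ts, dst) successes
    hits = {}
    for e in events:
        if not e["ok"]:
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= min_hosts:
            hits.setdefault(e["user"], set()).update(hosts)
    return hits


def triage(events):
    """Run both detectors and return (severity, message) tuples, escalating
    fan-out that touches a high-value host."""
    alerts = []
    for src, accounts in sorted(detect_credential_stuffing(events).items()):
        alerts.append(("medium", f"credential stuffing from {src}: "
                                 f"{len(accounts)} accounts targeted"))
    for user, hosts in sorted(detect_lateral_fanout(events).items()):
        touched = sorted(hosts & HIGH_VALUE_HOSTS)
        severity = "critical" if touched else "high"
        msg = f"lateral fan-out by {user}: {len(hosts)} hosts"
        if touched:
            msg += ", including " + ", ".join(touched)
        alerts.append((severity, msg))
    return alerts


if __name__ == "__main__":
    for severity, msg in triage(parse_events(SAMPLE_LOG)):
        print(f"[{severity}] {msg}")
```

The fan-out detector deliberately keys on the account rather than the source address, because an actor who has reached the identity tier will reuse one set of stolen credentials from several hosts; keying on the source would split that activity and miss it.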

The best way to contain a threat is to never let it on your network. 


The Zscaler Zero Trust Exchange allows organizations to do just that. Using Zscaler, users can get to any application or data they need (and are permitted to access) without ever getting on the network. Zscaler was built from the ground up to enable customers to move securely in a world where the cloud is the new data center and the internet the new network. The Zero Trust Exchange was developed to ensure that organizations can operate under any conditions, at any scale, anywhere in the world, regardless of user device or location.

We invite you to join us at Educause’s Cybersecurity and Privacy Professionals Conference this May and hope you will participate in an interactive session I will be hosting.
