30 October 2020

With more of us working from home, cyber security issues have become an even more pressing global threat.

Protecting education and research institutions against them is a global enterprise and national education and research networks (NRENs) are taking a highly collaborative approach to sharing intelligence and developing solutions.

We asked six security experts – all of them speakers at the Jisc security conference – to share their thoughts on recent events and current threats.

How have cyber security threats developed during the COVID-19 pandemic and how are NRENs responding to these challenges? 

TC: Some of the choices made very quickly when people were sent home became permanent. In Nordic nations, the risks around video conferences came into sharper focus. Virtual private networks (VPNs) also came under scrutiny because they had to scale (and often they couldn’t because of hardware and licence limitations). We saw a number of universities moving to eduVPN because it scales well and is supported by NRENs.  

Suddenly, threats relating to the internet of things (IoT) get a different character when the threat isn’t limited to home networks, which are generally poorly secured, because there is also a tunnel to the home institution. 

HH: Cyber security threat actors have shifted their focus to targeting systems used to support remote working such as VPNs and remote desktop protocol (RDP) services.

We provide regular security briefings and we also offer services that help protect against these threats, including DDoS mitigation, critical services protection and geographic IP location blocking. 

AM: As with all major events, there is an increase in related spam mail. Mostly it’s an annoyance, but it can be accompanied by phishing and other threats. 

DO’L: We have seen an uptick in DDoS attacks, COVID-related phishing and unique attacks like Zoom bombing.  We have been working with global and domestic partners to identify and leverage common challenges, share information and capabilities and simply swap stories to spark ideas. Conversely, face-to-face meetings have shifted to virtual, which opens up more opportunities to involve greater numbers of participants, albeit with the limitations that virtual imposes. 

LO’S: In Ireland, ‘smishing’ campaigns have increased drastically. We’ve seen COVID-19 related text messages allegedly from contact tracing and special ‘lockdown’ offers from food establishments, all trying to trick people into revealing their personal data. We have responded by ensuring we keep our teams up to date on current threats, providing tips and offering security awareness training.  

KW: Home working introduces more attack vectors because perimeter security is a valuable part of defence-in-depth. The weakest link is devices that are connected to unmanaged networks. Having said that, increased focus on remote working has brought positive changes, including greater attention to document classification and centralising document storage in a well-managed location. There’s also a lot more interest in using VPN-technology for secure campus access. 

What are the key cyber security challenges that education institutions face in keeping people and systems safe from harm when working from home? 

TC: The nature of the risks hasn’t changed much, it’s mostly the numbers. Everyone is using their own devices on home networks that aren’t necessarily well secured. Controlling devices centrally is hard when we are dealing with the IoT. 

HH: The first line of defence for any organisation is its staff. Cyber security and information security training help an organisation protect itself from phishing and social engineering attacks. In terms of risks to infrastructure and systems, it’s essential to separate critical elements of digital infrastructure. As an example, allowing active directory domain administrators’ accounts to access backup, logging and monitoring systems opens up the possibility of attacks that can gain elevated privileges and encrypt those critical systems. As far as possible, critical functions should be separated in terms of both the network and user accounts.  

AM: Normal protection measures might have been bypassed while getting people working online quickly, especially as it was originally intended to be for just a couple of weeks. Organisations allowed people to take equipment home without keeping proper track and the updating mechanisms need to be redesigned because, for example, laptops usually need to be on the campus network to receive updates. Home workers may have laptops that could be vulnerable to compromise. 

Some people won’t have dedicated equipment for remote working – and using a shared computer introduces extra threats. For example, accessing Facebook and the university network during the same browser session without extra protection isn’t a good idea. 

DO’L: The pandemic has accelerated digital transformation in remote/teleworking, which many institutions had previously dismissed as unworkable. At the same time, there are many more challenges, including home network vulnerabilities, bring-your-own device (BYOD), corporate patch issues and privacy concerns with exam invigilation applications. 

Usage patterns and behaviours have shifted, and some detection and analytic functions need to adapt. 

LO’S: One of the main challenges is the unfamiliarity of working from home and knowing how to get help from the IT department. Questions like ‘how do I check if I have antivirus?’ and ‘where can I store passwords?’ are very common now. 

Home working can make people a lot more vulnerable to phishing email scams. It is important to remember that we are out of our usual working environment and there are lots of demands on our time and attention. Opportunistic fraudsters know this and some of us will be specifically targeted, particularly key groups such as new hires and finance departments. 

Good communication is key

KW: It starts with encouraging users to patch, install anti-virus software etc and take up training. Next, they need secure access through a VPN like eduVPN. 

Are there things universities and colleges can do to encourage people to take more responsibility for their own safety online? 

TC: Yes. Education and awareness campaigns are probably necessary regarding end-point security. But you can also impose some rules as an administrator (up-to-date software, use of a VPN, etc). 

HH: Awareness-raising and training demystify the challenges and enable individuals to protect themselves. Understanding, for example, the importance of using supported and patched operating systems and software allows people to make more informed choices and avoid becoming victims of cyber crime.  

AM: Universities and colleges should explain the importance of the data and information that people have access to and describe the threats that exist. They should teach people how to use tools for safer working (such as a VPN) and how they can check and fix the safety of their home network and home equipment. And repeat this, time and again. 

DO’L: Institutions have made some great adaptations with well-tailored security awareness campaigns that have likened the corporate challenges directly to the individual’s personal experiences like social media. Highlighting a shared responsibility can have a very positive effect. 

They can also use appropriate tools to educate and implement security in ways that could support personal security, too. We have seen organisations offer corporate/personal bundles of licensing for some applications that give a direct work and personal licence for a service like multi-factor authentication (MFA) or password vaults. 

LO’S: We provide security awareness training, encouraging individuals to understand their role in their own safety online. We use real-life examples from the educational context and everyday life and we localise it to make it relatable. 

KW: Training! 

To find out more, register for the free, online Jisc security conference 2020, 3-5 November 2020. Don’t miss these important sessions: 

• Tuesday 3 November, 10:15 – eduVPN: an open source VPN solution that scales, Tangui Coulouarn, DeiC  
• Tuesday 3 November, 15:15 – addressing the challenges with COVID-19 and remote working, David Batho and Lee Harrigan-Green, Jisc  
• Wednesday 4 November, 10:15 – why security awareness training has to take focus – the human element of cyber security, Louise O Sullivan, HEAnet 
• Wednesday 4 November, 14:15 – keynote, Klaas Wierenga, GÉANT 
• Thursday 5 November, 10:15 – international collaboration for safe and secure research and education, Alf Moens, GÉANT