At 3:00 AM EST on a recent morning, I sat bleary-eyed at my kitchen table, trying to get a grip on what a security analyst in Australia was telling me: “Your systems are under attack.” Cybercriminals were attempting to corrupt some of our hosted servers, and the origin of the attack: the campus network of that very customer.
How was this possible? What was going on? Institutions that use our Managed Services network have their servers protected by a leading Managed Security Services Provider (MSSP). Agents installed on each machine look for malware and suspicious activity of all stripes, which is important because if a cybercriminal gets past your security on one system, they can move to others on your network (and to other networks to which yours is connected). This is exactly what was happening to one of our customers at 3:00 AM.
A cybercriminal had attempted to infiltrate a system and download malicious scripts, moving from machine to machine, laying traps that would, if completed, simultaneously spring and result in a system-wide ransomware lockdown. In this case, as they moved through our customer’s servers, they didn’t realize they were moving across a virtual private network (VPN) to devices in Jenzabar’s care. Their attempts to download their script set off our alerts.
We quickly shut off the VPN connecting the servers and reached out to alert our customer that their network had been compromised.
Cyberattacks in Higher Education Are on the Rise
The 3:00 AM attack on our customer’s server wasn’t a singular experience. It happened again, and again, and again: Four different institutions, all our customers, experienced a live attacker on their network in the fourth quarter of 2021. The good news is that we were able to alert our customers before the cybercriminals completed their work. But other institutions haven’t been so lucky.
In the past few years, cases of cybercrime in the education sector have risen exponentially. More than 1,000 schools have been affected by ransomware attacks this year, many of them colleges and universities. Attacks like those at Howard University, Lincoln College, UCSF, and Wichita State—among others—have made headlines in major newspapers and cost colleges millions of dollars.
As experts predict even more attacks on higher education in the years to come, decision-makers across higher ed must be asking, “What can we do to better protect ourselves?” While there are dozens of steps you can take to secure your systems, I’ve laid out some of the most important steps below.
Multi-Factor Authentication
Multi-factor authentication (MFA) means using more than one authentication factor to protect your server. Servers exposed to the internet and protected only by a username and password are the number one source of attacks in higher education. In fact, servers running Windows Remote Desktop Protocol (RDP) without MFA are one of the most exploited ways into many educational and corporate networks.
There are numerous factors one can use beyond your password: an app on your mobile phone that prompts you to authorize access, a code you enter, a hardware key you plug into your laptop, a cryptographic certificate that is installed, and more. Some means of MFA are stronger than others but adding any one of the above-mentioned factors to your authentication process is better than using a password alone.
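The RDP exposure described above is something a campus security team can check for in its own Windows logon events. The following is an added example (not code from Jenzabar or from the original post) that runs over a handful of constructed Security log events: it flags RDP logons (Logon Type 10) reaching a server from outside the campus address ranges, a burst of failed logons from one source, and a success that follows such a burst, which is the pattern a password-only RDP server produces when it is being guessed at. The trusted-network list, the event layout and the thresholds are assumptions for the example.

```python
"""Spot password guessing against internet-exposed RDP in Windows logon events.

Constructed sample: each line is a flattened Windows Security event with the
fields a SIEM normally extracts from 4624 (logon success) and 4625 (failure).
Logon Type 10 is RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed campus/internal ranges; anything else is treated as the open internet.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events: time, event id, logon type, account, source address
SAMPLE_EVENTS = """\
2021-11-03T02:51:10 4625 10 administrator 203.0.113.45
2021-11-03T02:51:12 4625 10 admin 203.0.113.45
2021-11-03T02:51:15 4625 10 backup 203.0.113.45
2021-11-03T02:51:19 4625 10 registrar 203.0.113.45
2021-11-03T02:51:23 4625 10 jsmith 203.0.113.45
2021-11-03T02:51:30 4624 10 jsmith 203.0.113.45
2021-11-03T02:55:00 4625 10 jdoe 10.20.5.17
2021-11-03T03:00:00 4624 10 jdoe 10.20.5.17
2021-11-03T03:05:00 4624 3 svc-sql 10.20.5.40
"""


def is_external(ip):
    """True when the source address is outside every trusted range."""
    return not any(ip in net for net in TRUSTED_NETS)


def parse_events(text):
    """Turn the flattened log lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source": ipaddress.ip_address(source),
        })
    return events


def analyze_rdp_logons(text, threshold=5, window=timedelta(minutes=10)):
    """Return three findings about RDP (Logon Type 10) traffic:
    - external_sources: internet addresses that reached the RDP logon prompt
      at all (with password-only RDP each one is a live guessing target)
    - spray: sources with at least `threshold` failures inside `window`
    - success_after_spray: (source, account) pairs where a success followed
      that burst of failures, i.e. a guess probably landed
    """
    rdp = [e for e in parse_events(text) if e["logon_type"] == 10]
    failures = defaultdict(list)
    external = set()
    for e in rdp:
        if is_external(e["source"]):
            external.add(str(e["source"]))
        if e["event_id"] == 4625:
            failures[str(e["source"])].append(e["time"])

    spray = set()
    for src, times in failures.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures within `window`
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                spray.add(src)
                break

    success_after = set()
    for e in rdp:
        src = str(e["source"])
        if e["event_id"] == 4624 and src in spray and e["time"] >= max(failures[src]):
            success_after.add((src, e["account"]))

    return {
        "external_sources": sorted(external),
        "spray": sorted(spray),
        "success_after_spray": sorted(success_after),
    }


if __name__ == "__main__":
    for key, value in analyze_rdp_logons(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The first finding is the one to act on regardless of the other two: an RDP prompt answering to the internet with only a password in front of it is the exposure the paragraph above describes, and putting MFA (or a VPN gateway that enforces it) in front of it removes the whole class of alert rather than just this instance.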
Patch and Vulnerability Management
Patch management is the act of fixing system vulnerabilities via security updates. Applying security updates to your computer systems must be a regular (at least monthly) process. If you have someone on campus in charge of network security, they should be doing this job regularly. However, you can also set certain devices or applications to automatically update themselves.
I hasten to add that what you really want is “vulnerability management.” Companies like Tenable, Rapid7, and Qualys—among others—make fine enterprise products that scan your devices for missing patches, insecure configurations, and other vulnerabilities. These products can be expensive, but there are stand-alone scanners that won’t cost tens of thousands of dollars. At the very least, you need to make sure you are keeping your systems updated to ensure fixes to identified vulnerabilities.
In the spirit of good patch management, Jenzabar will be announcing a new policy soon that requires our applications to be kept more up to date in order to maintain support (and more importantly, to remediate security issues).
Endpoint Detection and Response Solutions
Endpoint detection and response (EDR) solutions are those that use various data analytics to detect suspicious system behavior, block malicious activity, and provide suggestions for restoring impacted systems. Those four incidents where an attacker was caught trying to move from a campus server onto Jenzabar servers—that was a managed EDR solution at work.
EDR solutions are the marriage of a good product and good services, and deciding how to choose an EDR solution can be a lengthy process. Microsoft is a strong player in this space, and Microsoft Defender for Endpoint is worth strong consideration, especially if you already own it in an A5/E5 contract or can acquire it as an add-on.
Protect Backups From Ransomware Actors
A big mistake institutions can make is backing systems up to disk but keeping that data somewhere accessible (and corruptible) on their networks. Ideally, you want your backed-up data to be housed in immutable storage, which is storage that can’t be overwritten/encrypted/corrupted by anyone in the organization.
Cloud solutions from Azure, AWS, Wasabi, and other vendors may be your best bet. On-premises immutable storage exists, but be absolutely certain that your storage cannot be accessed administratively to destroy the data.
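“Cannot be accessed administratively to destroy the data” is the property to verify, not assume, and cloud object stores make it a concrete setting. The following is an added example (not code from Jenzabar or from any vendor) that audits a backup bucket's write-once configuration using the dictionary shape AWS S3 returns for an Object Lock configuration; the bucket values are constructed, and the 30-day minimum retention is an assumption. It shows a weak setting beside the corrected one: Governance mode looks immutable but can be bypassed by any principal holding the s3:BypassGovernanceRetention permission, whereas Compliance mode cannot be shortened or removed by anyone, including the account root, until the retention period ends.

```python
"""Audit an object-store bucket's immutable (write-once) settings for backups.

The lock configuration dicts use the shape AWS S3 returns from
GetObjectLockConfiguration; every value below is constructed for the example.
"""

# Constructed: lock is on, but GOVERNANCE mode is administratively reversible
# and 7 days is too short to outlast an intrusion that dwells before striking.
WEAK_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}

# Constructed: COMPLIANCE mode cannot be shortened or removed by any principal,
# root account included, for the retention period.
HARDENED_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}},
    }
}

# Constructed: plain bucket with no lock at all (what "backing up to disk on the
# network" looks like in the cloud).
NO_LOCK_BUCKET = {}


def audit_backup_bucket(lock_config, versioning_status="Enabled", min_days=30):
    """Return a list of findings; an empty list means the bucket is acceptable
    as a ransomware-resistant backup target. `min_days` is an assumed policy
    value: retention must cover the time an intruder may sit quietly before
    encrypting, plus the time needed to notice and restore."""
    findings = []
    cfg = lock_config.get("ObjectLockConfiguration", {})

    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: backups can be deleted or overwritten")
        return findings

    # Object Lock only works on a versioned bucket.
    if versioning_status != "Enabled":
        findings.append("versioning disabled: object lock requires versioning")

    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention: new backup objects are not locked "
                        "unless the writer sets retention on each one")
        return findings

    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode {mode}: governance retention can be bypassed "
                        "by a principal granted s3:BypassGovernanceRetention, so a "
                        "compromised admin can purge the backups")

    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"retention {days} days is shorter than the {min_days}-day minimum")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET),
                      ("no-lock", NO_LOCK_BUCKET)):
        print(name, audit_backup_bucket(cfg) or ["ok"])
```

The same questions apply to on-premises immutable storage and to backup appliances: who can disable the lock, who can shorten the retention, and does the account that writes the backups also hold those rights? If the answer to the last question is yes, the backups are only as safe as that one credential.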
Preparing for When a Cyberattack Happens on Your Campus
Do not doubt that your system will, at some point, be targeted by cybercriminals. Having an incident response plan in place is critical, but I also recommend getting a retainer from an outside expert in incident response. An incident response retainer is like getting an insurance policy; it’s an additional resource to help you respond to a cyberattack. You don’t want to go searching for an incident response expert while the attack is occurring.
If you have no budget for this, I recommend getting a zero-dollar retainer. This is where you pre-negotiate legal and financial terms now and not while the proverbial house is burning down. Even better: Get a funded retainer and use the funds for other security services (such as penetration testing). This way your outside partners are familiar with your environment and better suited to assist you when the need arises.
There are plenty of other steps higher education institutions can take to reduce the risk of ransomware and other attacks. But the five methods listed above are very strong steps that you can take now to prevent and mitigate the damage of an inevitable cyberattack.
This blog was written by Bill Kyrouz, Jenzabar’s Director of Information Security.