With their vast stores of personal data, Washington State University and other higher education institutions are prime targets for hackers looking to graduate from small-time credit card theft to big-time virtual havoc.

Ransomware attacks, in particular, have hit the education sector harder than any other industry during the pandemic.

Nearly half of all universities and K–12 schools globally were targeted by ransomware in 2020, according to a recent survey of IT professionals by the cybersecurity firm Sophos.

This included attacks against the University of Utah and the University of California, San Francisco, which both forked over large ransoms to obtain decryption keys for their data. But so far, WSU has escaped a similar fate.

Adding up the costs of downtime, repairs, and lost opportunities, the average ransomware attack cost educational institutions a staggering $2.73 million in 2020.

“The threat of ransomware has always been in the background, but it has really come to the fore over the last three years or so and continues to pick up,” says Tom Ambrosi, former assistant vice president and chief security officer at WSU. He worked at the university for 19 years, until last December. “Email is the primary threat vector, and universities are so heavily targeted because users often have account credentials that enable them direct access to research, payroll, and student data.”

One of the factors influencing the increase in ransomware attacks has been hardcore cybercriminals outsourcing much of the hard work of phishing for email login credentials to less experienced hackers, who then sell the compromised account information to the highest bidder.

“Cybercriminals are employing people who are willing to cast a wide net to get access to the easiest prey as fast as possible,” says Sasi Pillay, vice president of Information Technology Services (ITS) and chief information officer. “This makes it easier for the hardcore cybercriminals to focus on encrypting data and harder for law enforcement to figure out which actor is actually performing or conducting the attack.”

To combat the growing threat, Ambrosi and Pillay spent the better part of the last decade spearheading efforts to overhaul WSU’s online defenses to make it more difficult for hackers to target the greatest cybersecurity weakness of any organization: its people.

For example, WSU’s email protection services scan for malicious attachments and block a daily average of 70,000 threatening emails, or 50 each minute, before they ever reach university email inboxes.

Probably the most effective change has been the implementation of multifactor authentication (MFA) for many WSU online services.

MFA requires users to provide a secondary verification to log into a university account following initial password entry.

Prior to the implementation of MFA in the summer of 2019, WSU ITS reported an average of 1,000 compromised accounts each month that required reset by their team.

After the implementation, Pillay says, to the best of his knowledge, the university hasn’t had a single successful attempt at compromising an MFA-affiliated account.

In addition to increasing online security for its faculty, students, and staff, WSU is also helping to educate the next generation of cybersecurity professionals.

Last summer, the university established the Northwest Virtual Institute for Cybersecurity Education and Research (CySER) with the help of a $1.5 million Department of Defense award.

The institute is one of the first three funded in the United States by the Department of Defense’s Air Force Military Command.

Led by Bernie Van Wie, professor in the Gene and Linda Voiland School of Chemical Engineering and Bioengineering, CySER will train students in cyber basics, operations, or defense, offering bachelor’s degrees as well as specialized certificates.

It will capitalize on the research expertise of WSU scientists such as Assefaw Gebremedhin, associate professor, and Haipeng Cai, assistant professor, in the WSU School of Electrical Engineering and Computer Science.

Gebremedhin and his doctoral student James Halvorsen are using machine learning techniques to generate synthetic data that could help simulate cyberattacks.

“There isn’t a whole lot of good cybersecurity data out there, so machine learning gives us the capability to simulate the kind of attacks we expect to happen,” Gebremedhin says. “This then enables us to come up with solutions for how best to respond.”

Cai’s work focuses on ensuring mobile apps are doing what they are supposed to and not acting maliciously (e.g., disclosing private user data). He and his team developed a tool called DroidCat that uses a technique based on program analysis to identify abnormalities in the behaviors of apps operating on a user’s smart device.

“What we enable you to do is see whether apps on your phone are actually doing the things they are supposed to be doing,” Cai says. “It lets you know when something is going wrong with one of your apps, and you may want to address it.”

 
