Students blamed for university and college cyber-attacks

The BBC has reported that a security analysis of cyber-attacks against universities and colleges in the UK has discovered staff or students could often be responsible, rather than organised crime or hacking groups.

Commenting on this, Nick Murison, managing consultant at Synopsys, said “Some of this will come down to educating staff and students. Campus networks can feel like safe places for students to try their hand at hacking, with some of the activity being down to curiosity as opposed to any intentional malice. Staff may feel that their data doesn’t warrant much protection as it’s “just research data” that holds little commercial value, and so may not take appropriate steps to secure their systems. University IT departments are constantly battling “shadow IT”, with students and staff connecting various systems to the network that are not centrally managed, and are often not secured. Universities should ensure that everyone understands the impact of lax security and “messing around”, both through education campaigns and making it clear that there are real-world consequences for violating IT security policies, not to mention the law.

Any threats are likely to be a combination of internal threats as well as external threats, where external attackers have managed to install malware on internal systems, and pivoting their attacks from the outside through internal systems. For example, if a Denial of Service attack seems to start and stop based on office hours, this could be down to a member of staff or a student turning their laptop or desktop computer on and off. The user of the computer may be entirely unaware of what is happening.

Much like dealing with any other threat actor, it comes down to minimising risk through keeping systems up to date, enforcing strong security controls for both internal and external systems, and enforcing principles of least privilege. You cannot simply rely on a strong external perimeter; you have to harden all systems in anticipation of attacks from both the outside and the inside.”