
Universities Face Double Threat of Ransomware, Data Breaches

Lack of strong security policies puts many schools at risk of compromise, disrupted services, and collateral damage.

Institutions of higher education continue to have problematic password policies, lack multifactor authentication (MFA), and have a plethora of open ports — despite suffering dozens of ransomware attacks and targeting by attackers focused on stealing student information and university research, according to a new study published Tuesday.

An analysis by cybersecurity services firm BlueVoyant of publicly reported cybersecurity incidents involving higher education found that over the past two years, about 9% of the passwords on a common list used by attackers matched those used in combination with a university-assigned e-mail address. Meanwhile, about two-thirds of universities had no DNS-based e-mail security protocols in place, and 38% of all universities had at least one open database port.


While universities have traditionally seen the same types of attacks that other organizations do — and perhaps more nation-state espionage attacks because of their research, especially those institutions focused on COVID-19 — their openness and vulnerability put them at greater risk, says Austin Berglas, former head of cyber at the FBI's New York office and global head of professional services at BlueVoyant.

"The risks that we outline are not impossible to remediate," he says. "However, especially in COVID times when you have an already-understaffed and underfunded IT team whose primary focus is to make sure that everyone has a working laptop and camera for remote learning ... it is daunting."

Because educational institutions are focused on access to learning and freedom to exchange knowledge, security is often a difficult prospect. In the US, almost every student — 97% — used their own laptop for at least one course and 89% used their own smartphones, according to an October 2019 survey conducted by the EDUCAUSE Center for Analysis and Research. A UK study found similar usage, with 93% of students using their own laptops and 83% using their own smartphones.

The combination of students using personal systems with the difficulty in enforcing security policies undermines many of the potential protections. When online textbook service Chegg suffered a compromise in April 2018, about an eighth of the 40 million subscribers affected by the breach used their university e-mail addresses as passwords, the BlueVoyant report states.

Those credentials, combined with password reuse and weak security policies, make such breaches a significant threat, says Berglas.

Looking at a subset of 30 public universities, BlueVoyant's analysis found an "across-the-board lack of basic e-mail security and a lack of multifactor authentication," he says. "This makes phishing, for example, a huge vulnerability."

Passwords continue to be a large issue, especially because MFA has not made significant inroads at schools. 

BlueVoyant collected billions of credentials from publicly available username and password lists, so-called "combolists," and compared those credentials to a list of 14.3 million popular passwords — the RockYou.txt file. Of the credentials that used an e-mail address from a .edu domain as a username, about 9% had passwords on the RockYou.txt list, the company found.

The problem extends beyond just gaining access to student e-mail messages, says Berglas.

"There is a massive amount of password reuse going on," he says. "Students and staff use their .edu accounts not just for school stuff, they use it for everything. And they often hang onto them long after they graduate. And so we see the reuse of those passwords be really critical with credential-stuffing attacks and brute-force attacks, and with allowing the bad guys to utilize those credentials for multiple other accounts."

Such weaknesses make attacks easier for the top higher-education attacker — ransomware gangs. With most schools offering virtual learning during the spring semester, they are particularly vulnerable to the operational disruption used by ransomware attackers to ensure payment, Berglas says.

"When they had on-site learning prior to the pandemic, if a school got hit with ransomware, maybe they could make the business decision to not pay the ransom because they could fall back to old-school learning," Berglas says. "But when 100% of your students are remote learning, and then you get hit with ransomware and the network goes down, it is forcing the hands of these universities to pay the ransom."

The company advised universities to adopt long passwords and implement MFA across all sensitive accounts, including e-mail access. To enforce these requirements, the organizations should monitor authentication attempts for anomalous activity and lock accounts that have nontypical behavior. In addition, password strength should be checked using blacklists, strength tests, or machine-learning algorithms designed to spot weak passwords.
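
The blocklist and length checks recommended above can be applied when a password is set or changed. The sketch below is an added example, not code from the article or from BlueVoyant's report; the minimum length, the small constructed blocklist (a stand-in for a real list such as RockYou.txt), the function names, and the rule rejecting passwords built from the account's own e-mail address are assumptions of the example.

```python
import unicodedata

MIN_LENGTH = 14  # assumed policy value; the article only says "long passwords"

# Constructed stand-in for a real blocklist such as the RockYou list named above.
SAMPLE_BLOCKLIST = {"123456", "password", "iloveyou", "princess", "qwerty123"}


def _norm(value: str) -> str:
    """Case-fold and Unicode-normalize so trivial variants compare equal."""
    return unicodedata.normalize("NFKC", value).casefold().strip()


def load_blocklist(lines) -> frozenset:
    """Build a lookup set from an iterable of passwords, one per line."""
    return frozenset(_norm(line) for line in lines if line.strip())


def screen_password(password: str, email: str, blocklist) -> list:
    """Return the reasons a candidate is rejected (empty list = accepted)."""
    reasons = []
    candidate = _norm(password)
    address = _norm(email)
    local_part = address.split("@", 1)[0]

    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if candidate in blocklist:
        reasons.append("on_blocklist")
    # Assumed rule: reject passwords built from the account identifier itself.
    # Short local parts are skipped to avoid rejecting on accidental matches.
    if (address and address in candidate) or (
        len(local_part) >= 3 and local_part in candidate
    ):
        reasons.append("contains_account_identifier")
    return reasons


if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_BLOCKLIST)
    for pw in ("Princess", "jdoe@example.edu", "correct horse battery staple"):
        print(repr(pw), screen_password(pw, "jdoe@example.edu", blocklist))
```

Returning reason codes rather than a single boolean lets the enrollment form tell the user what to change and lets the identity team count how often each rule fires.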

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
