Three Phish Tales

There were numerous phishing incidents at universities across the country in the past year. The three highlighted here provide considerable insight into why hackers target colleges and universities. WSU counters hacking attempts with several best practices.

Hackers phish because they need only occasional success to make it profitable, which makes our awareness and vigilance paramount.


Rich with Sensitive Information

The Chronicle of Higher Education - Just in Time for Fall Term, a Cyberattack Forces an Entire College's Systems Offline

"Colleges may not view themselves as money pots for hackers, compared with other organizations ... but they're confronting their own susceptibility as targets rich with sensitive research and personal information."

"Colleges and universities have some challenges that maybe don't exist as much in the corporate world. Generally speaking, they like to be very open. Nor do they have the sheer resources of ... companies that have been hit by major data breaches in recent years."

"But they should still follow best practices for cyber defense, including two-factor authentication and regular updates of software. They should also train users to resist "social engineering" attacks, like phishing attempts, that prey on human error."

Inside Higher Ed - Hackers Demand $2 Million From Monroe

"Typically, these attacks start with a phishing email - an email disguised to look as if it is from a trusted source. If someone unwittingly clicks on a link in a fraudulent email or enters their personal log-in information, hackers can install malicious software known as ransomware. The hackers then demand money for the encryption key."

"You need to train your community to recognize anything suspicious and report it ASAP. In the past few years, many colleges have started to use simulated phishing programs - deliberately send fraudulent-looking emails to faculty, staff and students to see how they respond. Previously, many institutions were unwilling to take this approach because they didn't want to "trick" their community, but it's increasingly seen as necessary."

The Verge - Chinese hackers reportedly targeted 27 universities for military secrets

"Chinese hackers singled out more than two dozen universities in the U.S. and around the world in an apparent bid to gain access to maritime military research, according to a report by cybersecurity firm iDefense."

"The hackers sent spear phishing emails doctored to appear as if they came from partner universities, but they unleashed a malicious payload when opened. Universities are traditionally seen as easier targets than military contractors and they can still contain useful military research." 


Best Practices

Colleges and universities can be susceptible to cyberattacks because they:

  • Operate in open computing environments
  • Are rich with sensitive research and personal information
  • Have comparatively limited computing resources
  • Are viewed as easier targets

Best practices for countering these vulnerabilities include:

  • Regular software updates
  • Two-factor authentication
  • Security education program with simulated phishing
  • Means for reporting suspicious activity, e.g. spamreport@wichita.edu

Hackers look for any small entryway, such as an executive transition, to help their email look legitimate.

In early January, I received a phishing email purportedly from incoming president Jay Golden. My first thought was that it was probably just another test from WSU ITS, but I forwarded it to spamreport just in case.

Shortly thereafter, an ITS technician replied to confirm that the phishing attempt was "the real deal" and had been reported to Microsoft. Ironically, the bogus email was about a business ethics and integrity program.

These examples illustrate why WSU ITS has aggressively pursued these and other best practices, especially the recent emphasis on simulated phishing.


Update - January 28, 2020

Not long after my phish tales entry, I saw that the Denver Post reported the following:

Denver's Regis University paid ransom to "malicious actors" behind campus cyberattack

Most notably, Regis officials acknowledged that the cyberattack impaired day-to-day operations for months even after the university paid the ransom.