How Aussie universities can avoid cyber attacks
Over the past few years, we've seen an escalation of cyber attacks on Australian universities, with The University of Western Australia targeted in August and Deakin University back in July, and at least 6 in total over the last three years. Universities have always been targets for cybercrime, so we're not necessarily seeing anything new; however, the volume of attacks is alarming and should serve as a warning for universities to bolster their defences in preparation for the inevitable.
Universities work alongside the government, conduct valuable research and also have large student and client databases that are worth a lot of money on the black market. Some universities also partner with Defence and others even have government network environments installed on campus. In addition, many academics take up tenure as advisors on company boards or work as industry consultants while undertaking their own valuable research. All of these appointments and extracurricular activities can make university networks highly attractive targets, as a breach of the campus network can expose not just the university, but all of those interconnected organisations.
More recently, during COVID-19, Australian universities were leading the charge on vaccine research and development, making them even bigger targets for nation-state attacks.
What makes universities harder to defend?
One reason universities make for an easier target is that they have complex and sprawling ICT systems, meaning the attack surface is broad and often open in certain places, making them harder to protect.
What this means is that technology itself is not going to make a university secure. Instead, university IT teams need to invest in the people side of cybersecurity too. To cover all bases, a balanced approach that includes people, processes and technology is needed to continually monitor the network for unusual behaviour that may indicate a breach has occurred.
In a cautionary tale for universities, in late 2018, ANU suffered what is considered one of the most sophisticated attacks ever seen, with attackers gaining access to the private information of students, faculty and potentially high-ranking global officials. The damage was so extensive because it was months before ANU even realised it had been breached.
Cybersecurity often conjures up images of dark, secret rooms filled with screens and people working through the night. However, modern security operations centres (SOCs) can now, just as securely, run virtually and tap into resources across time zones to improve 24/7 monitoring. Universities should consider turning to a modern approach to security operations to improve their ability to both detect and respond to these threats.
What exactly is a SOC?
When you design any IT system there are going to be security vulnerabilities and issues. You can put technology controls in like firewalls, content checkers and endpoint protection systems, but that's not going to work for all environments.
The team within a SOC act as detectives, monitoring all running systems across a network for activities that resemble an attack. They rely on technology to collect and analyse the data, but they also need logic applied by cybersecurity experts based on known or inferred attack patterns. For example, a security guard monitoring a building knows that the same car driving past multiple times is a sign of something suspicious — but it takes human intervention to determine what patterns are suspicious.
What makes one SOC better than another?
When looking for a SOC partner, it's important to know that it's not all about the tech stack, but the quality of people looking under the hood. So due diligence is needed to ensure confidence in the skills of the team responsible for protecting the crown jewels.
A lot of SOC providers will lend the hardware to the customer, which sounds great in theory, but what happens if an organisation is unhappy with the provider's services and decides to replace them? Well, they'll decommission the database, take all of the equipment back and the customer will be left with a data dump that's of very little use. This can be very disruptive and costly to an organisation, and even if it starts working with a new provider, it could take six months to get back to the same level of protection.
Instead, look for an organisation that lets its customers take ownership of the infrastructure after the engagement ends. This also means they're more likely to benchmark their performance on the quality of service delivered, rather than contractual obligations.
When it comes to information sharing, some SOC providers will gatekeep and only send incident notifications to their clients. This means the client has no way of verifying issues or participating in the investigation. Furthermore, they can't get their hands on the tools and have their own internal teams learn from the experts. Organisations should look for a collaborative partnering approach that drives improvements in their own people, processes and technology, along with a partner that is happy to provide access to the tools of the trade. If a university already has a security team, it's better if they are involved in the work of the SOC provider and learn from the engagement. That means they can focus on gaining that advantage, rather than having a service provider throwing stuff at them.
It's no surprise that universities continue to be the victims of an increasing number of cyber attacks. However, engaging a SOC can ensure that when (not if) an attack does occur, universities have the technology and the expertise in place to identify and remediate threats quickly and avoid becoming the next headline.