University CIO: 'We were owned in 4 hours'
And that certainly focused minds, says Salford University’s Mark Wantling
The risk of a serious, existential-level cyberattack has grown significantly in recent years, and it's now number one on Salford University’s risk register.
Which is quite the turnaround, considering that five years ago cybersecurity was not even in the top 10 risks. Cyber, CIO Mark Wantling told Computing, existed in a management blind spot. Unlike economic, reputational or policy risk, which were seen as everyone's problem, "cybersecurity was seen as an IT issue."
To bump cyber up the organisational agenda, Wantling commissioned a test, one he suspected Salford was likely to fail - although he had no idea at the time how badly. A penetration tester was hired and given five days to break into the university's core systems.
"She started on Friday morning," Wantling recalled. "Next thing, my CISO phoned me at 1pm, I presumed to give me an update on how the pen test was going, and this is how the call went: 'It's over.'
"We were owned in four hours."
In the course of a morning, a solitary pentester had managed to gain access to Salford University's HR data, found the Vice Chancellor's passport details and moved sideways to uncover credit card details. Job done. She could take the next four-and-a-half days off.
Wantling relayed this information to the university's board, taking the opportunity to give them a brief tour of dark web leak sites where criminals publish samples of stolen data, including from UK universities. "I told them, if this had been a ransomware gang, this is what it would look like."
Astonished at how vulnerable their core systems were, board members were also appalled to learn how the personal information of people like them was bought and sold, and how low the prices were. Personal data belonging to a chief financial officer at a similar-sized organisation could be had for an ego-bruising $50, an indication of plentiful supply.
"They recognised at that point there was only so much I could do from a technical defence standpoint, and that there has to be a culture to go with it," said Wantling. "They also saw that should the worst happen we could effectively go out of business overnight."
A soft target
Fortunately, by the time Covid hit, when research departments and their suppliers everywhere became the target of nation states, the cyber risk had been recognised and measures taken to protect core assets. So far Salford has avoided serious attacks of the type that hit Manchester University just down the road, but Wantling is certainly not resting on his laurels.
Like all educational establishments, the university faces challenges defending itself due to its porous physical and digital boundaries, large attack surface (30,000 students, 10,000+ endpoints), and need to balance security with enabling academic collaboration and innovation.
"We're seen as a rich vein of data as well as IP," said Wantling. "We're a soft target in that like most universities we haven't invested in core technology for a long time."
Compounding this legacy, departmental IT purchasing is autonomous or semi-autonomous, resulting in a hodgepodge of disparate systems. "Managing across that landscape is really challenging," Wantling explained.
Wantling's IT team, the front line against this challenge, numbers just 150 people, including five security specialists. The imbalance is stark and, in view of the rising threat levels, unbridgeable by adding personnel alone.
A force multiplier
The approach, therefore, is to identify and secure the most important data across the university (the HR systems, financial systems, student data and core IP) and to make sure team members keep on top of breach attempts, of which there are many.
In an average month, Salford University records 100,000 attacks, from targeted phishing to fake sites set up to deceive students.
"We can't possibly deal with that with five people. So we use automation as a force multiplier," Wantling said.
Wantling's team makes heavy use of Tanium's endpoint security platform integrated with Microsoft's Sentinel SIEM service as a one-stop SOC shop, to detect threats and automate responses to regularly seen patterns, such as automatically patching software.
The same tools provide the required visibility to help the team judge its performance.
"We implemented Tanium thinking that we were doing quite well with our patching cadence. But we found tens of thousands of critical vulnerabilities on our estate compared to the report I was getting from my existing tooling, including the EternalBlue vulnerability which we thought we'd dealt with."
The team is working towards a zero trust architecture, but it is a journey that will take time and investment to retrofit into the organically developed legacy network. Gaining visibility into assets and vulnerabilities is a necessary first step on that journey.
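Wantling's experience above, where a new endpoint agent revealed tens of thousands of critical vulnerabilities the existing reporting had missed, is at bottom a reconciliation problem: two tools describing the same estate disagree, and the difference is the visibility gap. The script below is an added illustration, not code from the article, Salford University, Tanium or Microsoft. It assumes each tool can export a CSV with the columns host,cve,severity; the hostnames and CVE identifiers in the embedded samples are constructed placeholders.

```python
"""Reconcile two vulnerability exports to measure the visibility gap.

Assumed inputs (constructed, not real estate data): CSV exports with the
columns host,cve,severity from (a) a legacy reporting tool and (b) an
endpoint agent that inventories every machine it is installed on.
The CVE ids below are placeholders, not real vulnerability identifiers.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export from the legacy reporting tool
LEGACY_CSV = """host,cve,severity
hr-db-01,CVE-0000-0001,high
fin-app-02,CVE-0000-0004,medium
"""

# Constructed sample export from the endpoint agent (same columns)
AGENT_CSV = """host,cve,severity
hr-db-01,CVE-0000-0001,high
hr-db-01,CVE-0000-0002,critical
fin-app-02,CVE-0000-0004,medium
fin-app-02,CVE-0000-0003,critical
lab-pc-17,CVE-0000-0002,critical
lab-pc-18,CVE-0000-0002,critical
"""


def parse_report(text):
    """Parse a host,cve,severity CSV into {host: {cve: severity}}."""
    report = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"].strip()
        report[host][row["cve"].strip()] = row["severity"].strip().lower()
    return dict(report)


def coverage_ratio(legacy, agent):
    """Fraction of agent-known hosts that the legacy tool knows about at all."""
    if not agent:
        return 1.0
    return len(set(agent) & set(legacy)) / len(agent)


def reconcile(legacy, agent):
    """Return the findings the agent sees that the legacy tool does not."""
    # Hosts the legacy tool has never reported on: an inventory gap
    unknown_hosts = sorted(set(agent) - set(legacy))

    # Per-host findings present in the agent view but absent from legacy
    missed = {}
    for host, vulns in agent.items():
        gap = set(vulns) - set(legacy.get(host, {}))
        if gap:
            missed[host] = sorted(gap)

    # Of those, the critical ones are the immediate patching backlog
    critical_missed = sorted(
        (host, cve)
        for host, cves in missed.items()
        for cve in cves
        if agent[host][cve] == "critical"
    )
    return {
        "unknown_hosts": unknown_hosts,
        "missed_by_legacy": missed,
        "critical_missed": critical_missed,
    }


def run_sample():
    """Reconcile the embedded constructed exports and return the result."""
    legacy = parse_report(LEGACY_CSV)
    agent = parse_report(AGENT_CSV)
    result = reconcile(legacy, agent)
    result["coverage"] = coverage_ratio(legacy, agent)
    return result


if __name__ == "__main__":
    out = run_sample()
    print(f"legacy tool covers {out['coverage']:.0%} of agent-known hosts")
    print("hosts unknown to legacy tool:", out["unknown_hosts"])
    print("critical findings the legacy tool missed:")
    for host, cve in out["critical_missed"]:
        print(f"  {host}: {cve}")
```

The two numbers worth reporting upward are the coverage ratio (how much of the estate the old tooling could even see) and the count of critical findings it missed; the first explains the second, and together they make the case for asset inventory before any zero trust work.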
Get the basics right
Prominent among Wantling's concerns are ransomware, DDoS and nation state hackers.
Defences against the first include immutable backups (especially for critical systems), monitoring for early signs of an attack, and locking down lateral movement. The university also has cyber insurance, although he described this as being "of diminishing value".
DDoS attacks are a rising risk as the university relies more and more on internet connectivity to the cloud, to suppliers and to other universities and corporations. Defences include minimising exposed endpoints, having backup internet routes, and using DDoS protection services.
And nation state groups are increasingly active in pursuit of IP, research results, or seeking a stepping stone to attack other organisations.
But if the thought of 100,000 attacks per month, including by state actors, seems overwhelming, Wantling has some words of reassurance. First, the number of attempts by such groups is vanishingly small. Furthermore, most cyber attempts look to exploit basic security failures rather than using advanced techniques. Get the basics right, including timely patching, access controls and multifactor authentication, and you will prevent the vast majority of incidents.
"Very few of them are super-complex nation state sponsored attacks on zero day vulnerabilities; the majority are just because the basics weren't in place," he said.
"If you don't have those basics in place, then you can have the best immutable backups and network segregation in the world but you've still left the front door open."