This article is more than 5 years old

Carry on up the cyber

Universities are often porous and vulnerable organisations to cyber security breaches, and have tended to find it difficult to implement consistent security measures. It's time to get our act together.
This article is more than 5 years old

Paul Greatrix is Registrar at The University of Nottingham, author and creator of Registrarism and a Contributing Editor of Wonkhe.

There are big concerns about the UK’s cyber security as this recent BBC article notes. It’s not just about those who are attacking Britain but the country’s preparedness, a significant skills shortage, and “chaotic” handling of personal data breaches:

The Commons Public Accounts Committee said ministers had taken too long to consolidate the “alphabet soup” of agencies tasked with stopping attacks.

Cyber attacks are ranked among the top four risks to UK national security.

The government said it had acted with “pace and ambition” on the issue.

In November, Chancellor Philip Hammond said that hostile “foreign actors” were developing techniques that threatened the country’s electrical grid and airports.

And in a speech on Thursday night, Defence Secretary Sir Michael Fallon warned that Russia was carrying out a sustained campaign of cyber attacks targeting democracy and critical infrastructure in the West.

There are plenty of worrying reports about the impact of these attacks. But it is important not to get carried away, and the same story quotes Professor Alan Woodward, a computer security expert from the University of Surrey, who describes the PAC report as “a little unfair”. He added:

“Could we say that we are cyber-bomb proof? Probably not, but I’m not sure anyone could,” he said.

“But we are getting better, and the government is taking strides to get its own house in order.”

The weakest link in any cybersecurity clampdown remained people, Prof Woodward said.

“There are still people who copy things they shouldn’t on to laptops or people who decide to connect a nuclear power station to the internet,” he said.

Nonetheless, higher education is a particularly vulnerable area, as this recent story about a university which was attacked by its own vending machines demonstrates:

It involves an unnamed university, seafood searches, and an IoT botnet; hackers were using the university’s own vending machines and other IoT devices to attack the university’s network.

Since the university’s help desk had previously blown off student complaints about slow or inaccessible network connectivity, it was a mess by the time a senior member of the IT security team was notified. The incident is given from that team member’s perspective; he or she suspected something fishy after detecting a sudden big interest in seafood-related domains.

The “incident commander” noticed “the name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped—preventing access to the majority of the internet.” That explained the “slow network” issues, but not much else.

The university then contacted the Verizon RISK (Research, Investigations, Solutions and Knowledge) Team and handed over DNS and firewall logs. The RISK team discovered the university’s hijacked vending machines and 5,000 other IoT devices were making seafood-related DNS requests every 15 minutes.

Everything from lamp posts to smart light bulbs to drinks machines was involved. And no university wants to be taken over by its own vending machines.

Part of the response to all of these cyber threats to the UK was recently announced as part of a royal visit:

The Queen was shown how hackers could target the UK’s electricity supply as she opened a centre to protect the nation from cyber attacks.

The National Cyber Security Centre – part of intelligence agency GCHQ – started work in October as part of a £1.9bn five-year strategy.
Staff in Victoria, central London, will be joined by experts from the private sector to help identify threats.

NCSC chief Ciaran Martin said: “We want to make the UK the hardest target”.

The secondments to the centre by 100 private sector employees will be funded by their own companies.

Announcing the initiative, Chancellor Philip Hammond said the “best and the brightest in industry” will help “test and to challenge the government’s thinking” in cyber security.

He added: “Government cannot protect business and the general public from the risks of cyber-attack on its own. It has to be a team effort. It is only in this way that we can stay one step ahead of the scale and pace of the threat that we face.”

There were 188 cyber attacks classed by the NCSC as Category Two or Three during the last three months.

These are big challenges for universities which are, on the whole, extremely porous and vulnerable organisations, but also they have tended to find it difficult to implement consistent cyber security measures. Hence the problems with vending machines. We had better get serious about protecting our data or there are going to be many more examples of university servers ordering seafood, or perhaps far worse.

2 responses to “Carry on up the cyber

    1. Thanks for this Steve. Always happy to share a platform with you – although suspect you are quite a bit better informed than me on this issue!

Leave a Reply