Jason Thurlbeck, Head of Internal Audit – University of the Highlands and Islands, has kindly shared his experience of a cyber-attack at the university, where he saw first-hand the challenges organisations face. Jason and I jointly presented on this subject to CHEIA (Council for Higher Education Internal Auditors), with a focus on learning points and on providing a robust assurance view.
What if… you lost access to all your IT? Inconvenient? Challenging? Tolerable?
How about if you lost access to all your IT for a few days? …weeks? …months?
Even with the best intentions, Business Continuity Plans, IT Disaster Recovery plans and Incident plans, most organisations would find it virtually impossible to continue until IT systems had been restored. When we think of an IT outage we probably think of the backup processes that IT undertake: perhaps a tape restore, after which functions are back. However, a large-scale cyber-attack poses additional challenges that you may not yet have considered.
The way the attack happened is not necessarily the reason for this review. There are so many opportunities for an attacker. Many continue to use email as a route in, by persuading the user to click, download or log in to a fake site. Once the attacker has harvested the user credentials (or installed the malware), the attack can begin. With the growth of remote working we are even more exposed, as attackers can use stolen user names and passwords from the many data breaches that have previously occurred. To give this some perspective, the COMB (“Compilation of Many Breaches”) has over 3 billion records[i] of compromised user details (roughly half the population of the world). IT security generally still relies on passwords, yet users continue to use easily guessable or common passwords[ii] such as abc123, password, iloveyou and liverpool.
From an IT perspective, we have become apathetic about the number of attacks. The National Cyber Security Centre (NCSC) reported 777 cyber incidents in 2021, with a dramatic increase in scale and sophistication. So let us presume an attack of some scale has happened, as it is almost inevitable that a cyber event of some scale will occur. What learning points should we focus on?
Preparation
- Know what data you have and where; you do not want to be doing this in the heat of an attack!
- Prepare now. Incident Response Planning is key. Use guidance from NCSC[iii] and test it!
- Check that IT Disaster Recovery is aligned to the organisation’s priorities and business continuity requirements, and that backup restore testing has been undertaken. Update business continuity plans to consider the impact of a catastrophic cyber incident.
- Keep Board level scrutiny of cyber risks, and improvement plans.
- Adopt organisation-wide ownership of information security. It is not an IT problem.
- Reduce complexity in your IT estate – are there similar applications doing the same thing?
- Build the necessary skills in-house for cyber incident response.
- Prepare a robust communication plan, as you will need to ensure all communication is routed and vetted centrally. Make sure everyone knows to direct all enquiries to the press officer, and that there is a way to make announcements outside the usual IT systems.
- Reinvigorate and monitor mandatory information security training for all staff. Provide support to students with awareness material.
- Improve resilience – e.g. use of cloud solutions, and collaboration spaces such as SharePoint.
Prevention
- Get assurance that your backup copy is completely isolated from your main network (otherwise it could be encrypted too).
- Recognise that you cannot mitigate every cyber incident or attack, and manage the residual risk robustly.
- Implement data exfiltration protection.
- Deploy Multi-factor Authentication (MFA) for all accounts, to prevent user accounts from being hijacked. At the very minimum, protect all high privilege accounts.
- Move to a pro-active security posture, with appropriate tools (such as machine learning and behaviour analysis) to spot threats.
- Treat all connected parties as a potential route for an attack.
- Be cognisant that not all departments will have the same IT security focus and awareness that IT has, and that this is a risk.
- Build a technical containment plan into the IT incident response. Knowing what to switch off in what order can limit the attack.
- Decommission and remove all legacy IT equipment and assets no longer needed.
- Strictly control admin rights, and mandate multi-factor authentication for them.
Treatment
- You will need professional help. Know who to contact, such as the Police, NCSC, ICO, connected partners, insurance firms, JISC (for the education network) and existing IT suppliers.
- Speed of recovery is negatively impacted by complexity, lack of standards, lack of documentation and lack of resilience (people, technology, processes).
- It is unlikely you will have spare IT servers and equipment on hand, so every system will have to be isolated and treated as compromised until it is cleared, rebuilt and released for use. This will take time; having even a few spare servers will help reduce it. All untreated systems are effectively quarantined and considered a threat.
- Restoration times will be far longer than a simple “recover from backup” process. Some organisations have measured disruption in units of months.
- Build back better. Recovery is an opportunity to also correct any issues.
- Expect to be isolated from previously connected parties. Building back trust requires a robust scrutiny process.
- Staff welfare must not be overlooked. Breaks are vital to ease stress and avoid exhaustion which can lead to further mistakes. Assign someone to be a welfare champion, and make sure staff are fed and watered!
And finally…
- Don’t rely on human behaviour and training to prevent attacks. Mistakes happen.
P Sheppard, Director – Digital Assurance.
Grateful acknowledgment to Jason Thurlbeck, who provided valuable insight into the university’s cyber-attack.
[i] https://cybernews.com/news/largest-compilation-of-emails-and-passwords-leaked-free/
[ii] The full list of 14 million is here: https://md5hashonline.com/most-common-passwords/
[iii] https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes