Phished & Filleted
2018 ends with two additional breaches in the education space, both the result of successful phishing attacks. One involved a malicious link in emails that downloaded software to compromise administration computers, and the second stole employee login credentials, presumably through a spoofed school district login screen.
Earlier in the month, Cape Cod Community College disclosed that it had over $800,000 stolen from school bank accounts. The theft was the result of employees clicking on malicious links in phishing emails. The phishing links downloaded and installed malicious software on several computers at the school’s administration building. The malware compromised the computers and allowed the hackers to gain access to the school’s banking information. The malware reportedly was able to bypass a common antivirus product that was installed on the computers. According to the school, there is no evidence of compromise of student or staff Personally Identifiable Information (PII) or of a broader compromise of the school’s payroll system. On a somewhat positive note, the school is working with its banks and had been able to retrieve almost $300,000 of the funds by the time of the disclosure.
The second breach was disclosed by San Diego Unified School District last Friday and resulted in the complete disclosure of 10 years of student and parent data, covering over 500,000 students. According to the district, the perpetrator(s) sent targeted phishing emails that resulted in the capture of 50 district employees’ login credentials. The stolen credentials were then used to access district computers for the better part of 2018 (January through November 1st). The compromised student PII included first and last name, date of birth, address, phone, and Social Security number with or without a state student ID number. It also included other student information, including enrollment and schedule details as well as student discipline and health records. Even the students’ parent/guardian information was compromised. On the staff side, the breach included compensation, payroll and benefit information.
In addition to these most recent breaches, phishing campaigns were a prominent feature in many other education breaches this year, most notably the massive attack from Iran that compromised hundreds of universities in 21 countries, including 144 universities in the United States. The multistage attack included targeted phishing emails to over 100,000 professors, about half of whom were US-based. The phishing emails sought to compromise professor credentials and succeeded in compromising almost 8,000 accounts, which resulted in the exfiltration of 31.5 terabytes of academic data and university intellectual property.
Needless to say, a comprehensive anti-phishing strategy will serve schools well as we bring in the new year. Given the success and prominence of phishing in 2018 data breaches in education and beyond, we can be certain that phishing attacks will remain a constant and increasing threat as we move into 2019. A three-pronged approach to anti-phishing strategy could include: (1) making it more difficult for attackers to gain access to systems even when they succeed in getting faculty, staff and students to click on links; (2) education on recognizing phishing emails, not clicking links, and reporting emails to IT/security staff; and (3) phishing simulation exercises, which involve regularly sending simulated phishing emails and redirecting respondents who click links to immediate in situ education around phishing.
Anti-phishing protection, as with information security in general, begins with up-to-date antivirus software as well as ensuring machines are patched and updated. This offers your systems the best chance to defend against the download and installation of malicious software that often lurks on the other end of clicked links. After that, the use of multi-factor authentication for sensitive systems and privileged accounts is strongly recommended. Multi-factor authentication can strongly reduce the possibility that bad guys can use stolen credentials (from successful phishing campaigns or other breaches) to access sensitive systems. Several large university campuses have initiated, or started to initiate, multi-factor authentication for all accounts across campus. That being said, campus-wide multi-factor authentication is a significant undertaking and not for the faint of heart.
User awareness training around phishing emails typically focuses on not clicking unknown links as well as recognizing and reporting suspected phishing emails. Unfortunately, training alone may not be that effective in changing user behavior. That being said, well-conducted phishing simulation exercises have demonstrated effectiveness in increasing the ability of users to identify suspected phishing emails and in reducing the likelihood that users will click on potentially malicious links and/or enter their credentials into phony login capture screens.
If you are getting started with simulated phishing exercises, there are many free resources out there to guide your plan and some free software to get you started. If you are looking for a phishing simulator that was purpose-built for higher education and will scale effectively across large, distributed campuses, you may want to consider PhishSlap. PhishSlap was built by the Information Security Office at Georgia Institute of Technology and is one of several security and risk workflow solutions, purpose-built for EDU by EDU, available through SaltyCloud.
As mentioned above, well-conducted phishing simulation exercises have demonstrated effectiveness in improving user recognition of phishing emails and in reducing click rates and the resulting compromise of user credentials. So as we bring in the New Year, make sure you have a robust strategy to reduce the effectiveness of phishing campaigns targeting your campus. Your campus will continue to be phished, but timely efforts will reduce the likelihood of being caught and filleted.