Higher Ed Gets an 'F' for Ransomware Protection: How the Industry Must Evolve
Published 04/25/2022
This blog was originally published by CXO REvolutionaries here.
Written by Bryan Green, Chief Information Security Officer, Zscaler.
Colleges and universities are amongst the slowest populations to modernize security controls, resulting in a high price tag – ransomware and breaches.
It’s human nature to go after the low-hanging fruit first, threat actors are no different. And from the standpoint of cybercriminals, colleges and universities are exceptionally vulnerable targets for ransomware attacks.
Why? Partly, it’s because these institutions often have the financial resources to pay high ransoms — $1.14 million from the University of California, San Francisco, and $457K from the University of Utah serve as two recent examples.
University networks are especially attractive to attackers, as their underlying security architectures are often representative of liberal academic cultural values and typically lag behind enterprises in sophistication and efficacy.
Ransomware attacks use increasingly sophisticated means, from encryption to trust apps.
Higher education emphasizes academic freedom and information sharing and rightfully so, however, these principles are incompatible with cybersecurity architectures. Meanwhile, understaffed and underfunded IT teams result in technical and procedural shortfalls that don’t sufficiently defend their respective academic institutions.
Organizational shortcomings add fuel to the fire as higher education routinely places security as a subordinate function under the CIO These circumstances create an inherent conflict of interest, increased competition for already constrained budgets, and disempowers CISOs by constraining the requisite access to executive leadership, or worse, having security viewed through the IT-centric lens of a CIO.
Everything works until it doesn’t is the residual artifact from hub-and-spoke architectures. These served higher education well enough in years past but absolutely fail in the current threat landscape. Cloud computing and pandemic-driven remote access requirements – demand a new approach to secure campus services and data.
Fortunately, campus teams can learn and benefit from the experience of enterprise IT in recognizing and addressing these issues via best practices and technical solutions. In particular, they should consider the power of zero trust architectures (ZTA) to restrict logical access, minimize the attack surface, and thus reduce the odds of risk and exposure to all security threats, including ransomware.
When properly implemented, ZTA will empower users with new benefits and simplified access – with an improved user experience and no steep learning curve. Among other strengths, it can deliver:
- Anytime, anywhere access, regardless of users’ devices or physical or logical locations
- Secure access to cloud services, regardless of whether those clouds exist on or off-campus
- Granular access policies that are limited to specific apps, as opposed to entire networks and all network resources
- A dramatically reduced surface by removing inbound listening services from public IP addresses on the internet
How ZTA can help colleges fend off the ransomware threat
These capabilities help mitigate modern security threats of many kinds, including malware, hackers, criminal or state-sponsored organizations, and ransomware.
To illustrate how, let's consider ransomware attacks in particular. These attacks can begin in various ways — via phishing, exploited vulnerabilities, or leaked/stolen credentials. The subsequent kill chain follows well-known and consistent processes regardless of the initial attack vector.
Once the attacker has gained network access, the next stage is to discover vulnerable but critically important high-value targets such as databases, encrypt them, and then demand payment in return for decryption. The more valuable the encrypted resource, and the more financially well-off the target, the higher the ransom the attacker can demand.
Such scenarios assume, and usually find, institutions with a legacy security architecture, in which east-west traffic taking place behind the security perimeter are assumed trustworthy and permitted by default. Furthermore, legacy architectures of this variety typically give IT teams no straightforward means to detect intruders, limit their access rights, or monitor and manage access to crucial resources such as databases in a granular manner.
In contrast, architectures based on ZTA principles are far harder to compromise because they’re based on a fundamentally different principle: that no network transactions should be assumed trustworthy at any time. Instead, all entities (whether machines or users) must authenticate regardless of where or how they originate.
Furthermore, subsequent access should be limited to the particular resource (such as an app or a database) required for the transaction to occur. This least-privilege per-request access prevents attackers from discovering and maliciously encrypting critically important resources.
So imagine you are a hacker looking to compromise a network, discover and encrypt a crucial database, and hold it for ransom. How much harder, given a ZTA-based architecture, has your job become?
Not all ZTA providers are created equal
Of course, ZTA is really just a set of principles and can be implemented in a variety of ways. The transition from the theoretical to the practical implementation can vary greatly in terms of complexity and sophistication. Leading ZTA solution providers have developed advanced capabilities for even more substantial fortification of the IT infrastructure, such as:
- Inline content inspection, to determine what kinds of data are involved in a transaction and assess its sensitivity
- IP address masking, to minimize attack surface by shielding the IP addresses of company systems and other assets from the public internet
- Cloud protection, to secure public cloud services delivered by external providers such as Google, Amazon, and Microsoft
Zero Trust Architectures can also address another major operational concern about cloud-delivered security: performance.
Some network latency will be involved when a ZTA provider secures all network transactions for an organization (in this case, a college or university). To mitigate this, the best providers offer a large number of widely distributed data centers to reduce the geographical distance between the client and the provider as much as possible and thus accelerate overall throughput. This avoids the need to backhaul and hairpin traffic required by legacy security stacks, which drives up costs while reducing performance.
Consolidating security services with a single provider can deliver a comprehensive suite of protective services and yield improvements in throughput. This is in stark contrast to legacy architectures that daisy chain disparate security services, each with its own performance characteristics and throughput overhead.
Universities should focus on consolidating to a unified platform, choosing one that is expressly designed for high security and high performance. Such an approach also simplifies management and reduced technical debt because there’s only one portal interface required for the campus team to attend to security tasks, not many.
Related Articles:
Modernization Strategies for Identity and Access Management
Published: 11/04/2024
Dispelling the ‘Straight Line’ Myth of Zero Trust Transformation
Published: 11/04/2024
Zero Standing Privileges: The Essentials
Published: 11/01/2024
Tackling Ransomware Head-On: A Business’s Guide to Understanding and Defense
Published: 10/31/2024