cyberattacks Archives - My TechDecisions
https://mytechdecisions.com/tag/cyberattacks/
The end user’s first and last stop for making technology decisions
Mon, 21 Aug 2023 15:35:18 +0000

Spike in Cyberattacks Exposes Vulnerabilities in University Security Measures
https://mytechdecisions.com/physical-security/spike-in-cyberattacks-exposes-vulnerabilities-in-university-security-measures/
Mon, 21 Aug 2023 15:35:18 +0000

Note: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to My TechDecisions.

As expected from authorities anticipating an increase in threats to the education sector, cyberattacks are continuing to wreak havoc on colleges and universities across the United States. As of the beginning of May, there had already been 27 confirmed ransomware attacks against U.S. institutions. These ransomware numbers only tell part of the story as data breaches, malware attacks, and more account for an even greater number of threats, not all of which are reported to the public as they occur.

The second quarter of 2023 has seen a flurry of cyberattacks strike higher education institutions, including West Virginia’s Bluefield University, Tennessee’s Chattanooga State Community College, and Georgia’s Mercer University, among others. Beyond the obvious consequences of ransom payments and leaked personal data, some of the most severe attacks in recent memory have culminated in the delay and cancelation of classes, as well as the closure of one college in Illinois entirely.

With attacks against higher education on the rise year over year, campuses have become one of the top targets for attempted data breaches, ransomware attacks, malware and more. Feeling the effects of various financial and/or technological hurdles, most schools are not currently equipped with the security controls to adequately defend themselves from the increasingly sophisticated cyber threats that continue to hamper the community.

This increase in cyberactivity should serve as a wake-up call for higher education institutions to reevaluate and enhance their cybersecurity postures. Here are some of the top considerations for higher education leaders seeking to plug the gaps in their cybersecurity strategy.

Securing Data

One of the recurring themes in attacks against higher education is the vulnerability of sensitive data. From student, staff, and faculty information to sensitive school records, there are countless data assets that, if breached, can be weaponized against institutions.

Data exfiltration, or unauthorized data transfer, is a leading threat to data security in higher education. To help prevent data loss, colleges and universities need user and entity behavior analytics (UEBA) and the ability to watch their network with a network detection and response (NDR) tool. Together these allow schools to detect, qualify and remediate anomalous activity at the individual level, as well as malicious or unauthorized attempts at exfiltration.

Managing Access

For colleges and universities, student information, research data, and assessment criteria are all critical to daily operations. However, it can be common for institutions to encounter unauthorized access to these types of crucial information due to a lack of IT resources and necessary safeguards. This can result in the loss of confidentiality, integrity, and availability of technological assets, among other things.

To better facilitate and manage user access to sensitive data, schools should implement an effective IT security strategy intentionally designed to protect critical assets. This strategy should include the compartmentalization of data and a least-privilege approach to accessing it: users are granted access only to the data required for their specific roles. This helps prioritize the protection of the intellectual property that is so valuable to higher education institutions. In doing so, schools can better protect the privacy of their students and employees, and their own reputations.

Detecting Threats

Even with cybersecurity mechanisms in place, no security threat can be resolved if it goes undetected. Colleges and universities must be able to detect and alert on threats, and automate the security response, when threats arise. Institutions should consider adopting security orchestration, automation, and response (SOAR) tools to help standardize and scale their incident response.

By relying on SOAR, schools can automate workflows to accelerate various stages of the threat investigation and response processes. Given the severity of a particular threat, it can be escalated to key decision-makers for a manual response or remediated automatically (or semi-automatically) from a playbook of preselected actions. Ultimately, SOAR is intended to help security teams cut through the noise and allow them to prioritize and direct their attention toward the most pressing threats.

Protecting and Prospering

Given the attack patterns of the last two years, cyberattacks in higher education are not going away overnight. Colleges and universities continue to be targeted by malicious actors for a reason. As long as institutions remain underequipped to monitor and respond to cybersecurity threats, they will find themselves with targets on their backs.

Regardless of an institution’s budgetary constraints, there are tried and true precautions that can be taken to better protect their campus. Implementing threat detection, stricter access controls, and stronger data security measures are all foundational components of an effective cybersecurity strategy. By solidifying that foundation, colleges and universities can do their part to avoid being next in the line of higher education victims.

Another version of this article originally appeared on our sister site Campus Safety on August 14, 2023. It has since been updated for My TechDecisions’ audience.


Kevin Kirkwood is Deputy CISO for LogRhythm.

More than 75% Of Organizations Say They’ll Be Attacked In Next 12 Months
https://mytechdecisions.com/it-infrastructure/trend-micro-cyberattacks-cyberattacks/
Tue, 19 Apr 2022 15:53:24 +0000

More than three-quarters of organizations believe they’ll be successfully attacked over the next year as the cyber risk level continues to rise, according to new research from cybersecurity firm Trend Micro that suggests organizations allocate more resources to people, processes and technology to be more prepared for cyberattacks and reduce their overall risk levels.

The company’s semi-yearly Cyber Risk Index (CRI) found an index of -0.04, which indicates an elevated risk. A quarter of respondents say they are “very likely” to be successfully attacked over the next 12 months, with more than a third (34%) of North American organizations fearing an attack.

In the U.S., the CRI was -0.18, against -0.01 for North America, suggesting that the U.S. has a much higher level of risk than many other countries.

The report found that 76% of global organizations think they’ll be successfully attacked in the next 12 months, but that figure may be low, as 84% claim to have suffered one or more successful cyberattacks within the last year.

Even more alarming, 35% say they have experienced at least seven successful attacks in that same time.

Globally, organizations are most concerned with cyber risks such as ransomware, phishing and social engineering, denial of service, botnets and man-in-the-middle attacks.

Other top risk factors cited include human capital risks such as a lack of authority in cybersecurity executive positions, and infrastructure challenges including weak inventory practices and stagnated security tools, Trend Micro found.

When it comes to IT infrastructure, organizations say they are most worried about mobile or remote employees, cloud computing and third-party applications. U.S. organizations put the cloud computing risk score at a very high 9.87/10.

“To craft effective cybersecurity strategy, organizations must master the art of risk management. This is where reports like the CRI can be a great resource in highlighting areas of possible concern,” said Jon Clay, Trend Micro vice president of threat intelligence, in a statement. “As remote working and digital infrastructure threats persist, organizations should adopt a platform-based approach to optimize security whilst minimizing their security sprawl.”

How to Identify and Defend Against ZLoader Attacks
https://mytechdecisions.com/network-security/identify-defend-against-zloader-attacks/
Thu, 14 Apr 2022 23:49:55 +0000

The Microsoft 365 Defender Threat Intelligence Team has released details and a warning about the ZLoader trojan. ZLoader, known for its ability to evolve and change from campaign to campaign, is said to be derived from the Zeus banking trojan first discovered in 2007.

Microsoft says ZLoader is an attacker’s tool of choice: it has defense evasion capabilities, such as disabling security and antivirus tools, and its operators sell access-as-a-service. Operators frequently monetize infections by selling access to other affiliate groups, who then use the purchased access to carry out their own malicious objectives.

Its capabilities include capturing screenshots, collecting cookies, stealing credentials, performing reconnaissance, launching persistence mechanisms, misusing legitimate security tools and providing remote access to attackers.

ZLoader has been linked to ransomware infections such as Ryuk, DarkSide and BlackMatter.

The majority of ZLoader attacks have targeted the U.S., China, Western Europe and Japan. Microsoft warns that because of the modular nature of some of the loader’s capabilities and its constant shift in techniques, different ZLoader campaigns may look nothing alike.

Related: A Ransomware Loader Is Being Spread Through Google Ads

Previous ZLoader campaigns have been fairly simple, with the malware delivered via malicious Office macros attached to emails and then used to deploy additional capability modules. Other campaigns inject malicious code into legitimate processes, disable antivirus solutions and ultimately end in ransomware.

ZLoader operators have also updated their methodology to deliver the malware through targeted malicious Google ads. They will use malicious ads on search engines like Google to trick users into visiting malicious sites. Microsoft also noted ZLoader campaigns have the potential to impersonate a specific company or product, such as Java, Zoom, TeamViewer and Discord.

How to Prevent ZLoader Infections

The best advice for preventing ZLoader infections is simply to avoid downloading attachments in emails from unknown senders and to avoid clicking sponsored ads in search engine results, opting instead for unsponsored results from verified, trusted sources.

Organizations should also maintain good credential hygiene and network segmentation. These best practices increase the cost to attackers, helping to disrupt their activity before they reach their target.

According to Microsoft, defenders can further apply the following mitigations to reduce the environmental attack surface and mitigate the impact of this threat and its payloads:

  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Configure Microsoft Defender for Office 365 to detonate file attachments via Safe Attachments. Safe Attachments provides an additional layer of protection for email attachments by verifying a file in a virtual environment prior to delivering to the inbox.
  • Check your Office 365 antispam policy and your mail flow rules for allowed senders, domains and IP addresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed sender addresses are associated with trusted organizations—Office 365 will honor these settings and can let potentially harmful messages pass through. Review system overrides in threat explorer to determine why attack messages have reached recipient mailboxes.
  • Configure Exchange Online to enable zero-hour auto purge (ZAP) in response to newly acquired threat intelligence. ZAP retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Turn on network protection to block connections to malicious domains and IP addresses.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    • Block all Office applications from creating child processes
    • Block Office applications from creating executable content
    • Block executable content from email client and webmail
    • Block Office applications from injecting code into other processes
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    • Block process creations originating from PsExec and WMI commands
    • Use advanced protection against ransomware
    • Block JavaScript or VBScript from launching downloaded executable content
    • Block execution of potentially obfuscated scripts
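The Defender settings in the list above can be applied and verified in one pass. The following PowerShell script is an added example, not code from the article or from Microsoft: it enables the ten attack surface reduction rules named above, plus network protection and cloud-delivered protection, through the Defender Antivirus cmdlets, then reads the configuration back. The rule IDs are the identifiers Microsoft documents for those rules; defaulting to audit mode before enforcing is this example's assumption about a safe rollout, and tamper protection is left out because it is managed through Intune or the Security Center rather than these cmdlets.

```powershell
# Added example (not from the article or Microsoft): apply the ZLoader mitigations that
# can be set with the Defender Antivirus PowerShell module, then verify the result.
# Run in an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus.
[CmdletBinding()]
param(
    # Assumption: start in AuditMode so rule hits appear in event logs before anything is blocked,
    # then re-run with -Mode Enabled once the audit events have been reviewed.
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$Mode = 'AuditMode'
)

# ASR rule IDs as documented by Microsoft, keyed by the rule names the article lists.
$AsrRules = [ordered]@{
    'Block executable files unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block all Office applications from creating child processes'                         = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from creating executable content'                          = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block executable content from email client and webmail'                              = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block Office applications from injecting code into other processes'                  = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block credential stealing from LSASS'                                                 = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations originating from PsExec and WMI commands'                    = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Use advanced protection against ransomware'                                          = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block JavaScript or VBScript from launching downloaded executable content'           = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block execution of potentially obfuscated scripts'                                   = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}

# Network protection (blocks connections to known-malicious domains/IPs),
# cloud-delivered protection and automatic sample submission.
Set-MpPreference -EnableNetworkProtection Enabled
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples

# Add-MpPreference merges with rules already configured instead of replacing them,
# so rules set by policy elsewhere are preserved.
foreach ($entry in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                     -AttackSurfaceReductionRules_Actions $Mode
}

# Read the effective configuration back. Get-MpPreference reports rule actions
# numerically: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
$pref     = Get-MpPreference
$expected = if ($Mode -eq 'Enabled') { 1 } else { 2 }
$ids      = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLowerInvariant() })

foreach ($entry in $AsrRules.GetEnumerator()) {
    $idx   = [array]::IndexOf($ids, $entry.Value)
    $state = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { 'MISSING' }
    $tag   = if ($state -eq $expected) { 'OK  ' } else { 'FAIL' }
    '{0} {1} [action={2}]' -f $tag, $entry.Key, $state
}
'Network protection: {0} (1 = Enabled)'      -f $pref.EnableNetworkProtection
'Cloud protection (MAPS): {0} (2 = Advanced)' -f $pref.MAPSReporting
'Sample submission: {0} (3 = SendAllSamples)' -f $pref.SubmitSamplesConsent
```

Audit-mode hits are logged under Microsoft-Windows-Windows Defender/Operational, which is where to look before switching to -Mode Enabled.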

Google: Government Employees Echo Concerns About Cyberattacks on Legacy Systems
https://mytechdecisions.com/compliance/government-employees-echo-concerns-about-cyberattacks-on-legacy-systems/
Tue, 05 Apr 2022 14:33:52 +0000

Government workers are echoing concerns about cyberattacks and the government’s reliance on Microsoft and legacy productivity software, according to a new survey conducted by Public Opinion Strategies commissioned by Google Cloud.

The survey polled 2,600 American workers, including 600 workers from the Washington, D.C. metro area, and 338 workers employed by federal, state or local governments across the U.S.

The majority of government employees reported being “very concerned” about cyberattacks striking their employers in the coming years. At least one-third of the government employees in the D.C. metro area say they have experienced a disruption at work because of a cyberattack. At least 40% said it was very likely that their organization would be the victim of a cyberattack.

At least 80% of respondents said that recent attacks have them concerned about their personal data, privacy and that of their family members.

Responses from those in the Washington, D.C. area were consistently higher than the national average, according to the study. The most likely explanation for the concern about cyberattacks is that many of the respondents reported experiencing a cyberattack at work. Nationally, one in 10 workers have experienced disruptions from a cyberattack at work; for those in the Washington, D.C. area, the number rises to nearly one in three, three times the national average.

At least 84% of the Washington, D.C., metro area government employees primarily use Microsoft products at work, including Word, Outlook, Teams and OneDrive.

“This reliance on a single software suite might suggest that these products are safe and secure, but the Public Opinion Strategies survey found that more than half of all respondents said that the government’s reliance on these Microsoft products actually made the federal government more vulnerable to hacking or cyberattacks,” writes Jeanette Manfra, senior director, global risk and compliance, in a blog post.

Why Government Organizations Choose Microsoft

When asked why their employers use Microsoft services, around half said that the reason their employer continues to choose legacy, incumbent vendors is reluctance to change rather than a desire for the most effective tools for the job. Among those who use Microsoft at work, 43% believe there are other products and services that would allow them to do their job better, according to the study.

This may lead workers to adopt shadow IT. The survey found that 35% of Washington D.C. metro government workers have used shadow IT to get their jobs done. Among workers aged 20 to 34, that number jumps to 41%.

Listen: My TechDecisions Podcast Episode 156: Preventing Shadow IT

With so many survey respondents reporting that they were dissatisfied with their legacy IT solutions, it may be time for the government to rethink its approach to procurement.

In a separate research survey from Omdia in December 2021, 250 people responsible for technology purchasing decisions in federal, state and local government said that government technology procurement practices are often more about making things easier for IT than about choosing what employees feel would be the best solution. Only 27% of officials surveyed in that research cited user demand as a factor affecting their purchasing decisions.

There’s an overreliance on legacy solutions despite a track record of cybersecurity vulnerabilities and poor user perception.

“The survey results show a lack of sophistication with legacy software, with more than 50% of government workers nationally responding that there are other products and services that could help them do their jobs better,” writes Manfra.

10 Things IT Can Do To Harden Cyber Defenses Amid The Russia-Ukraine Conflict
https://mytechdecisions.com/it-infrastructure/10-things-it-can-do-to-harden-cyber-defenses-amid-the-russia-ukraine-conflict/
Fri, 25 Feb 2022 19:45:02 +0000

Cyberattacks have been front and center in the Ukraine crisis, as the country is not just suffering from conventional warfare as it fights with Russia. The country’s critical infrastructure has been repeatedly attacked, purportedly by hackers working for its next-door adversary.

These attacks have targeted government websites, infrastructure and more with DDoS attacks and destructive malware. Cybersecurity firm Symantec has a detailed writeup of the latter, calling it a new form of disk-wiping malware that has targeted finance, defense, aviation and IT services.

Now, U.S. agencies and cybersecurity experts say those Russian cyberthreats against Ukraine may very well make their way to elsewhere in Europe or the U.S. if retaliatory sanctions and other non-military actions provoke them. There are no specific threats, but officials and experts are issuing warnings nonetheless.

IT and security personnel, especially at critical infrastructure organizations (IT, healthcare, transportation, financial services, energy, defense, water and more, as defined by the U.S. government), should take these steps immediately.

  1. Scrutinize information. CISA is warning critical infrastructure organizations to be wary of misinformation, disinformation and malinformation (MDM) as a means to compromise specific sectors and lead to social engineering attacks against sensitive accounts.
  2. Accelerate security projects now. The Krebs Stamos Group, headed by former CISA Director Chris Krebs, recommends switching from long-term goals to short-term priorities. Security projects like multifactor authentication should be accelerated by adding resources and removing bureaucratic barriers.
  3. Ensure systems are up to date. CISA keeps a list of vulnerabilities that it knows to be actively exploited, and it continues to grow. Many of the vulnerabilities listed are several years old, which highlights the importance of implementing security patches as soon as possible.
  4. Conduct vulnerability scans. CISA says a handful of vulnerabilities are routinely leveraged by Russian state-sponsored hackers, so prioritize those specific patches.
  5. Deploy antivirus/antimalware solutions. Confirm that an organization’s IT environment is completely protected by antivirus/antimalware tools and that signatures in the tools are updated.
  6. Develop and test an incident response plan. Identify key stakeholders and IT/security personnel who will be responsible for responding to a cybersecurity incident. Conduct penetration tests and simulations to test those plans.
  7. Ensure your backups are secure and operational. There have been reports that ransomware is accompanying that destructive malware used on Ukrainian systems, and notorious Russia-based ransomware group Conti has reportedly pledged to support the Russian government and retaliate in the event of a cyberattack against Russia.
  8. Implement log collection and retention. CISA and other agencies recommend using native tools such as Microsoft 365 Sentinel, Sparrow, Hawk or CrowdStrike’s Azure Reporting Tool.
  9. Prioritize protection of critical systems. One of CISA’s recommendations during this period in history includes prioritizing critical business systems to maintain operational continuity. Conduct tests against those systems to ensure they remain available in the event of a cyberattack.
  10. Train all staff. It is no longer just IT’s job to be aware of cybersecurity threats. Conduct hands-on training on the obvious signs of a hacking attempt, deploy phishing tests and share recent cybersecurity news with staff.

For more information on potential attacks, we recommend visiting CISA’s website. For more information on the details of specific attacks, follow this ongoing blog and the Twitter thread below from cybersecurity leader Sophos.

Cyberattacks Increased By 50% In 2021
https://mytechdecisions.com/it-infrastructure/cyberattacks-increased-by-50-in-2021/
Tue, 11 Jan 2022 19:33:06 +0000

Not that anyone assumed differently, but cyberattacks proliferated across the internet in 2021, with researchers noting 50% more attacks per week on corporate networks compared to 2020, according to cybersecurity firm Check Point.

The 2021 data comes just a few months after the company reported in October a 40% increase in cyberattacks globally. However, the fourth quarter of 2021 was a particularly busy one for IT professionals, largely due to the Log4j vulnerabilities.

The remote code execution bugs in the popular Java logger, discovered last month, appear to have pushed that increase to 50%. According to Check Point, there were 925 cyberattacks per week per organization globally in the fourth quarter.

This dramatic increase, the firm says, began in the second quarter of 2020 and has continued to wreak havoc on IT and security teams everywhere. That aligns with the start of the COVID-19 pandemic and shift to remote work, which has eliminated the idea of the traditional IT perimeter and exposed organizations to increased risk.

The education and research sector was the hardest hit in 2021, with a reported 1,605 weekly attacks per organization, which is a 75% increase from 2020, Check Point reports.

Government and military organizations were the next most targeted in 2021 with 1,136 weekly attacks per organization, a 47% increase over 2020. That was followed by the communications industry, which saw a weekly average of 1,079 cyberattacks per organization, a 51% increase over 2020.

Reporting the largest uptick in weekly cyberattacks were software vendors, which saw a weekly average of 536 attacks per organization, a 146% increase over 2020.

That reflects the need for supply chain security following several intrusions into the build environments of several trusted IT vendors, such as SolarWinds and Kaseya.

Also alarming are the continued attacks against ISPs, MSPs and other third-party service providers. According to Check Point, ISPs and MSPs saw a weekly average of 1,068 cyberattacks in 2021, a 67% increase over the previous year. Meanwhile, other service providers such as system integrators, value-added resellers and distributors saw an 18% increase in weekly cyberattacks, but far fewer in absolute terms, at 778.

That data reflects the growing trend of threat actors seeking to compromise one organization that has access to the networks of enterprise customers, rather than targeting one organization individually.

Surprisingly, the most targeted regions for attacks were Africa, APAC, Latin America, Europe and North America, in that order. However, North America and Europe both reported increases of at least 61% over 2020.

The company recommends maintaining good cybersecurity hygiene, including:

  • Applying security patches in a timely manner
  • Segmenting networks
  • Educating employees on how to recognize threats
  • Leveraging IT security tools and software
