By Nikhil Sharma
Universities are vulnerable to increasingly complex and dangerous cyberattacks. Ransomware, phishing emails and automated password-guessing are all ways in which hackers target Ryerson staff and students. The Eyeopener spoke with Brian Lesser, Ryerson’s chief information officer, about the threats Ryerson is facing and what it’s doing to protect your information.
According to the FBI, law enforcement saw an increase in ransomware attacks in 2015, specifically “against organizations because the payoffs are higher.” The FBI also said ransomware incidents will continue to grow in 2016 “if individuals and organizations don’t prepare for these attacks in advance.”
Ransomware is a form of malware designed to disable a computer by encrypting a user’s data, before demanding payment for the decryption key.
Financial, educational and law enforcement institutions can all fall victim to this if someone simply clicks a link. In some cases, that can lead them to open an attachment masquerading as a legitimate document such as an invoice or report that will immediately encrypt data on their system.
Lesser said attackers don’t want victims to be able to break their encryption, so it is in their best interest to improve their ransomware.
Attackers used to operate out of one kind of business model where they would take over email accounts and send people spam. “But now you see they’re diversifying,” Lesser said. “Not only am I going to send out spam to make some money, but I’m going to check the email account for any information about credit cards.”
Hackers are expanding the range of what they can do with a compromised account, including accessing research data and committing identity theft, Lesser said.
According to a recent report released by US technology company Symantec, Canadians were hit by more than 1,600 ransomware attacks per day in 2015, and Canada ranked fourth among the countries most often targeted by ransomware and social media scams.
Another report by Symantec said Canada was in the top 10 with 16 per cent of ransomware infections logged globally between January 2015 and April 2016.
Ryerson staff hacked
Hackers targeted Ryerson’s network with ransomware in two separate incidents in 2016. The university did not have to pay the ransom in either case, Lesser said.
The first attacker demanded a payment of 0.4 bitcoins—a digital currency—to release the encrypted files on the machine attacked. Lesser could not provide the exact ransom amount for the second attack, but he said it wasn’t a large sum.
Ryerson Computing and Communications Services (CCS) was able to decrypt all of the data.
The second case of ransomware involved a staff member in an administrative department. That staff member was hacked in November 2016. They had almost all of their files backed up on a shared drive system. CCS was also able to recover some files deleted by the ransomware.
That staff member had received an email carrying a zip file that contained the ransomware.
University of Calgary paid ransom for encrypted systems
Ryerson’s CCS has “growing concerns” about ransomware following the recent string of cyberattacks on universities across the country—specifically the one that took place at the University of Calgary in July 2016.
The University of Calgary was forced to pay hackers $20,000 following a ransomware attack that targeted their computer systems. Hackers encrypted the university’s staff and faculty email servers, which blocked any access to them. The hackers gave decryption keys to the university once they got the ransom.
Carleton University experienced a similar situation after being attacked by ransomware in November 2016. Students and staff were warned they may see ransomware messages appear on their devices demanding bitcoin payments.
Lesser said that before the University of Calgary attack, CCS wasn’t “thinking hard” about a situation where an attack uses a vulnerability or works over a month to gain access to one’s Windows infrastructure, then infects the entire system with ransomware and demands a huge ransom.
“That really ratcheted up our focus on this and we started accelerating things that we’d planned on doing, but weren’t doing them, say, with the same level of passion,” Lesser said.
After the ransomware attack at the University of Calgary, CCS sent out a number of warnings about ransomware and steps on how to reduce the likelihood of infection to students, faculty and staff at Ryerson.
“We’re all trying to figure out how do we maintain relative openness for researchers and students who want to surf the net, travel around the world and access everything, and at the same time improve our security posture,” Lesser said.
He said the University of Calgary was attacked the night before the Congress of the Humanities and Social Sciences began at the university. Ryerson will be hosting Congress 2017 later this spring.
When asked if Ryerson would pay a large ransom like Calgary did, Lesser said Ryerson “would work really hard not to pay.”
What Ryerson is doing to improve online security
The speed at which Ryerson’s CCS can detect a cyberattack depends on the type and quality of the attack. About 46 per cent of account hijackings are detected by Google, which informs CCS. Most of Ryerson’s email systems are hosted on Gmail.
“We are working at getting better at spotting these things ourselves. At the rate we are going, I’d guess it will be a year before we start detecting many more incidents before Google does,” Lesser said.
The CCS is in the final stages of selecting a Security Information and Event Management (SIEM) system for Ryerson.
One of the things a SIEM does is act as a central database of logs, Lesser said.
“If the logs show someone logged in at 2 p.m. from Ryerson but also logged in at 2:30 p.m. from Alaska, we would suspect the account has been compromised. Until we can do that we won’t even get close to detecting what Google can detect for us,” he said.
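The check Lesser describes, two logins by the same account from places too far apart for the time between them, is a standard correlation a SIEM can run once authentication logs are in one place. The following is an added illustration, not Ryerson’s or any vendor’s code: the log line format, the IP-to-location table and the speed threshold are all assumptions, and the sample log lines are constructed for the example.

```python
"""Impossible-travel detection over centralised login events.

Added example. Assumed: a log line of the form
"<ISO timestamp> login ok user=<account> ip=<address>", a lookup table that
maps source IPs to a city and coordinates (a real SIEM would use a
geolocation feed), and a plausibility threshold of 1000 km/h.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (not real data): a Toronto login followed half an
# hour later by an Alaska login for jdoe, and a 12-hour gap for asmith.
SAMPLE_LOG = """\
2017-01-16T14:00:00 login ok user=jdoe ip=203.0.113.10
2017-01-16T14:30:00 login ok user=jdoe ip=198.51.100.7
2017-01-16T09:00:00 login ok user=asmith ip=203.0.113.10
2017-01-16T21:00:00 login ok user=asmith ip=198.51.100.7
"""

# Constructed geolocation table: IP -> (label, latitude, longitude).
GEO = {
    "203.0.113.10": ("Toronto", 43.65, -79.38),
    "198.51.100.7": ("Anchorage", 61.22, -149.90),
}

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold; a commercial flight is slower
EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    when: datetime
    user: str
    ip: str


def parse_log(text):
    """Turn the assumed log format into Login records, skipping other lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1:3] != ["login", "ok"]:
            continue
        kv = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
        events.append(Login(datetime.fromisoformat(fields[0]), kv["user"], kv["ip"]))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, speed_kmh) for every pair of
    consecutive logins by one account that would need travel faster than
    max_kmh. Logins from IPs with no known location are left unjudged."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev.ip == cur.ip or prev.ip not in GEO or cur.ip not in GEO:
                continue
            a, b = GEO[prev.ip], GEO[cur.ip]
            km = haversine_km(a[1], a[2], b[1], b[2])
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Two logins in the same second from different places: treat as infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, a[0], b[0], round(speed)))
    return alerts


def detect_in_sample():
    return impossible_travel(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, src, dst, kmh in detect_in_sample():
        print(f"suspect account {user}: {src} -> {dst} would need {kmh} km/h")
```

Only jdoe is flagged: Toronto to Anchorage is roughly 4,900 km, so the half-hour gap implies nearly 10,000 km/h, while asmith’s 12-hour gap works out to a plausible flight. In practice the same logic needs tuning for VPN exits and shared cloud egress addresses, which is why the lookup table and threshold are left as explicit parameters.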
After the number of detected hijacked Ryerson accounts dropped from 1,170 in 2014 to 249 in 2015, it increased to 345 in 2016.
In late 2014, CCS began disabling accounts that had not been used for more than two years and had been created when the CCS had weaker password complexity rules. Lesser said that made a big difference in reducing the number of account hijackings between 2014 and 2015.
The change meant it was much harder for automated scripts to guess passwords based on dictionaries of common passwords like “password123.”
In the final six months of 2016, Ryerson’s CCS set up six computers and put them on the Internet without announcing them or listing them in the university’s Domain Name Service, just to see what would happen. Ryerson saw attacks from over 60,000 unique IP addresses around the world against a handful of test machines during that time. The attacks ranged from probing for vulnerabilities to password guessing.
Asked under what circumstances Ryerson would give in to such a demand, Lesser said it would be if a widespread infection put a department at risk of losing a significant amount of data, to the point that it would seriously damage staff or students’ ability to continue their research or something similarly important.
Although not formally announced, Ryerson implemented two-factor authentication for all my.ryerson accounts in October. Students and staff who enable it must enter a single-use code produced by an app. Two-factor authentication increases security by ensuring that even if one’s password is guessed, a hacker is still missing information needed to access an account.
When logging in, a person can check that they trust a browser and my.ryerson won’t ask for a code for 30 days.
Students are now also allowed to make longer passwords (more than 100 characters long) for their Ryerson accounts. Longer passwords are generally harder to guess.
Lesser said that if only 200 people out of the university’s population use two-factor authentication, it doesn’t have a big impact.
At Ryerson between Sept. 19, 2016 and Jan. 16, 2017, the university has gone from 406 employees using two-factor authentication for all applications to 1,030.
Although two-factor authentication has not been made mandatory for staff, CCS has asked employees who handle sensitive data to use it.
Lesser says they’re going to try to get above 90 per cent adoption, but don’t have a specific timeline as to when they will reach that goal.
This coming fall, Lesser said Ryerson’s CCS may start phishing (sending misleading emails that can trick people into sharing personal info) Ryerson students, a method that’s already underway with some university email accounts.
While many of these measures are still in the early stages of planning and are “tentative,” students may start receiving phoney phishing emails as a test of whether they can be caught clicking on something they shouldn’t; those who click are taken to a teaching page that explains what phishing is and how to avoid being phished in the future.
“It is a much more effective learning experience than ignoring or skimming through warning emails from CCS,” he said.
With tens of thousands of people on campus, it’s hard to educate everyone about phishing in an effective way. Ryerson ran a pilot “test phishing” program on about 1,500 people, who received test phishing messages and if they were fooled into responding to the phish, were taken to a training page to learn more about phishing.
This approach may be expanded to students next year, Lesser said.
“It helps reduce successful phishing but doesn’t eliminate it. People are vulnerable—not just the computers.”
University system inherently vulnerable
He added that university networks are easier to attack because there are a lot more systems open to the Internet than a private business would ever allow.
“We have researchers sharing research information with the world on their own servers. But if one is compromised by a remote attacker, they will get a foothold on the campus network. So we put a lot of effort into network segmentation and early detection. With a large number of student accounts come opportunities to hijack some of them. Each hijacked account—depending on what it has access to—is worth something.”
Vulnerability management means regularly looking for vulnerabilities in systems and either patching them or mitigating vulnerabilities in some way.
While CCS is better than it was a few years ago, it still has a lot of work to do.
“Malware infections have always been a problem, but ransomware is more malicious and can be part of a more wide-reaching attack,” Lesser said. “We are making slow progress on hardening our Windows systems, but it is challenging.”
“Until we can test them out and see that they work and they’re cost-effective, I think we’re all lacking.”
Over the next year there will be a steady increase in the number of employees assigned to defend the university’s IT network, an increase that has been planned for a few years.
Since 2009, the number of employees focusing on cyber security has grown slightly, but Lesser says they’re currently short staffed because Ryerson’s Information System Security Officer left for another job and needs to be replaced.
Lesser said that if workstations, accounts and passwords are compromised, it takes an enormous amount of time, effort and money to clean up systems, recover data and analyze an attack.
“We’re all working trying to figure out how can we improve security and I think we’re all struggling with that. Universities are difficult to defend. I wouldn’t say Ryerson is better or worse than everybody else.”