How Integrators Can Solve Higher Education’s Cybersecurity Woes
The Mirai botnet is a cautionary tale for security integrators who face unique and maybe unexpected challenges at colleges and universities.
Integrators configuring networks at businesses large and small are learning the importance of network segmentation. Finance data should not sit on the same network as HR, and video surveillance equipment should have its own network as well.
How much different can a university or college be from a business? In spite of the obvious similarities among networks, the Ivory Tower, where bright, creative young people are ideally encouraged to be inquisitive and curious, presents unique challenges to network safety and to security integrators working in this vertical market.
First, let’s consider the vast difference between the universe of network users in a business versus higher education. In a typical business, employees generally know that they need to follow rules and behave on their company’s internal network — their job and livelihood are at stake after all.
This is not to say they will behave, however. On the other hand, the network in an educational environment is unique and highly untrusted. A university environment is different in many ways, for example:
- The network is accessed by thousands or even tens of thousands of faculty and students, and the student population changes every year.
- Employees are typically hired based on a personal interview, work history and references. Students typically are accepted using little more than an application, grades and test scores.
- Students tend to have more free time than people working full-time.
- Students tend to be curious risk-takers.
- Our culture has long been amused by the “college prank” such as stealing mascots or defacing rival campuses. To some, this may make the digital prank seem more acceptable.
Due to the increased insider threat in this environment, it’s essential that the security integrator carefully segment college networks to ensure that students, faculty and other employees only have access to the data and resources that they need.
What Could Possibly Happen?
Despite the increased risk on campuses, most students are not bad; they are curious. College is a place to learn, and that happens by trying things and failing and changing your approach until you succeed.
Students need an environment where they can explore and learn, but all of this translates into extra challenges for security integrators. The people managing college campus networks need to build networks where students can learn, while also keeping students out of networks where they do not belong.
Many technology students are learning to write code, scan networks and look for and manage vulnerabilities. This typically happens in a lab environment, but inevitably some students will test their skills outside the lab. As a cautionary tale, it’s helpful to take a look at the origins of the Mirai botnet.
A 21-year-old Rutgers University student and his two college-aged friends wrote the Mirai botnet management code and malware. A botnet uses Internet-connected computers and IoT devices to attack a target on the web with what is called a Distributed Denial of Service (DDoS) attack.
The devious part of the botnet is that the threat actor who launches the attack doesn’t own those devices; people who do own them don’t even know they are infected with malware and under the control of the attacker.
The student and his friends built the botnet and first used it to attack the Rutgers network to do things like prevent upperclassmen from registering for classes that he wanted to take, or cause a network outage to delay the date of his calculus test. He also started a DDoS mitigation company and anonymously urged Rutgers to purchase his services to defend against the attacks that he was running against the university.
The student and his friends also managed a Minecraft gaming server and used the botnet to take down rival Minecraft servers so gamers would join the server hosted by the trio. They didn’t stop there.
In 2016, they used the botnet to attack a French hosting provider that offered Minecraft DDoS mitigation services. At this point, it seems that the student and his friends became afraid of being caught. They posted the botnet source code online so others could build botnets and muddy the waters to make it less likely that they would be discovered by law enforcement.
A month later someone used their code to launch a huge attack that took down and slowed down parts of the Internet including sites such as Twitter, Netflix, Reddit, Amazon, CNN, the Wall Street Journal, and many others in the United States and Europe.
When the student was tried in court, we learned that he was responsible for a dozen DDoS attacks against the Rutgers campus network during his first two years as a student. He timed the attacks to the midterm exam period to cause maximum disruption to the campus.
Of course, not all students will do things like this, but it is likely that many cybercriminals will attend a university at some point in their lives.
Mirai Harnessed Security Cameras
The Mirai morass was not the first cyberattack that started with college kids or teenagers. A story from 2017 in Wired magazine compiled a short history of cyberattacks coordinated by young people. These notorious hacks include a Cornell student’s unleashing of the first major computer worm in 1988.
In 2000, a hacker hijacked several university networks and used their combined computing power to attack Yahoo, “slowing the site to a crawl,” Wired reported. That hacker subsequently went on to target other top websites like Amazon, CNN, eBay and ZDNet.
The Mirai botnet is important for security integrators to understand because it was the first major cybersecurity attack that harnessed the power of compromised IoT devices such as home routers, security cameras and NVR/DVRs, to form a botnet of record-breaking power.
It’s also important to note that the security cameras that were recruited to the Mirai botnet used default usernames and passwords — a practice that many leading video surveillance providers had done away with before 2016. Unfortunately, several manufacturers had not, and there was also a lot of legacy equipment in the field that did not force users to choose a unique username and password.
Network Segmentation Overview
On a basic, flat network all devices can talk to one another: PCs, security cameras, printers, smartphones and other smart devices such as thermostats or lightbulbs. If one device is compromised, all devices on that flat network can be seen and possibly infected by the compromised device.
Network segmentation is a cybersecurity best practice and the very first line of defense. It applies the Principle of Least Privilege (POLP) by isolating sensitive or proprietary systems on a network that is only accessible by those who have a need to access those systems.
In a segmented network, people and systems that do not need to interact cannot interact. In addition to the cybersecurity benefits, a segmented network uses bandwidth much more effectively. Networks can be segmented using hardware, such as firewalls, using software by creating isolation with virtual machines, or by using a combination of hardware and software by creating VLANs in a switch.
While network segmentation can’t defend against DDoS attacks coming from the Internet, it can keep critical resources separate from the attack targets. Segmentation also can keep a rogue system on your internal network from reaching critical systems.
Network Segmentation in Higher Ed
Another great risk to education institutions is ransomware. In the past decade, ransomware has become a low-cost, high revenue means of attack by threat actors. Universities have been hit with these attacks many times.
With the appropriate network segmentation, the automatic spread of ransomware is limited to the network on which it was launched. This is a tough lesson if you learn it the wrong way.
There are different considerations in architecting a segmented network at a college or university. The university likely has some segmentation in place, but the integrator should not recommend that the security equipment be added to an existing network unless there is already one that is dedicated to the security equipment.
The integrator does not need to architect the entire university’s network. However, the integrator should be architecting a security network that adds on to the university’s network, but is isolated and used only by the security team who needs to have access.
Another consideration during this global pandemic is that in most cases today faculty and students are off campus and remotely accessing the university resources. This can put an enormous strain on the VPN servers.
It is best to have a dedicated VPN server for the video surveillance network. This will ensure that students and faculty don’t accidentally DDoS the VPN server and prevent the security team from remotely accessing the security network.
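The following is an added example, not part of the original article: a worst-case model of the flat versus segmented networks and the dedicated security network described above. Segment names and allowed flows are constructed assumptions; the code computes which segments a compromised host could reach, including by pivoting through segments it reaches along the way.

```python
from collections import deque

# Constructed sample designs: segment names and allowed flows are illustrative
# assumptions, not taken from any real campus network.
SEGMENTS = ["students", "faculty", "finance", "hr", "surveillance", "security_vpn"]

# Flat network: every segment can initiate connections to every other one.
FLAT = {(a, b) for a in SEGMENTS for b in SEGMENTS if a != b}

# Segmented network: default deny, with only the flows each group needs.
SEGMENTED = {
    ("security_vpn", "surveillance"),  # security team reaches cameras/NVRs
    ("faculty", "hr"),                 # staff self-service portal
    ("hr", "finance"),                 # payroll export
}


def blast_radius(allowed, start):
    """Segments reachable from a compromised host in `start`, assuming the
    worst case that every allowed flow can be used to pivot (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for a, b in allowed:
            if a == src and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen - {start}


def audit(allowed, untrusted, protected):
    """Return (untrusted, protected) pairs where an untrusted segment can reach
    a protected one directly or through intermediate segments."""
    return sorted(
        (u, p) for u in untrusted for p in protected
        if p in blast_radius(allowed, u)
    )


if __name__ == "__main__":
    for name, design in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "students can reach:", sorted(blast_radius(design, "students")))
        print(name, "violations:",
              audit(design, ["students", "faculty"], ["surveillance", "finance"]))
```

In the segmented design the audit still reports a faculty-to-finance path through HR, which is the kind of indirect route a rule-by-rule review tends to miss.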
Campuses Continue to Embrace Access Control Despite Pain Points
For years now, SSI sister publication Campus Safety magazine has been talking about the importance of access control, locks, lockdown and door hardware, and according to CS’ most recent survey, schools, colleges and healthcare facilities have heard that message loud and clear.
Nearly nine in 10 respondents to the CS 2019 Access Control and Lockdown Survey say they have adopted new or improved lockdown/shelter-in-place policies and procedures in the past two years and/or are considering doing so in the next two years.
With so much focus on lockdown, it’s not surprising that locks and/or door hardware are popular equipment purchases. Overall, 85% of respondents say they have purchased and/or are considering purchases of this type of solution.
Another big takeaway from the survey: integration, lack of expertise and maintenance are generating pain points for end customers. Despite the robust interest in access control and lockdown — or perhaps because of it — some interesting challenges in particular have emerged over the past two years.
Problems with integrating access control with other security and public safety systems have jumped significantly. Now, 56% of respondents say this issue is somewhat to extremely challenging for them. That’s 10 percentage points more than in 2017.
Additionally, more campuses are struggling to find a good integrator to install their access control solutions. Now 24% say this issue is somewhat to extremely challenging for them, compared to two years ago when that percentage was only 19%.
Lack of access control expertise is also posing more of a problem. Now 26% say wanting to install more access control “but I don’t know where to start” is an issue that is somewhat to extremely challenging. That’s seven percentage points more than in 2017.
Hospitals are the only respondents who don’t have as much of a challenge with this issue.
You can read the full report here and keep up with the latest in K-12 and college security happenings from Campus Safety.
Chuck Davis, MSIA, CISSP-ISSAP is Senior Director of Global Cybersecurity for video surveillance solutions provider Hikvision.