Managing the threat of cyberattacks with LastPass, learnings from the higher education sector
Universities are quite attractive targets for cyber attackers in the digital age. In the recent past, APAC-based universities such as the Australian Catholic University, National University of Singapore, Nanyang Technological University, and University Malaya, among others, have suffered devastating cyberattacks.
Victims of the attacks include students, staff and faculty, as well as senior academic executives. Some had data stolen, typically login credentials, personal data such as date of birth and national IDs, and work items such as privileged research data.
“The data breach originated from a phishing attack: an email pretending to be from ACU tricking users into clicking on a link or opening an attachment and then entering credentials into a fake ACU login page,” said ACU Acting Vice Chancellor Stephen Weller.
Given the value of the information at stake, detailed investigations were conducted, and they revealed that the attacks were extremely sophisticated operations: planned over several months by organised teams who used custom-built malware and zero-day exploits for previously unknown vulnerabilities.
Given that 81 percent of hacking-related incidents occur due to stolen or weak passwords (VDBIR 2019), universities are strengthening their defence strategy against such attacks by incorporating Identity and Access Management (IAM) into their cyber security roadmap. LastPass by LogMeIn is a leading IAM solution helping enterprises and academic institutions prevent security breaches and guard their applications and data against sophisticated cyberattacks.
In a recent conversation between Deakin University’s Cyber Security Operations Lead Dushyant Sattiraju and Lloyd Evans from the LastPass team, some interesting challenges in the academic environment were revealed.
“The threat landscape has shifted quite significantly for the university sector. In the past, there were regular spam and other attacks but they weren’t targeted towards a specific member of the university. Now, research groups and executives are being targeted for data exfiltration,” said Sattiraju.
Universities believe in building an open ecosystem and often publish their staff directory online. That is a big concern for cybersecurity specialists, because a public directory of names, roles and email addresses makes a targeted phishing campaign very easy to arrange.
The other major concern for Sattiraju’s team is that bring your own device (BYOD) is now standard practice. In an environment like Deakin’s, with 20,000 staff and 75,000 students logging in almost every day, monitoring the entire network is very difficult.
As a result, the university has decided to adopt a zero trust approach and focus on managing access to applications rather than monitoring the network.
In fact, agility in monitoring and responding to red flags in application access is now a cornerstone of Deakin’s (Cybersecurity) Shield program, with help from LastPass. Deakin has deployed the LastPass solution across the whole chain, from authentication methods through to access to stored passwords.
It’s important to adopt a people-first approach
LastPass CISO Gerald Beuchelt believes security is about the combination of people, process, and technology. Employees, or staff, students, and executives in universities, unknowingly put the institution at risk if they aren’t aware of the vulnerabilities their actions could be exposing — especially if they use the same password all over the internet.
Deakin University’s Sattiraju couldn’t agree more. According to the Cyber Security Operations Lead, failure to communicate with, educate, and create awareness among people can defeat even the most brilliant, robust, security policies and systems.
Of course, dealing with nearly 100,000 people every day, Sattiraju has plenty of examples to share with colleagues. The underlying fact, however, remains that a people-first approach is the foundation of the best defense in the digital-first world.
The University uses single sign-on (SSO), so most users only have to remember a single login credential. Compared to its peers, Deakin’s approach definitely helped: most students, faculty, and staff could avoid saving passwords (and even credit card and passport details) in Excel sheets, which left them vulnerable, and could avoid creating simple passwords that could be easily guessed.
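The two password problems just described, guessable or already-breached passwords and the same password reused across sites, are exactly what a credential manager audits for. The following is an added example written for this article, not code from LastPass or Deakin. It screens a constructed vault export offline: it flags passwords below an assumed minimum length, checks each password against a breached-password corpus using the k-anonymity range scheme (only the first five hex characters of the SHA-1 hash would leave the client; the range response here is a constructed stand-in for the real lookup), and groups sites that share a password. The site names, the vault contents and the `MIN_LENGTH` policy are all assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed vault export: (site, username, password). Not real data.
SAMPLE_VAULT = [
    ("library.example.edu", "jdoe", "password"),
    ("hr.example.edu", "jdoe", "password"),
    ("research-share.example.org", "jdoe", "Tr0ub4dor&3"),
    ("grants.example.gov", "jdoe", "correct horse battery staple"),
]

# Constructed stand-in for a k-anonymity range response for prefix "5BAA6".
# A real response lists every breached hash sharing the 5-character prefix
# as "<35 hex chars>:<count>". The first line is the genuine SHA-1 suffix
# of "password"; the other two are filler suffixes.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2A0B4C7D8E9F0A1B2C3D4E5F60718293A:2",
        "2B3C4D5E6F70819A2B3C4D5E6F708192A3B:1",
    ]),
}

MIN_LENGTH = 12  # assumed policy threshold for this example, not Deakin's setting


def sha1_range(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the range service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_range(prefix):
    # In production this is an HTTPS GET for the prefix; here it reads the
    # constructed table so the example runs offline. Unknown prefix -> empty.
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password):
    """Return how often the password appears in the breach corpus (0 if absent).
    The comparison is done locally against the suffix list, so the service
    never learns which of the candidate hashes the client cared about."""
    prefix, suffix = sha1_range(password)
    for line in lookup_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def find_reuse(vault):
    """Group sites whose entries share a password; returns only groups of 2+.
    Passwords are compared by SHA-256 so plaintext is never used as a key."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        key = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_password[key].append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


def audit_vault(vault):
    """Return (site, user, [issues]) for every entry with at least one issue."""
    reused_sites = {site for group in find_reuse(vault) for site in group}
    findings = []
    for site, user, password in vault:
        issues = []
        if len(password) < MIN_LENGTH:
            issues.append("too short")
        hits = breach_count(password)
        if hits:
            issues.append("seen %d times in breach corpus" % hits)
        if site in reused_sites:
            issues.append("reused on another site")
        if issues:
            findings.append((site, user, issues))
    return findings


if __name__ == "__main__":
    for site, user, issues in audit_vault(SAMPLE_VAULT):
        print("%s (%s): %s" % (site, user, "; ".join(issues)))
```

Running the block reports three of the four constructed entries: the two sites sharing "password" (too short, 3,861,493 breach hits, reused) and the research share (too short). The passphrase entry passes all three checks. In a real deployment the constructed range table would be replaced by a live range lookup, and the SHA-1 prefix is the only thing that crosses the network.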
Single sign-on did, however, leave gaps: some credentials sat outside it, either because they had to be shared among team members or because they were unique accounts granting admin or root access.
This prompted the need for a robust credential manager combined with multi-factor authentication (MFA), which was recently rolled out with the help of LastPass’ suite of security solutions.
The team first applied MFA policies to the IT team, identified potential challenges, such as teachers leaving their phones in a locker when going to class and so being unable to receive a login code, or students preferring not to carry a phone to avoid distractions, and ironed those out before deciding to go ahead with the wider rollout.
Since Sattiraju believed that getting executive sponsorship was key to successful rollout of the program, his team rolled out the solution to the senior-most executives at the university starting with the CFO.
Support from senior executives flowed down to staff in management and administration, and the influence that executive sponsorship has on widespread adoption in a people-first environment helped Sattiraju’s team get users started with MFA quickly.
Of course, spreading awareness about the importance of MFA played a big role in the roll-out of the added layer of security too. In fact, the Deakin University team tailored the message to suit different cohorts of students based on their interests such as arts, business, and technology to boost adoption.
The MFA project was large, given the number of users involved, but its success was satisfying.
At the end of the day, with support from LastPass, Deakin University has a strong cyber defence strategy. Of course, it is an ongoing endeavour, something the internal team is focused on improving every day. Deakin is a good role model for other universities that want to work on their own strategy to boost cybersecurity.
To learn more about Deakin’s journey and listen to the Q&A with LastPass, click here. Read more about LastPass by LogMeIn for the enterprise here, and get in touch with a member of the team in your location from this page.
(If you haven’t already, get LastPass free here.)