Prominent Washington, D.C.-area higher education institution Howard University was forced to cancel classes on Tuesday, after a Sept. 3 ransomware attack forced the HBCU’s Enterprise Technology Services team to shut down its network.
The incident exemplifies the potential disorder and disruption that a cyberattack can cause to educational institutions, especially as they are already are trying to keep classes on schedule in during the COVID-19 epidemic. Higher education environments are known to have their own unique cyber risk profile, as they are targeted by national-state cyber espionage campaigns for their valuable research and by cybercriminals for their vast amounts of student data and personal information, and potentially for their deep pockets.
“Universities are tough environments to secure. Their populations vary greatly over the course of a year. They accept all kinds of devices into their networks, both from staff and students. And they change out their users at a high rate as students graduate and matriculate,” said Tim Erlin, vice president of strategy at Tripwire. Not many other IT organizations have to deal with all of these factors.”
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, also noted that education institutions tend to be soft targets to penetrate. “Often university departments enjoy independence from each other, [which] can lead to sprawling disparate technology projects that can remain unpatched or orphaned with no centralized oversight by IT,” he said. “Overly permissive access and permissions is another common issue in high education organizations that can easily be exploited by attackers if they gain access to a single user account.”
So far, there is no indication that student or faculty personal information was accessed or exfiltrated, according to a press statement from Howard, which notes that the school continues to investigate the incident alongside forensic efforts and law enforcement.
Howard hopes to resume operations shortly, but for now only essential employees are allowed on campus and the university’s Wi-Fi network is inaccessible. However, certain applications stored in the cloud remain accessible to users.
Doug Matthews, vice president of data protection at Veritas Technologies, said there’s now officially a term for cancelling classes for the reason Howard University did: “cyber day.” Hopefully that cyber day doesn’t expand into a cyber week or longer. For that reason,“ preparation for dealing with the aftermath of a successful attack is more important than ever,” he said.
Additionally, transparent and regular communication is an important aspect of any incident response – and it appears Howard is executing this best practice.
“Each day at 2 p.m., we will let you know the status of campus operations for the next day. This is a moment in time for our campus when IT security will be at its tightest,” the university press release states. “We recognize that there has to be a balance between access and security; but at this point in time, the University’s response will be from a position of heightened security.”
“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data. We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering,” the statement continues.
