Tune into the Vercara podcast to hear cybersecurity experts break down the latest attack trends and explore how organizations defend against DDoS threats with cloud-based security management tools. Discover how to build resilient IT infrastructure that ensures secure and accessible online services for higher education.
[Anthony Jimenez]
Welcome back to Carahcast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.
On behalf of Vercara, a DigiCert company, we would like to welcome you to today's podcast, focused around recent attack trends in the education sector and how to prevent them with secure DNS and DDoS protection solutions. Rob Ayoub, Product Marketing Manager at DigiCert, and Richard Wallace, Senior Cyber Threat Analyst at DigiCert, will discuss why secure DNS and DDoS are the foundation of a resilient infrastructure.
[Richard Wallace]
What are we going to be talking about today? It's going to be focused on higher education, so we're going to talk about the landscape that we're seeing within the education industry, DDoS, ransomware, some other cyber threats, emerging threats, and how to build resilience in education. I think you see some of the macro threats that we're seeing within the landscape.
Why is education such a prime target for malicious actors? It's very lucrative because education, you have a lot of data there from student registration, student data, PII, but also a lot of research and proprietary intellectual property is housed within the education infrastructure as well. So just not your cyber criminals, but also your advanced persistent threats or your state actors look to target the education industry to gain access to that type of information.
Expansive attack services, campuses are very large and they have a lot of connected devices. I know probably when Rob and I went through education back in the day, smartphones wasn't there. You had a computer lab maybe and then library, but now it seems like everybody has at least seven or so devices.
What do you think, Rob?
[Rob Ayoub]
Yeah, I mean, I've seen some surveys. I found an old survey that said seven and growing, so I'm sure much higher now. But even just thinking about every student that goes, it takes a laptop and their phone and then their smart speaker and their Roku and their PlayStation or Xbox and their Switch maybe, right?
So it's definitely a proliferation of devices and the university doesn't manage any of those. And I think that's really a key challenge when you talk about higher ed is, hey, the office, they can lock down my machine. They can keep me from going to sites, but universities are really built around openness.
Yeah, it's a huge challenge.
[Richard Wallace]
Yeah, and you also think like in the dormitories, a lot of people are bringing IoT devices, Internet of Things, so smart lights, smart vacuums and stuff like that that are also potential ingestion points for the malicious actors. And those really don't get updated too much with security updates. They're built more for convenience versus security.
So having those in the dorms also having a potential endpoint or injection point as well. Another big thing is phishing. You know, like we were saying, you got so many devices, thousands of students even talk all the way down to elementary schools now have iPads and phones that have emails and stuff like that.
So clicking on a malicious link, thinking that they just want a free Xbox or a random thing that they might be interested in. And now they just made your network vulnerable to attacks that way.
[Rob Ayoub]
Right. You know, it's interesting. I mean, I have students that are middle school and high school age, and even at the elementary, they talk about Roblox and they talk about Minecraft.
And they're starting to do some phishing education, even at that level, starting to at least introduce the idea of like, hey, maybe you didn't win, you know, a thousand whatever Roblox points or whatever, or a new switch. And you got to really think about these things before you click. And it's kind of surprising coming in and talking to students at that level, and they're starting to be having to be educated about some of these things.
It's really interesting.
[Richard Wallace]
I know federal governments and state governments as well are pushing that cyber awareness type of training as much as they can to try to mitigate some of that threat. So, and then the growing nation state, those will be adversaries to think like Russia, Iran, North Korea, China, other places, or even might be a friendly country, UK or something like that, that are trying to get access to some of your research that you have within your networks, some proprietary algorithms or research that can be used to, you know, help them versus and try to beat you to the publication of something as well. Right.
[Rob Ayoub]
I mean, there's certainly that, but, you know, another thing I think you didn't mention it directly here, but I think it's related to nation state, but also just the other more persistent campaigns. Think about like university medical centers, right? That, you know, they have both the kind of research piece of it, but also insurance and the student, the patient base and medical history and all the potential there for those same challenges that a traditional hospital would face.
But also with the student piece of it, you know, the openness, the student intern internship jobs piece of it. So that's another, you know, I think another piece is that those are also very rich targets because the financial implications of insurance.
[Richard Wallace]
Yeah, you kind of get just not the personal information, but also personal health information. Right. That is, you know, very lucrative.
And then, of course, you brought up the financial piece of payment processing and all that as well. We're going to talk about kind of broken down. So we got DDoS and ransom.
So we're going to talk about DDoS first, which is distributive denial service. In case you don't know what that is, it's where I have, as an attacker, I have infected computers all around the world that I call my bots. And I have my botnet, you know, a bunch of them make up a net.
And I give command and control to them to attack Rob. I don't like Rob. So I have all my bots at the same time send bad traffic to Rob and hopefully take down his services.
So that's what we're talking about as a DDoS attack. And education. So looking at, so this is internal data that we have seen within our platform, our mitigation platform.
And what was interesting is when we overlay, so the three lines are the red is 23, the orange is 24, and the blue is 25. So those three years, looking at it, and then we overlay some of the key points within an academic year. So registration, you got your fall midterms, your fall finals, like December, your spring midterms, finals, like those major events.
And there's a little bit of a correlation between when those events happen and what we're actually seeing DDoS attacks as well. So these are confirmed attacks, like I said, within our network. So it's kind of interesting.
You see that definitely spike around midterm and finals in the fall. Definitely see attack, you know, they're trying to disrupt a lot of universities are now online. Like I'm in a bachelor program right now, which is completely 100% online.
So if I can't access my resources to take my test, then I might fail that class. So that is a lucrative time to conduct these types of attacks to disrupt, especially those major testing periods, as well as registration. If people can't register in time, then that causes issues of them actually getting enrolled in a timely manner.
[Rob Ayoub]
Right. And the disruptions, I mean, I know you're going to talk about ransomware next. And part of it, I'm sure, is opportunistic, right?
You distract with DDoS and then do other either hacking or malicious activities. But also, I mean, and I'm not sure if you all have the data, Richard, but do you have some thoughts that some of these are like internal students that just like the old calling a threat to push the final out because you're afraid of failing or something?
[Richard Wallace]
Yeah, pull the fire alarm. So the thing with DDoS attribution is very difficult because it is easy to spoof where the traffic's coming from. But that is definitely a possibility that I wouldn't be surprised that is happening.
You know, students like, oh, I'm not prepared today. Let me go ahead and take down the site. Give me an extra day to study.
Yeah, that's very plausible. I just don't have concrete evidence to back that up.
[Rob Ayoub]
We know these services exist, too. Like, hey, I need you to cause a disruption for me.
[Richard Wallace]
Yeah. So you brought up this call. It's where malicious actors rent out their platforms to people.
And I've seen, I track a lot of these what we call hacktivist groups that are doing attacks based on social or political ideology. And a lot of their they're selling time on their infrastructure for as low as $20. So for $20, I can go in, I can rent five, 10 minutes on one of their platforms and just give them a website or an IP and they go attack it for me.
So DDoS is very easy to do. There's a lot of open source tools as well. Like HP 3.3 is just a terminal way you can do it. Ion Cannon. There's a lot of open tools out there that you can download because a lot of these tools are actually developed for legitimate purposes to test your own infrastructure. They call it, you know, but bad guys repurpose them for bad things.
Anything good can be used for bad. So doing a DDoS attack is actually quite easy because you're just interrupting that the services on the network. Ransomware is a little bit harder because you actually have to penetrate into the network and install malware, which takes a little bit more time, a little more sophistication.
DDoS, like I said, anybody can do a DDoS if you have the right resources to do it. So just kind of looking at, so these are what we call OSINT, open source intelligence or things that are out there. Recent attacks that have been reported in the news, I try to keep it within the last year or so, but you can see 2020, there was a surge in DDoS attacks.
Focus is against education with the 30% jump in weekly DDoS attacks. And then there you have clean ISD in Texas last year. Kind of what you were saying, Rob, this student actually initiated that attack to try to get out of the testing process there in Texas.
So like I said, I don't have anything concrete, but there is open source to kind of corroborate that theory. So yes. Interesting.
[Rob Ayoub]
Well, we've seen the political emphasis has really unfortunately, fortunately really been in the news and headlines. There's been some, of course, some politics around where students and protesters and at the university level, kind of where they sit on different issues. And then I'm sure that's also got to be driving some of these attacks.
Regardless of which side of the fence the attackers are on, they're still taking a notice. And we're definitely hearing those stories coming up.
[Richard Wallace]
Yeah. So the two regional conflicts that are really fueling, just not against education, but industry worldwide as a whole is you have Ukraine, Russia, and then you have the Israel, Palestine, Gaza issue. And then, as you were saying, we saw a lot of unrest last year, focused around the Israel conflict there.
So there were some attacks kind of associated with that in support of the protesters there. But then we also look at last month with what happened in Utah, Charlie Kirk there. We actually had one of our known DDoS groups threaten or claim to have conducted an attack on that school, even though it was the wrong school in Utah.
They just saw Utah University, so they went after the Utah University versus the actual one they went in. So just not regional conflicts that are overseas impact education, but also stuff in the states will also drive hacktivist activity as well. Let's talk about ransomware.
So this is very, very bad if you get within your network. This can actually, like I said, it's high value disruption. So DDoS attacks are short lived in nature.
I looked this morning within our platform, average DDoS attacks about 15-ish minutes. That's average. So, but the mean is usually around like a couple minutes a piece.
Ransomware is a very long process. They just don't get in your network that day and then start doing something. They could be in your network for months to years without you noticing that you have a malware that's infected.
A couple of things for that is one, they're stealing data. So they're siphoning off data throughout that time, and then whenever they think they have enough or get what they want, then they will lock you down. So, like I said, that can take time.
Also, the initial injection into it takes time. It's a lot of social engineering. Most of the time, kind of going back to what we were talking about earlier, Rob, is those phishing emails or spam emails.
They can send out a thousand. All they need is just one person to click on it. That can take time.
Right? So this is something that you might not know is going on until you're completely locked out. And a lot of it is financially driven.
They like to kind of lock your system out and put a message saying, hey, we just locked all your files. Here's a link to send Bitcoin to. Or extortion of, hey, if you don't pay, we'll release all this data on a leaked site.
So you have the financial reputation as well. If an organization is hit with ransomware and they have a data leak, their reputation kind of goes down. People start second-guessing, like, should I go to this university because my data, my personal information might be exposed?
They're not taking care of my personal data. So that might be a factor after a ransomware attack of people going to different organizations for that.
[Rob Ayoub]
Right. Well, and while sort of the thought, I think we typically hear, don't negotiate, don't negotiate. But the truth of the matter is when everything's down, some universities, some folks, I'm sure, just feel like they don't really have a choice.
I've seen different reports about sort of unofficial reports about how much most people do end up paying a ransom, because sort of what we've historically seen. And even if the organization is prepared, has backups, and can sort of recover from it, there's still all the pieces associated with that. There's still downtime and rebuilding and still data lost.
Yeah. So it's a really challenging situation, no matter what.
[Richard Wallace]
Yeah. And then the organization has to go through that risk benefit of, okay, they're asking for $3 million to get the unlock code. Okay.
Well, if we don't pay, it might cost us $10 million because we have the downtime, we have to rebuild everything, the reputation damages, and also a regulatory aspect as well. A lot of industries have either US or national European regulatories that one is reporting, but two can get fined as well. So that's a whole factor going in.
Do I pay it or not? And like you said, Rob, a lot of times people do pay it because it's cheaper to pay the bad guy off than to go through all that. And the bad part about that is now they know, okay, they paid once, they'll pay again.
So become a repeated target if they do not figure out how they got into the network and close that point off. Right. I think we already talked about the double extortion about me stealing your data, telling you, hey, I'm going to leak it if you don't pay me, but also here's the unlock code.
That's something also we see with DDoS as well lately is the extortion piece of it was SAS Airlines in Sweden. They actually got hit with DDoS for a week straight. And it was no name, I believe it was a no name group was like, hey, pay us and we'll stop DDoSing you.
Which we really don't see a lot of that, which was kind of interesting as DDoS extortion. You definitely get the extortion piece with ransomware, but I found it interesting on the DDoS side. Yeah, well, likely we'll probably start seeing more, right?
Probably, if it's proved to be successful, they'll definitely reuse it. Some recent ones, like I said, you see there, it's just not US bases, you have St. Thomas, or I'm sorry, Texas. So, kind of that was a one, two, three, fourth bullet down the education sector ransomware.
So, that was a report that came out that the average demand is about half a million dollars to get unlocked. That's average, you probably go up to a couple million, maybe a couple thousand. I think it just depends on how big the institution is.
If, say, it's like a major university or college, the ransom might be a little bit bigger versus a local middle school. They probably know they can get more out of that bigger university place there.
[Rob Ayoub]
We've also seen these very, very large K-12 districts, too, that have gotten really, I mean, they've got hundreds of thousands of students, disruption. There's certainly a lot of potential for financial gain on those sort of networks.
[Richard Wallace]
This is from a database I have access to about threats or claims by bad actors that are out there. So, the red there is ransomware, blue is DDoS, and the green is data breach slash data leak. So, within the last year, so from September 24 through August 25, you can see data leak and data breaches were the most significant, followed by DDoS, as far as what they're claiming or threatening to do from an education standpoint.
And then what's interesting, kind of the same concept as the DDoS slide a little while ago, is I took those three categories, overlaid it again with the school year, and again, there's correlation between major school events and threats or claims of attacks on the education sector. So, it's kind of interesting that we saw that correlation as well from just not our own internal threat data, but also what's being reported out there in the wild as well.
[Rob Ayoub]
Yeah, I mean, it's interesting that there is such a strong correlation on the seasonality, and you literally can see drop-offs in the summer, there's just less. And yeah, I think it just highlights the, you know, just the attackers are, you know, they're watching their targets. They know that, you know, that downtime for the universities, you know, it's going to be noticed if they do something.
Whereas, hey, if it's during finals, IT's probably stretched thin already, the student services are already stretched thin, and then boom, you know, that wasn't an ideal time to go in and try to steal data, launch a ransomware attack, drop these services. Because, you know, now all the universities, they have learning management systems, they have testing services, they have document upload services for that.
[Richard Wallace]
Turn it in or something like that.
[Rob Ayoub]
Yeah, yeah, being heavily used during those times as well.
[Richard Wallace]
Yeah, so you brought up a good point. It's just not the university resources, but also supply chain or third-party services that the university might be. Like we talked about Turnitin, where students go in and actually upload assignments or papers that might also be a potential target when we talk about the education as a whole.
Right. I look at your, you know, what third-party services or apps or things that you're using, and if there is some form of cyber attack on them, how does that affect you as well? So, but yeah, you kind of brought up the thing is like, it seems like every bad guy or malicious group or whatever, they're always trying to outdo each other and like get in the newspaper, get that PR, so they can stick like, yeah, I did that.
I'm better than you. And then it's like, oh, you did that. I'm going to do this.
It's like a one-up man gamesmanship between them. Oh, I can, I'm better than you. No, I'm better than you.
So they love that PR. They love getting the news, getting their name out there because it makes them seem all big and scary. It's probably some guy on a keyboard.
So some of the emerging threats, I think we kind of loosely talked about this throughout the presentation, but we just kind of wanted to drive it home a little bit is phishing is probably the number one biggest threat when we talk about ransomware, especially when you have thousands of students and with connected devices that are on your network and they can click a phishing email. And now they just compromise your network as well as credential theft. If somebody on their personal laptop has a malware and they log into their student account or some form of school resources and that credential is stolen, then that can be a means of entry point that they can go out and use as well.
We talked about data breaches and IP theft. Data is the currency of the world. Almost everything is data, data, data.
So malicious actors love to get their hands on data because they can turn around and sell it. Everything is financially driven for them. The more lucrative the data or the intellectual property or some secret thing that they can turn around and sell on the darknet or to another nation state, the more that they want that money.
So that's what they're looking for. And then IoT devices and smart campuses. We talked about that, you know, smart lights, speakers, Alexa's, Siri's, and all these different devices that students, they're pretty cheap and students have them in the dorms.
They bring them with them to class, you know, Alexa or a little JBL speaker type of thing. Home routers that students have that can expand their network. These are all potential infected devices that most actors are going to look to exploit.
A lot of people don't update their firmware and a lot of companies don't actually provide an update of firmware or security patches for vulnerabilities that are out there. And if they do, people just don't update them because they don't think about it in that manner. So that is a very significant threat within the college campuses.
We kind of talked about too, Rob, the hacktivism. We talked about Russia, Ukraine, Gaza, and Israel. But then domestic things, just not in the U.S., but if we're talking about like educations within the U.K., there's a lot of social discourse in the U.K. as well. There in France as well. So those can be driving factors for disruption. Let's say I don't want to go to college or go to school today because I want to go to this protest.
I just go in and DDoS the services and now I can go do my protest. So those things will also be driving. And then, like I said, the third party, I think a lot of people don't think about it.
All your interconnected third party devices, services, networks that you use to conduct the school year. You should be reaching out to them, finding out what their security posture is. Also having a backup plan.
OK, this service is down. OK, we can shift to this one for the meantime type of thing. But a lot of people don't think about that.
They just think about my network. But you have to look at what other things you're using as well.
[Rob Ayoub]
Right. Yeah. Go back to the IOT.
I mean, correct me if I'm wrong, but the other challenge you mentioned is an entry point, but also the use of IOT in generating attacks. And now maybe not against that specific university, but some of the tsunamis that we've seen lately, haven't those been driven by IOT devices primarily? Yeah.
[Richard Wallace]
IOT is a it goes back to their security on them. They're built for convenience, not for security. So they're easily cracked.
A lot of people don't change the default username and passwords with them. So if it's exposed to the Internet and the Internet scan daily, multiple times a day, what devices are out there? will find one that's exposed like, oh, it's a TP-Link router or it's an Alexa device.
And that's what the normal user. So they can go in and install their malware to turn into a bot, especially with the increase in residential Internet capability. Like I have a one gig Internet service, you know, back in the day, it was about 52 kilobits per second for dial up.
Now I take gig just the advancements in throughput from home use is most actors are using those part of their attack. Yeah, they're not going to attack the school, but they'll compromise 100 devices. Well, now that's 100 devices to go conduct something else.
We've talked about all the big, bad things out there. So what can you do from an organizational standpoint to I don't like saying we're protect. That seems like nothing will happen.
I would say mitigate the risk. The biggest thing is cybersecurity awareness and training. About 99 percent of your ransomware are coming through social engineering attacks that can be that can be mitigated with the proper training.
I would recommend is part as a new student orientation. They have to take some form of cybersecurity class in order to get access to your network and then have them redo it on a yearly basis. Patching and vulnerability management, knowing what's on your network that is owned by you.
Having some form of process to want track it, where it is, what version is in, what patches on. And then a way to go in and periodically check check. Has there been updates to firmware or software security patches that if it's supposed to be automatically pushed to the device that is happening?
If it's not, then have a process to be able to get that from the vendor, not some random Internet site out there saying, hey, here's a patch for this, you know, this thing. And then a process actually integrate that and patch our systems up. And then defense and layer network segregation is key, is having a network for students, having a network for administrative people, for your finance people, for your research, segregate your network that if one is compromised, it's not going to affect everything.
It's just going to compromise that one segmented network. I would put students on their own completely network, the dorms on a completely different network. That way, and then have that proper protocol security where it's hard to either do VLANs or through network segregations of different IP ranges and then having the firewall in place that they can't talk to each other unless properly approved is the best place.
And then zero trust and identity kind of goes back to segregation, but also account is restricting people only having access to what they need. A HR rep should not have administrative authority on any network devices. And then that goes to your network guys, too, is have them have two accounts, one that they use as a normal user.
And then they have their administrative account that they use only to do administrative stuff. So if their user account is compromised, the admin account is not. So having two separate accounts for people that do have administrative authority that they use, depending on what role and what they're doing.
And then incident response and readiness, having that playbook of if something happens, what do we do? You know, policies in place that it's updated. You don't want something you pull from the shelf that's from 1994 and has somebody that's listed as a primary POC that's no longer there.
So those should be reviewed on a yearly basis. And they should be at least tabletopped or exercised once a year as well. Have some form of simulations like, OK, we just had this attack.
Let's pull this off. Let's run through it and see if it still makes sense. Do we still have all this hardware in place or have we updated or have we added hardware?
That way it kind of makes you look at your network every year as well.
[Rob Ayoub]
Yeah, I mean, I think I think that piece about the tabletop and then testing backups, all these pieces, I think, are we talk about an industry. And I'm sure I'm sure plenty of organizations do them. But even just even some of the non-tech things, I think, is something to emphasize here.
You know, what's the communication strategy? If this happens during finals, what what is our backup strategy? What do we tell professors?
What we tell students? What is the plan? Do they just get a paper?
Is there a delay strategy? And just getting getting folks some practice that, hey, you know, so they're not in the heat of the moment trying to work through some of these things. And, you know, I think it even goes beyond just, yes, you obviously need to have the policies in place, but having that practice so that even if it's not nearly the same intensity, at least they've been through it before and can say like, oh, yeah, you know, we we talked about this.
We I know who to contact. I know what. OK, this happened.
This is the new policy. This is the policy. This is what we're going to follow.
And, you know, I think there's a lot we tend to think very technically about these things. You know, I've got to check the backups. I've got to got to make sure the failover works, got to make sure the AV is properly.
But it's those people processes that are are really going to be the the key for surviving a ransomware.
[Richard Wallace]
So what's your messaging going to be just not within the university, but outside? Right. You know, because news organizations, you're messaging to the regulatory.
How are you going to what is the process actually fulfill that regulatory requirement of reporting? What's the process? But you brought up a good point of the messaging with internal is if you use Outlook for everything, that probably shouldn't be your primary means of communication during an incident, especially if it's ransomware, because that might not be available to you.
So having in the military, we have pace, you know, primary, alternate contingency and emergency. So we call that the pace plan. OK, my primary.
Yeah, it's going to be email as we do day to day. Well, that's gone. Then what's my alternate?
That's what's my. So kind of thinking about that. OK, I don't have access to this.
What's my next form of communication? OK, if we're going with that, does everybody have access to that or really have access during a time of an incident?
[Rob Ayoub]
We're talking about the threats to education, but it's also important. We wanted to bring up the products that DigiCert provides that specifically can address some of the challenges we've mentioned today. You know, we have our ultra DNS products, our ultra DDoS protect product and our ultra RAF products.
And all these fit into that that resilient infrastructure. You know, all these products have a long history proven in enterprises. We have lots of customers to vouch for for each of these.
And, you know, again, I don't want to spend a lot of time on these. But, you know, definitely bring the awareness that you are a district or K through 12 higher ed. And you're looking to improve your overall infrastructure to ensure that you can handle modern DDoS attacks to help stop some of these ransomware attacks.
And to be resilient in the case of an attack that we do offer products and more importantly, expertise around deploying these properly and then you get access to folks like Richard that do all the smart stuff on the back end on the Intel side.
[Richard Wallace]
You kind of brought up one thing we haven't really talked about is those web application attacks, which is definitely a threat that education higher or lower see. So if you have any forward facing website or web application, especially if it has a login or a comment or something like that, most actors will scan those as well to see if they're vulnerable to SQL injection, cross scripting, all these different type of web attacks that can get access to online data, but also use it as a pivot point to get into your network as well to have it download something that it shouldn't be on your network.
[Rob Ayoub]
Well, and I know, like I said, even with my own kids, see that more and more that applications, some are homegrown, some are third party, login and password for everything. And a lot more of the applications now accept pictures and documents and it makes them ripe for, like you said, injection attacks for malware coming in via an uploaded document, all those sorts of things.
[Richard Wallace]
Yeah. And I've talked about how easy it is to do DDoS attacks. WAF, a web application is also there's a Linux distribution called Kali Linux that, again, it was designed to do penetration testing for good, but it's also been used for bad.
But there's tools that are built into that, that once you install it, you have access to it, that I can have it scan a website and it'll tell me all the potential vulnerabilities. And then I can kind of go in and do some cool attacks that way, if I wanted to.
[Anthony Jimenez]
Thanks for listening. Thank you to our guests, Rob and Richard. Don't forget to like, comment and subscribe to Carahcast and be sure to listen to our other discussions.
If you'd like more information on how Vercara, a DigiCert company, can assist your organization, please visit www.Carahsoft.com or email us at Vercara@Carahsoft.com. Thanks again for listening and have a great day.