White-hat penetration tests carried out on the online infrastructure of UK universities had a 100 percent success rate, with every test gaining access within two hours.
The tests were carried out on behalf of the Higher Education Policy Institute (HEPI) and Jisc, the organisation that provides internet services to UK universities. Penetration testing was done on over 50 universities, all of which failed.
Their report found that: “Alarmingly, when using spear phishing as part of its penetration testing service, Jisc has a 100 per cent track record of gaining access to a higher education institution’s high value data within two hours.”
Third level educational facilities and organisations hold extremely sensitive data belonging to their students, staff and organisations engaged in research projects on campus. This data can range from staff and students’ medical, financial and location data, to the intellectual property of companies.
UK Universities Hacked
The report states that: “In the spring of 2018, Jisc surveyed university information technology and security staff to better understand their security position. The results demonstrate that perceptions of cyber-security protection are fairly negative.”
That survey notes that only 15 percent of higher education IT and security staff believed that their organisation was well protected. A host of reasons were cited for the low scores such as a lack of dedicated staff, budget constraints, lack of policies and suggestions that “senior leaders are not taking the issue seriously enough.”
Adrian Taylor, CTO of ITC Secure told Computer Business Review in an emailed statement that: “Academic networks have long been a target for malicious actors for several reasons, the two most prominent being that they tend to have huge bandwidth to the internet, which is super handy if you happen to be running a DDoS farm and can gain control of a server or two to run one of your bots.”
“They often run cutting-edge technology or configurations far in advance of a typical enterprise risk appetite – for example most universities had IPv6 in production long before enterprises were even considering the benefits.”
“This has been the case for years, but as Universities are partnering with commercial institutions to carry out research with potentially very sensitive implications – think pharmaceuticals or environmental / geopolitical – then their attraction for bad actors becomes greater and greater.”
“Ironically, of course, some of the most valuable research into cyber security comes from these self-same institutions, so it’s not as if they don’t have the skills or capabilities to secure their own estate.”