Wargaming at Exeter helps keep the university battle ready

Alan Hill of the University of Exeter says more universities need to understand who is targeting them and why in order to improve their cybersecurity defenses and incident response.

Alan Hill, chief information and digital officer, University of Exeter; CIO UK Summit, London [2019]

Higher education institutions in the UK are increasing efforts to better secure their systems and protect students while becoming more digitised, but they have a long way to go. Lancaster University, the University of York, the University of South Wales and Greenwich University have all suffered incidents in recent years, while industry reports suggest most higher education institutions are too easily compromised.

Speaking at the CIO UK 2019 CIO Summit in London, Alan Hill, chief information and digital officer at the University of Exeter, discussed the need for UK universities to be better prepared to respond to cyber incidents, especially those affecting their valuable and often nationally important research data.

Exeter University secures its “digital wrap”

With around 22,000 students and 4,500 staff across its four campuses, Exeter University is responsible for around 7% of employment in the city. It is a Russell Group university noted for its research and is rated as one of the top 10 in the country by the Guardian.

Hill joined Exeter three years ago in early 2016 after a career in the UK military, including serving in the British Army as its Head of Information Superiority – Deputy CIO (the de facto CIO, as you have to be a General to hold a CxO title) – and then as Head of Operate and Defend at the MoD. As the university doesn’t have a CSO, Hill is responsible for both delivering and securing its digital services and infrastructure.

While education doesn’t perhaps share the same goals as commercial entities, universities do share some of the same challenges. Brand and reputation are key to attracting research grants and to convincing students, whom Hill describes as Exeter’s customers, to attend the university.

“We don't do sales as it were,” Hill says, “but league tables are very important for student recruitment and league tables are very important for research income. These are the kind of markers that you will be looking up to make a judgement on a decision as to whether you enroll at the university or not.”

“They're all paying £9,000 or more per year for tuition; they are customers. As am I, as a parent – my son is at Cardiff University – and I expect them to deliver on what they promised. As I remind the Cardiff CIO quite regularly.”

While Hill says the university values face-to-face teaching, it’s important to put what he calls a “digital wrap” around that as part of delivering robust and secure services for those student customers. As an example, one of these critical digital services is the university’s collaborative learning environment.

All lectures are recorded and made available to watch at a later date through the learning environment. Hill says last year the system had 650,000 views of video content, which, when tied to attendance analytics, shows students are going to lectures and then reviewing the content later as well. As a core part of the learning experience, ensuring that system and others like it are secure and robust is important to the university.

“The university is a business,” Hill says. “We are under threat, and we need good defenses, and we need to prepare for when it is going to happen.”

Research is the crown jewels 

The university was awarded some £76 million in research grants according to recent public statements, and research is a key part of Exeter’s operations and therefore a security imperative. Hill has previously told CSO’s sister site CIO that being an early adopter of the UK’s National Cyber Security Centre’s (NCSC’s) Cyber Essentials accreditation helps Exeter win research grants from the Ministry of Defence and critical national infrastructure organisations.

“Our strength around the environments and economic issues around that, climate change, astrophysics, medical school activity, [is] really fantastic stuff,” Hill says. “The Exeter IT team contribute to the discovery of atmospheres in exoplanets 200 light years away. They support research into dementia in the over 50s. We have to protect that because all that research data is really valuable.”

“If it's publicly funded research, or coming from the UK government, you have to make that data available, but you don't do that for two, three or four years until you then publish,” says Hill. “Within that time, you need to protect your data and get as much value as you possibly can. We've got intellectual property tied up in this which is income and patents, and we do research for critical national infrastructure, so suddenly research data is not just about standard storage.”

However, that research has become a choice target for state-sponsored actors. China has long been known for its efforts around stealing high-value research and intellectual property (IP) from a broad range of organizations, while other actors are known to target higher education. Groups linked to Iran’s Islamic Revolutionary Guard Corps (though there may also be a Russian influence) are accused of conducting what the US Department of Justice has called a “massive and brazen cyber-assault on the computer systems of hundreds of universities” that saw terabytes of information stolen from universities across the world, including a number in the UK.

“This is about security and planning for attacks in order to protect the crown jewels of the university, which is its research data that generates patents. That generates intellectual property. That engenders stuff at critical national infrastructure,” says Hill. “It's a real threat on our research data, this is fact. We can assume now in the sector that our research has all been copied.”

Hill says under that assumption, the university is now looking more at the dark web for both stolen credentials and stolen research. That allows the university to be aware of compromises before they can be sold and exploited.

“That is what is important; to be able to react far quicker than we could ever do [before] and to spot any of my research data or sensitive data that is for sale there in order that I can help contain the breach,” Hill says. “If you've lost it, you've lost it, but don't let the exploitation [happen] and prevent it as quickly as you can.”

The NCSC has published information outlining key threats to universities and the types of information threat actors are likely to target, as well as information in conjunction with the Centre for the Protection of National Infrastructure (CPNI) about how to better secure research data, which Hill describes as a “really welcome addition.”

Wargames at Exeter University

As part of its efforts to be prepared and to respond better to threats and incidents, Exeter conducts regular wargames and simulations to test its reaction time and capabilities. As part of his preparation, Hill has to identify what he calls his “high-value targets” and understand who is attacking the university and why.

“If somebody is looking at us in the university, who are our high-value targets? The professors researching into graphene, for example, are high-value targets,” says Hill. “Those professors who are doing research into anything related to the Ministry of Defence are all high-value targets, and how I treat them and the wrap I need to put around them and the security I need is a step the university sector has not had to do before.”

“Start by browsing your website from the outside as if you were just a citizen and start looking as if you were after something,” Hill advises. “Then look at it from the inside as well. If you've lost some credentials, what can you do once you get in? What do we actually look like to the attacker?”

While the Iran/Russia example was a state actor going after research, criminals may want to steal student records for financial gain, while distributed denial-of-service (DDoS) attacks could easily be politically motivated or carried out by bored students. Jisc – a non-profit that provides digital services to education institutions – recorded over 1,000 attempted DDoS attacks against 241 education institutions in 2018, and a number of universities including the Stevens Institute of Technology, Monroe College, University College London, and the University of Calgary have all suffered ransomware attacks in recent years. Exeter’s wargames include similar scenarios around ransomware and denial-of-service attacks.

“You need to understand the capabilities that can be rained upon us – the routes in, why they are doing it, the techniques used,” says Hill. “Theft of information, theft of research data, theft of credentials, reputational damage as a result of that, and how that is then subsequently exploited in second- and third-order phases of operations, and how are we going to respond to that? There is a really important part now of doing the estimate about what it looks like inside out to the attacker.”

Hill says the wargames involve potential cyber-incident scenarios based on events from the news, attacks that may have happened elsewhere in the industry, and the university’s own assessments of who may attack it and what their goals are. “Plan those scenarios; understand what the attacker’s intent might be. Is their intent to damage your reputation, steal credentials? What are you going to do in that scenario?” he says.

“Let's say I don't have 24/7 security cover. So what? That means if an event happens outside of hours my reaction time is potentially slower. So what? That could cause massive disruption. So what? You keep doing that until you work out what you're going to do, and you add those into your courses of action. Then draft out the response plan.”

Hill says that response plan should include tasks for everyone – individuals, executives, business leads, and the IT team – and should then be tested and rehearsed repeatedly. “Once you've got that draft plan, start looking around the business and have that discussion. Put them around the table and walk through the event, stage by stage, step by step by step. Go through and practice losing the phone lines, or losing the student database, or losing your website. This discipline is something that is really important.”

One example could be the telephones going down. If IT says it would take two hours to fix, what impact would that have right in the middle of student recruiting? How would you contact key stakeholders? If they are unavailable, who do you contact in their place? “You work that through to the minutiae detail, and then you take all that information back in and amend your plan.”

Though Hill refers to a quote from German General Helmuth von Moltke, “No plan of operations extends with any certainty beyond the first contact with the main hostile force,” he says that’s no excuse not to have a plan.

“You must plan and rehearse these responses; I can't overstate that enough,” he says. “No matter how good your planning is, you can do 100 plans and responses and something will happen which doesn't fit that, but because you've rehearsed it, because you've thought it through and done it in that way, you're going to respond far more effectively.”

One such scenario the university went through was the website being hijacked by ransomware, which was actually a smokescreen to distract IT while attackers sent through phishing emails designed to harvest credentials and eventually exploit the financial details of students. “We learned so much out of that. We learnt that we didn't realise how much traffic goes through our website, how many services and how much activity, how reliant we are on that website, and how long it takes to get a website back up if you're not completely in the cloud with full disaster recovery, and so on, so forth.”

“They all became really important learning points for us. Lo and behold, a month later, what happened? We lost the website for 24 hours. Not, thankfully, through ransomware, but our response was far, far better,” says Hill.

Security a work in progress

While Hill says that communication and collaboration in the higher education space is better than in other industries, he also admits security was until recently not at the forefront of priorities and still requires work. “I think we work potentially in the sector far more collaboratively with other IT directors and CIOs [compared to other industries],” he says, “and therefore we've got a broader view than just Exeter on its own. Within the higher education sector I think we're pretty well set up for this. We operate pretty well and do share quite openly when one organization has had a particular problem, and we will go and help others.”

There are also increasing efforts to improve security sector-wide from a technology point of view. The Janet Network, the national research and education network provided by Jisc, is putting more effort into controlling denial-of-service attacks. Exeter is a heavy Splunk user for its security monitoring, and Jisc is now offering Splunk services across the UK education sector, which, when combined with a more open approach to sharing information, can help make more education institutions aware of potential threats.

“That multiplies forming greater than the sum of the parts is really important,” says Hill. “So, schools, who could never afford technology like that nor have the expertise or headcount to operate it can start to benefit from something sector wide.”
