How strong is the UG’s cybersecurity?
Hackers are upon us
Hundreds of staff members were locked out of their accounts last Tuesday. On Wednesday, the same went for even more students. They were not able to access their UG account until they reset their passwords. They may have grunted and moped. They will probably do so even more, because two-factor authentication is coming. Soon, students and staff will no longer be able to log into their account by just clicking the preset passwords that haven’t changed in years.
But it’s the only way, says CIT director Ronald Stolk.
More than one year has passed since the University of Maastricht had to pay a ransom of 30 bitcoin – then 200,000 euros – to Russian hackers. For two months, they had been in the system, carefully placing their ransomware until they finally struck and took all university computers hostage. Including the backups.
This spring, the Dutch Research Council (NWO) was hacked, too. The process of awarding grants to Dutch researchers was delayed for months. The University of Amsterdam, too, faced work interruptions due to hackers, and the privacy-sensitive data of the municipality of Hof van Twente was held hostage for days.
These events might sound like isolated and precise attacks, but they are just the tip of the iceberg: institutions, companies and organisations are under constant threat from cyber criminals. And the UG is one of them.
Cyber criminality is becoming an easy and successful business
Director of the CIT and CIO of the university Ronald Stolk says the problem of hackers is real and important. Attacks are increasing in number and complexity. ‘We are always under threat’, he says. ‘Cyber criminality is becoming an easy and successful business. You just need to find a small hole into the systems to be able to cause irreparable damage and have high revenues.’
Such a hole could be anything, like a weak spot in some software. ‘We had a problem with Microsoft Office, an acute security issue. An emergency patch had to be applied. Nothing happened, but that problem – if not detected – could have been an open door to cyber criminals.’
However, the daily users of UG systems – like students or staff – might be even more dangerous. ‘In the case of the University of Maastricht, someone simply fell for a phishing email. Cyber criminals were then able to access the university system and install malware. They slowly crawled up to the administrative level and then it was too late to act’, Stolk says.
Hof van Twente had a similar situation. A staff member used the password ‘Welkom2020’ to access his account. With a downright disaster as a consequence.
The hackers’ goal is to breach the system and reach the administrative level in the shortest time possible. Once there, they take control of the core of an institution, and can access, publish, or delete data. They often install ransomware, which can block access unless a ransom is paid.
Some criminals aim to steal knowledge
But others don’t care for the money as such. The UG has to tackle intelligence threats too, Stolk says. ‘Besides personal data, we hold a great amount of valuable information in our research. Some criminals aim to steal knowledge and either use it for their publications or sell it to those interested.’
These attacks are way subtler, because the hackers don’t try to block or tamper with the system. They watch, unnoticed, and strike and leave as fast as possible.
There have been attacks, says Sander van Lien from CIT. However, even revealing information about it remains risky. ‘The university prefers not to share this sensitive data’, he says.
What he can say is that there are phishing emails around and there’s always the risk of some staff member unknowingly clicking on one. And when that happens, CIT has to work hard to keep the threat out.
The situation is ‘delicate’, Stolk says. However, he is confident too. ‘Our level of cyber security is fairly good. Considering the numerous dangers we faced and still face daily, and the fact that none of them hit the UG with success, we can say that we are doing a good job.’
However, there is no one solution to prevent attacks. Hackers will always find new ways to crack codes. The UG-wide password change – where both students and staff members were invited to change their eight-character password to one of at least fourteen characters – was only the first step. ‘It is a small action, but it is the best thing a single person can do to enhance cyber security effectively’, Stolk says.
And there is more to come. Multi-factor authentication (MFA) should be fully in place by July, and students and staff will need another way to access their accounts apart from their passwords. The Google Authenticator app on mobile phones is the preferred choice within the project. A token or another device can also be used.
About time, says computer science, intelligence systems and visualisation master student Daan Opheikens (26). ‘I consider single login access to be one of the greatest weaknesses in our system. MFA is a must, everyone has it.’
A lengthening of a few characters makes a huge difference
He’s also happy with the ‘stronger password’ policy. ‘A simple lengthening of the password of a few characters can make a huge difference.’
An eight-character password using upper- and lower-case letters and numbers takes two hundred trillion guesses to exhaust. But a computer can make 100 billion guesses per second, so it will crack it in about half an hour. ‘But a twelve-character one would already require ten thousand years to be calculated.’
Chemistry PhD student Stefano Poli (27) looks at the situation less technically. ‘I agree with the improvement in security’, he says. ‘But a fourteen-character long password can be quite impractical.’
Typing the whole password all the time can be super annoying. Stefano suggests diversification of passwords, at least for the one simply used to access Windows. ‘I am happy with the improvements, but it could be done more effectively. Who would come physically to hack the computer in my office?’
Chances of physical hacks are indeed lower, but certainly not negligible, stresses Ronald Stolk. He also shares a tip to overcome the impracticality of a long password: ‘Use a passphrase, instead of a password. That would be easier to remember and to type.’
The UG is also refining its existing zoning procedure, which breaks the internal network up into different zones, like the rooms of a house divided by doors and corridors. In case of a cyber attack, criminals would have difficulty moving from one zone to another and would struggle to get through the several doors.
Another fundamental measure is collaboration among institutions. Under the umbrella of CIT organisation SURF, fourteen universities collaborate with academic hospitals and other institutions and colleges of higher education.
Be careful with your passwords and be prudent on what you click on
This partnership is essential, says Remco Poortinga, team lead of security and privacy at SURF. ‘It is crucial to do prevention and to share information to help each other.’
In the SURF network, universities share information on potential threats and threats they’ve already faced. It also provides support in case of security accidents. Moreover, a security organisation centre monitors cyber threats, possible attacks, and break-ins.
Every year, SURF also organises a ‘fire drill’ for cyber security called OZON, during which institutes’ representatives learn how to react to a cyber crisis.
‘The last one was in March’, Stolk says. He was quite satisfied with the results. ‘Our team was prepared, both on a technical and organisational level.’ The exercise revealed several learning points nonetheless. One was the need for improvements in the way the crisis team communicates during an attack. And yes, there were also technical points that need to be fixed. However, Stolk would rather not elaborate. ‘In order not to make the hackers any wiser.’
Sleeping easy wouldn’t be smart, he says. ‘I encourage everyone to change and be careful with their passwords and be prudent on what they click on. One small error can compromise more than you might think.’