In: Computer Science
An Emerging Threat: Ransomware
The attack, expertly planned, was insidious. For six weeks or more,
cybercriminals purportedly from either North Korea or Russia wormed
their way into Monroe College’s computer systems, maneuvering
undetected as they sought out weak points. Then, in July 2019, they
pounced. Using an IT staffer’s pilfered password across platforms,
hackers infected every server on Monroe’s two New York City-area
campuses with a virus, effectively locking down administrative
files, email, learning management systems, and website. “The
college was a big house we were all locked out of,” says Marc
Jerome, president of Monroe, a for-profit institution with 8,000
students. What’s more, as the campus reeled, hackers held Monroe’s
tech infrastructure for ransom. They would restore it, they told
the college’s leaders, in exchange for the Bitcoin equivalent of
$1.6 million.
As Monroe students became instantly reacquainted with turning in
assignments on paper, campus officials sprang into action, working
feverishly to restore damaged systems. But without a policy for
dealing with such attacks, Monroe was faced with few choices. After
a couple weeks of failed attempts to use backup systems (which had
also been infected) and with little hope of restoring its online
presence, college officials decided to contact the college’s
insurance company, as well as hire a law firm and a tech expert to
negotiate with the attackers. In the end, Monroe paid them a
considerably lesser sum than had been demanded in order to obtain
the
decryption keys needed to eliminate the virus and bring the
campus’s tech services back online. Monroe had been victimized by a
ransomware attack — and it isn’t the only college that has had to
face off with international criminal enterprises that have
perpetrated such disruptions in recent years. Most attacks start
with “phishing” expeditions. Cybercriminals send virus-carrying
emails in the hope that someone at a college — a professor, a staff
member, a student — will open one and set in motion the virus or
malware contained therein. The virus then replicates itself
throughout a network. Some institutions have fended off ransomware
incursions with security software or with the help of enhanced
computer-safety training, while others have seen their systems
disabled and their daily operations threatened. Some have devised
policies for dealing with attacks, while others are in the process
of considering them. Several institutions report that they have
created policies but are not making them public. Doing so, they
argue, might encourage such attacks or give cybercriminals an angle
from which to start one. Such secrecy is far from rare. Many
ransomware attacks are not reported. Colleges may not want the
public to know that they have been successfully targeted. IT
experts say such reticence leads some college officials to
underestimate the threat. Because criminal enterprises, usually
originating in China, Eastern Europe, North Korea, Russia, and
Vietnam, typically demand payment in cryptocurrency to protect
their anonymity, it has proved difficult to track them down or slow
the rate of attacks. Law-enforcement agencies generally offer few
answers. The onus on preventing ransomware attacks and policing
tech systems falls on the institutions themselves. This, too, can
prove difficult, given that colleges provide faculty members and
students with wide access to their networks and content. The very
openness that many institutions point to with pride can often
become a security headache. While there is some question as to
whether the threat of ransomware at colleges and universities is
growing or flattening out, there is evidence that more higher-ed
institutions are stepping up protection. More colleges now
carry
insurance policies designed to pay them for the lost revenue and
repairs that can result from cyberattacks. Several institutions
have stepped up training of computer users and shored up security
to forestall invasive tactics. And some have invited outside
experts to look for potential vulnerabilities in their systems.
Facing their seemingly built-in disadvantages, many colleges are
devising policies that will make their campuses and systems safer,
experts say, whether by preventing attacks, dissuading criminal
enterprises from attempting them, or protecting themselves against
loss. This Trends Snapshot outlines the latest efforts.
“No-Pay” Policies
The FBI, among other law-enforcement agencies,
urges colleges to refuse to pay ransoms. Many institutions,
especially larger ones, have heeded the advice, devising a “just
say no” strategy to deter criminals and make themselves less of a
target. At the University of California at San Diego, two recent
ransomware incidents did some temporary damage. But the university
refused to cave in to demands for cash. Three years ago, the
university lost access to its data during an attack, but because it
had backed up both its data and its systems, it was able to recover
them on its own within a week. About 18 months ago, a targeted
breach centered on the work of one research faculty member. The
researcher lost some data, though the loss wasn’t considered
catastrophic. San Diego has since made strong efforts to persuade
its research faculty members to back up their data in a safe place.
The university created a website with instructions on how to do
that. It also started a separate data-management plan for
researchers to follow. Still, officials at some institutions
who
have promised never to pay criminals admit that there may be some
circumstances in which that stance becomes less absolute, such as
when students’ medical information has been stolen and a threat has
been made to publish it online. Even among institutions that have
pledged never to give in to demands, there is a belief that there
might, one day, be a particular case that offers a reason to pay
out, especially if a college lacks insurance against ransomware
attacks.
Training and Communications
At several colleges, IT staffers run
tabletop exercises for academic department members and students as
well as administrators. The goal is to learn how much they know
about the threat of ransomware, and to test their reactions to
simulated ransomware-borne denial-of-service attacks. The websites
of the University of Michigan and Pennsylvania State University
offer examples of phishing expeditions, so that students know what
to look for and how to respond. The Penn State site also includes
videos of what people on campus can do to avoid allowing ransomware
hackers to enter a system. Many colleges have gotten the word out
that, no matter how far down in the tech hierarchy staff members or
students might be, they should be on the lookout for nefarious
online schemes. A chain of communication following an attack is
also important, and has become a part of many institutions’
hacker-response strategies. Some colleges maintain an “escalation
policy” that lays out in detail which campus officials should be
contacting others, who receives certain kinds of messages, and in
what order. Colleges
have also made contingency plans for when their email is down, such
as using automated phone-calling, text alerts, and social-media
blasts to reach staff members and students when a campus system is
held hostage by ransomware.
Improving Security
Several institutions report working harder to
make their IT systems safe from attacks. At the University of
California at Berkeley, a virtual private network was created with
several safeguards. To remotely access it, Berkeley users must
authenticate their credentials to get through several firewalls.
Such measures, the university hopes, will make it much tougher for
attackers to get through. Other colleges are doing something
similar by expanding requirements that people on campus use
multifactor authentication to gain access to networks. Larger
universities frequently employ system patches, antivirus software,
and common decryption keys that can free a system from ransomware.
Others are beefing up their backup systems so they can replicate
their main systems if ransomware takes them down. Many institutions
report that they regularly test their systems against attacks. And
some have taken the step of removing their campus directories, or
at least parts of them, from webpages to make it harder for
ransomware attackers to send infected emails en masse. Still, IT
experts warn that many colleges, particularly smaller ones, aren’t
availing themselves of modern cybersecurity solutions. Tech offices
at institutions with budget trouble are especially vulnerable —
something that could intensify as Covid-19 forces colleges to cut
costs further, including by eliminating some security
personnel.
Insurance
While not protecting institutions against attacks,
insurance policies typically can offer institutions a way back
after one. After a college uses money from an insurance claim to
pay off ransom demands, attackers usually remove the virus, freeing
up an institution’s network. By law, if an insurance policy covers
damage by
ransomware, insurers must respond to a college’s claim, even if
that means paying it for damages. Cyber insurance companies have
mushroomed in the past decade, according to one IT expert, who adds
that more than $2 billion has been paid out in ransomware claims of
all types (including colleges) in recent years. Purchasing a cyber
insurance policy is the most common way colleges deal with possible
ransomware, according to a survey of chief information officers and
chief information security officers conducted by the Leadership
Board of CIOs (LBCIO). The survey also found that 76 percent of
higher-ed institutions now carry insurance against ransomware
disruptions, up from 63 percent in 2018. Though such policies can
offer a way out of danger, some experts worry that they also bring
some peril. Cyberattackers who learn that an institution is insured
might see it as a better opportunity. Buying insurance presents
other caveats as well. For one, there is no guarantee that paying a
ransom will result in the full return of an IT system. Colleges
that negotiate with criminal enterprises are relying on them to be
honest about the delivery of decryption keys, or the extent to
which such keys will actually restore control of their original
systems.
Outside Audits
While most colleges rely on their chief
information officers and chief information security officers to
make the technical calls to fend off ransomware attacks, some have
opted to invite outside experts to assess their systems or provide
continuing oversight. While on-campus professionals can develop
plans and policies that make it harder for cybercriminals to
commandeer a college’s computing and data systems, issues of campus
culture can prevent those officials from creating and enforcing
rules on how faculty and staff members and students should behave
online. Some CIOs are regularly frustrated by faculty members who
download unsafe software or who don’t report such actions to the IT
office. Having an outside check on the system can lead to stronger,
more enforceable policies, some college leaders believe. Outside
experts can feel freer to monitor weak points in a system and make
suggestions as to how to keep stakeholders in line with IT-security
goals. In the past decade, the proportion of college-IT officials
who have contracted with outside tech auditors has grown from 55
percent to 71 percent, according to the LBCIO survey. Among those
institutions now planning to make third-party IT audits a regular
part of their security regimen is Monroe College, which will soon
retain an outside vendor in the hope that it can avoid the
embarrassment and expense it suffered one year ago.
1. You are a consultant in charge of creating a Business
Continuity Plan (BCP) for UALR. Based on the article, what will be
your focus, given the prevalence of cyber-attacks at institutions
of education? Identify an area that you will focus on to prevent
ransomware attacks and devise a plan so that when an attack happens
you have a strategy to recover. Explain the reason for focusing on
this area, and explain why that area is important to institutions
of education such as UALR. (30 points)
2. Using paper-and-pen technology to store records and document
processes poses threats to Personally Identifiable Information
(PII). Identify 2 examples of PII and use the template below to
perform a risk assessment of the PII stored by institutions of
education such as UALR. Using the template provided, evaluate and
assess threats, vulnerabilities, risks, and Maximum Tolerable
Downtime (how long this PII may be inaccessible). (40 points)
Threats: What an organization is defending itself against, e.g.
natural disasters or man-made disasters.
Vulnerabilities: The gaps or weaknesses in the IT infrastructure
that undermine an organization’s IT security efforts, e.g. a
firewall flaw that lets hackers into a network, lack of employee
training, an ineffective BCP, flawed processes, etc.
Risks: A calculated assessment of potential threats to an
organization’s security and disruption of operations, and of the
vulnerabilities within its information systems infrastructure.
Risk Assessment Template
Type of PII | Threats | Vulnerabilities | Risks | MTD
3. Based on your risk assessment and recommended Maximum Tolerable
Downtime (MTD), make a recommendation for a Recovery Time Objective
(RTO) and an alternate processing site (cold, hot, warm, or mobile)
to achieve the RTO. Explain why you selected that alternate
processing site.
Solution: The area that I will focus on to prevent ransomware attacks is finance & administration. Users who are local administrators can knowingly and unknowingly make modifications to their system that permit malware to get deep within the operating system. Even worse than making a user a local administrator is adding the Domain Users group to the Administrators group on the local computer. Not only does the user have system-level access to their device now, but they also have system-level access to all computers on your network. Make certain you remove regular user accounts from the local Administrators group. That includes your personal account. If you need administrator access, use a second login.
A recovery plan: implement a comprehensive data backup and recovery plan; implement a plan to regularly scan and test all networked devices; keep your operating systems and software up to date with new patches; isolate infected devices quickly; filter for .exe attachments in email; disable files running from AppData folders; disable Remote Desktop Protocol (RDP); protect your operating systems and apps; train your staff and test readiness for an attack; implement a comprehensive data backup and recovery plan.
Solution II
Threat: UALR has vital arrangements in place for its students’ success; likewise, it will create and integrate development and innovation into instruction to improve the student learning experience.
Vulnerabilities: They have publicly displayed their organization directory, through which phishing emails can be sent to the respective department heads.
Risks: Maybe they are using a low-cost phishing-prevention tool, which can lead to ransomware attacks.
RTO: depends upon the amount of data there is to be recovered.
MTD: if the data is on pen and paper, then the data is in the recovered state.
Cold Site: UALR has a cold site. A cold site is the most inexpensive type of backup site for an organization to operate. It does not include backed-up copies of data and information from the original location, nor does it include hardware already set up.
Hot Site: A hot site is a duplicate of the original site of the organization, typically with full computer systems as well as near-complete backups of data. Real-time synchronization between the two sites may be used to completely mirror the data environment of the original site using wide area network links and specialized software.
Warm Site: A warm site is a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites may have backups on hand, but they may not be complete or recent.
Alternate processing sites are used because they have a backup.
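As an added example (not code from the article or from the posted solution), the PowerShell script below audits one Windows machine for the local-administrator problem the solution describes: it lists members of the built-in Administrators group that are not on an allow list, flags the Domain Users group as the worst case, reports whether Remote Desktop is enabled, and removes unapproved members only when run with -Remediate. The allow list in $ApprovedAdmins is an assumed policy, not something the page states.

```powershell
# Added example: audit local admin membership and RDP state on this host.
# Requires an elevated PowerShell session; -Remediate actually removes members.
param(
    [string[]]$ApprovedAdmins = @('Administrator', 'Domain Admins'),  # assumed allow list
    [switch]$Remediate
)

$findings = @()

# Every member of the built-in Administrators group, local or domain-sourced.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # Name is "MACHINE\account" or "DOMAIN\group"; compare on the part after the backslash.
    $short = ($m.Name -split '\\')[-1]
    if ($ApprovedAdmins -notcontains $short) {
        # A group grants admin rights to everyone in it, so rate it above a single account;
        # "Domain Users" is every account in the domain, the case the solution warns about.
        $severity = if ($m.ObjectClass -eq 'Group') { 'High' } else { 'Medium' }
        if ($short -eq 'Domain Users') { $severity = 'Critical' }
        $findings += [pscustomobject]@{
            Check    = 'LocalAdminMember'
            Subject  = $m.Name
            Kind     = $m.ObjectClass
            Severity = $severity
        }
        if ($Remediate) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        }
    }
}

# Remote Desktop: fDenyTSConnections = 1 means RDP is disabled, 0 means enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $findings += [pscustomobject]@{
        Check    = 'RemoteDesktop'
        Subject  = 'fDenyTSConnections=0 (RDP enabled)'
        Kind     = 'Setting'
        Severity = 'High'
    }
}

if ($findings.Count -eq 0) {
    'No findings: Administrators group matches the allow list and RDP is disabled.'
} else {
    $findings | Sort-Object Severity | Format-Table -AutoSize
}
```

Run it first without -Remediate and review the table; the personal account the solution mentions will show up as a Medium finding, which is the cue to move to a separate admin login before removing it.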