Published on March 19th, 2021
How a cyber attack shut a college
FE Week tells the inside story of the cyber attack that shut down one of Birmingham’s major colleges, and finds out what others can do to protect themselves from similar threats.
At around 3am last Saturday, an alert rang out around South and City College Birmingham’s key staff and managers that the server had crashed.
The news reached principal Mike Hopkins later that morning, while he was training to cycle this year’s Tour de France for the charity Cure Leukaemia.
“We went in to find out what’s going on, to see all hell was breaking loose,” he told FE Week. He called it a “very high-level, automated” attack, committed through an unknown “backdoor” into their system. The college believes it had something to do with administrator’s rights.
The hack was what is known as a ransomware attack – where criminals restrict access to computer services until the victim pays up – as it “effectively encrypted all our systems and files, everything”.
This meant staff could not access services such as human resources and finance, so: “We’ve had to adopt alternative arrangements of systems to raise orders, pay bills, etc.”
However, it has not affected the college’s banking, and payroll has been adapted. No ransom has been demanded yet, but Hopkins has been told the perpetrators usually demand £2 million in the cryptocurrency Bitcoin.
One of the first things they had to do was secure their computers from being infected, as “turning one on would have caused real difficulty”.
SCCB is one of the biggest colleges in England, with eight campuses and centres across Birmingham, so it was a “weekend’s job,” Mike said, of staff racing around unplugging every machine.
Apart from that, there was “nothing at all we could do but shut down the college”.
Without access to emails, social media was relied on to get the word out for its 13,000 students to not come to lessons on Monday morning and to stay at home for a week.
1/3 TEMPORARY CAMPUS CLOSURES: The college has suffered a major ransomware attack on our IT system, which has disabled many of our core systems. Our campus buildings will therefore be CLOSED TO STUDENTS for a week from Monday 15 March to allow our IT specialists to fix the issue.
– @southandcitycol (@southandcitycol) March 13, 2021
Online provision has been able to continue as the college can access Microsoft programmes such as Office and Teams, and now their emails.
This week, the college has called in IT security specialists IP Performance and education technology experts Jisc to establish what has happened.
Action Fraud, the National Cyber Security Centre, the Information Commissioner’s Office and funding bodies have also been contacted.
The college is still not entirely sure how the hackers got in, and whether any information has been stolen. “The key to begin with,” Mike said, “is making sure we get to the bottom of exactly what they’ve done where they have got into, and that you don’t leave a backdoor in”.
“It’s an absolute pain in the backside with Covid”
From Thursday, a number of students came back on to campus, including those on practical programmes, those who cannot access IT due to a language barrier and some vulnerable learners.
A full return to face-to-face provision may not happen for many weeks, Hopkins warned. The college is continuing to give students laptops and internet dongles to rent but will be increasing the numbers of students back each week.
Hopkins praised neighbouring Birmingham Metropolitan College (BMet) for allowing SCCB to use its facilities for accountancy exams scheduled for this week.
“If anybody thinks that colleges can’t and don’t work collaboratively, here is one of the best examples you can possibly get that we do.”
Hopkins is not sure when his college will return to “normal,” as having asked this question on Tuesday, he was told “how long is a piece of string?”
Firstly, the college has to establish what has happened, and each of their “tens of thousands” of machines has to be checked for infection – this first stage is expected to take until Easter.
“It’s an absolute pain in the backside with Covid,” Hopkins said, and their onsite coronavirus testing centre had to be put on hold and students were instead sent testing kits to use at home.
However, as an experienced college leader, Hopkins refuses to be intimidated by the attack: “I have this fundamental view there’s no such thing as insurmountable problems.”
One downside is “I’m not sure there is anything to be learned from it,” Mike said, as after having analysed attacks at other institutions “we thought we’d done everything that we could”.
“But you can’t stop everything because the very nature of the college is that we’ve got, like most colleges, an array where our staff and students can access their user areas remotely.” He did, though, believe this attack was “different”, owing to the possible use of administrator’s rights.
“Covid, in some sense, has helped us because there has already been that massive shock to the system, so people are used to dealing with difference and are certainly used to working at home.”
Colleges “sometimes don’t have a clue about their IT systems”
While Hopkins and his team were able to act quickly on their breach, other colleges have in the past been caught quite unprepared for a possible cyber attack.
Eighty per cent of further/higher education institutions identified a cyber security breach or attack in 2019, according to figures published by the Department for Digital, Culture, Media and Sport.
Stefan Drew, a marketing consultant to colleges, with experience working on related IT systems, cites one college he worked with where the staff did not know where their server was: not IT, not marketing and not the web developer.
“I actually found it, in the end, in a basement of the college on a table. It was above the line where it had flooded a month or two before.
“That shows you how, really, people don’t have a clue what’s happening in their IT systems sometimes.”
He puts this under-preparedness down to a lack of knowledge and accountability for colleges’ computer systems.
For instance, there is a “naivety” among colleges that think they would be better off designing a website in-house, rather than commissioning a dedicated company.
So, “when somebody in the college designs this bit of software, with no experience whatsoever, it’s designed with all the individual’s idiosyncrasies. If they leave, someone looks at it and says: ‘I haven’t got a clue what they did with this, let’s start again’.”
Meanwhile, a website designed by professional developers will be regularly tested, including by so-called ethical hackers – who attempt to break into cyber systems to help inform the owner and others.
The plug-ins on a website, of which enquiry forms are examples, are also tested; but Drew warns that if these are not regularly updated after being installed, they can be used as a backdoor into a website.
“If you’ve got a backdoor into the website, the next question I ask is, what does that website connect to, and can that be a backdoor into other systems?”
Gathering data from the management information systems (MIS) is one risk he raises.
A good example he found was where a college’s website could read the MIS system, but as “read-only”, so information cannot be sent out of the system.
Outdated software can also be a problem once a system has been hacked: another college Drew worked with was using a little-used content management system for its website, for which he could only find seven developers that could help if things went wrong. This means that the college “is over a barrel” paying for help if the website breaks.
Plus, the system could be easier to hack into as it would be tested less frequently. Furthermore, if servers are not backed up “regularly”, he says, the data could become corrupted, or recent data could be lost if a back-up from before it was inputted needs to be used.
Drew recommends colleges have a process for checking their IT systems and for ensuring that process works as well.
Penetration testing, where companies are hired to try and hack into systems on a regular basis, is also recommended as although it is “not that cheap, it’s cheaper than having some hacker get in and hold the college to ransom”.
Ten tips to avoid cyber attacks
To help colleges avoid falling victim to hackers, FE Week asked Midlands-based IT experts Infuse Technology for their top tips on preventing cyber attacks…
1. Define a starter process
Ensure that the appropriate and necessary permissions are granted for new employees and foster a culture of information security awareness.
2. Define a leaver process
This should include removal of all access rights in a timely manner for departing employees, including cloud access.
3. Patch your servers and PCs
“Patching” repairs a vulnerability or a flaw that is identified after the release of an application or software – patches are intended to fix bugs or flaws that create security vulnerabilities.
4. Two-factor authorisation (2FA)
Two-factor or multi-factor authentication requires users to provide a secondary form of verification in addition to a primary form, such as a fingerprint or one-time passcode, before accessing accounts.
5. Implement an effective disaster recovery strategy
Failure to prepare for the worst can lead to irreversible damage.
6. Utilise device management to safeguard sensitive data
Limiting access to devices that hold sensitive data can reduce the risk of a cyber attack. As part of this, appropriate staff training and preventative measures should be put in place.
7. Review data storage
Whether your data is stored manually on premises, or stored digitally in the cloud, ensure employees are storing and sharing data in a secure, confidential way.
8. Remove generic accounts
Eradicate generic accounts whereby the password does not change, or multiple users have access.
9. Minimise access privileges to data
Review who holds login privileges, ensuring access is only granted to those who require it as a necessity.
10. Defend your email
Ninety-five per cent of threats infiltrate systems via email – one of the best defences in minimising such threats is by educating staff, ensuring they select strong passwords and know how to spot the signs of a phishing attack.