Case Study: Ransomware fears drove cyber security investments at Flinders University

“We were sitting ducks.” That was the blunt and direct assessment about the risk to Flinders University from ransomware that chief information security officer Kim Valois gave to her board shortly after she took up the role.

The previous year another Australian university, ANU, was hit by a sophisticated attack initiated by a nation-state actor, an event that provided a wake-up call to Australia’s university sector, she told Digital Nation Australia. 

ANU published a very detailed account of the attack, however, it did not, and has not subsequently attributed the attack to a nation-state actor. Media reports at the time quoted unnamed intelligence community sources attributing the attack to China.

• Subscribe to Digital Nation Australia's twice-weekly newsletter

Now, after a very significant investment in new systems, and after inculcating the university’s cybersecurity team with a zero-trust mindset, Valois says her team has the tools to respond to attacks that will inevitably come.

Valois’ views about ransomware were reinforced after attending a briefing with a colleague on industry threats which convinced her things had to change.

At the briefing, she says, they learned about the rise of ransomware operators, or what the cyber security industry has taken to calling the big game hunters.
 

“Big game hunters refer to criminal gangs and ransomware operators that are out for big attacks, big payouts. They know their job really well, they get into your infrastructure, and they are looking for a big payout.”

“The rise of the ransomware gangs required us to do different things in terms of protecting the university's infrastructure."

In the year since that briefing, ransomware crossed a kind of threshold, as criminal gangs, often with formal and informal links to national governments, accelerated their attacks on critical infrastructure.

“We've seen a number of universities hit by ransomware attacks. And so although ransomware attacks seem to hit, you know, the large supply chains late last year, in the USA, I read utilities we had here in Australia at all got hit a couple of times with attacks last year, these things really put this on the forefront. It's not just happening overseas, it's also happening here.”

Universities are an especially attractive target firstly due to the use amount of personal information they handle, but also because of the deep links into the business community through industry collaboration.

“We’ve changed our view of how we protect against these things.”

With over 26000 students and another 2300 staff accessing university systems, Valois says, “We now know that we can't be cavalier about that. Any access that a bad guy has can do us harm. We have to look at those small elements.”

“And that's why things like multifactor authentication are so important. It doesn't protect against everything, but it buys us time."

Amplified risks

The dramatic acceleration towards remote work and remote education due to the pandemic only amplified the risks.

According to Valois, as staff and students bunkered down at home in response to government lockdowns, “We had a whole heap of different types of challenges and problems.”  

Perhaps the bluntest was that students and staff would all now be accessing the university using whatever PC or laptop they had at home.  

That is especially problematic given how most incursions occur.

The most recent quarterly report from Coveware, a Norwalk, Connecticut based business that provides analytic, monitoring and alerting tools to help companies prevent ransomware incidents, reveals that weakly configured Remote Desktop access (RDP) and email phishing remain the primary methods of initial ingress to corporate networks.

For Valois and her team, the world of almost entirely remote working created a very practical set of questions. “How do we ensure that they are able to log in safely and securely into our enterprise when that happens? And how do we make sure bad guys don't take advantage of it.”

Valois says that in some ways the pandemic just accelerated the shift to remote working, a business need that was already on the rise.

New boundaries

The boundaries of organisations have been changing for some time, from physical boundaries that have guards and gates into virtual boundaries defined by IT networks and systems.

“The boundary today is the people,” says Valois who is reminded of this constantly by the message she wrote on her own whiteboard, “The boundary is wherever our people go.”

That new reality demanded a mindset adjustment which has also led the university to operate more along zero trust principles, a concept Valois concedes feels buzzwordy, but which she also necessary.

“Technically zero trust is, ‘I'm not going to trust anyone, I'm going to require them to demonstrate to me that they are authorised or are worthy of my trust.”

Open by design

For Valois who was doing defence work before joining the university, the mindset shift may not have been too challenging, but for others, in the academic setting, it could well have felt like an assault on orthodoxy. 

“This is a really interesting concept for a university. I literally parachuted into an area where my mantra every single day for months was ‘the University is open and diverse by nature.’

"I had to remind myself it's [that way] by design, that things can be shared. [That was] after coming from an environment where, by design, things are set up not to be shared. And they're set up to be secured or segregated. “

Valois likens zero trust to a world of not knowing.

“We can't see the person that is stepping into the office. We hope that the person that's logging in with their user ID and their password is who they say they are. We hope that their laptop hasn't fallen into the wrong hands or that their smartphone hasn‘t fallen into the wrong hands. We hope that someone hasn't intercepted their communications and inserted themselves in the middle where we hope they aren't syphoning off all the data. "

For the cybersecurity team that meant finding technology that can identify when these things are happening. 

To tackle the problem Flinders University has invested what Valois describes as “a six-figure dollar amount plus more’ over the last year uplifting its security controls.

Key to that strategy was an investment in a solution from Crowdstrike, a California based cybersecurity business that provides cloud workload and endpoint security, threat intelligence, and cyberattack response services.

“That's a huge investment that we took to our board, and asked them to fund.”

Asked by the board how she believed the university needed to prepare she says she advised them, “We need a really good tool on our endpoints that can recognise and stop it in its tracks”

“Putting that in place and making it work for us was a huge game-changer for us,” she says.

"We know some people that are pretty close to us in terms of industries [who] have the same tool. And they've actually since seen attacks halted. We ourselves have seen an attack halted recently."
 

Resistance

But it was not always an easy row to hoe.

“[There was] huge resistance within our business. A lot of people who had been here a long time thought it was going to be too much work for them, it was going to be difficult.”

She praises the work of the project manager and the technical team but also acknowledges that it took a lot longer to deploy than she originally hoped. 

It took about three months. It is probably a solution that could have been put in place for one [month]. But we had a lot of people who were afraid it was going to break something. So we had to do things by steps, and make sure [we] demonstrated it didn't. But the protection it gives us is huge.”

There is still more to be done, she says.

“We will probably have the third year of that maturing next year. It's a very deliberate program to look at our risks and be able to choose the correct things to invest in, to be able to improve, but it's all-around visibility.”

Clarification: An earlier version of this story incorrectly described the ANU attack as a ransomware attack. It was not.