NORMAL — Illinois State University is working to address several potential cybersecurity weaknesses identified in its most recent state audit. The changes come as universities across the country are working in a constantly evolving cybersecurity landscape.

The audit from the Illinois Auditor General identified weaknesses associated with the formal information technology policies as well as more specific issues around the management of application accounts. Released May 26, the report covers the period from June 30, 2020, to June 30, 2021.

Dan Taube, chief information security officer for the university, said ISU staff members are working to address the issues brought up in the audit, and to make continual efforts toward keeping the university’s networks safe.

Those efforts include formalizing updated IT policies, which are central to making sure all 60,000 accounts that interact with the ISU network are not becoming vulnerabilities, Taube said.

“The truth about cybersecurity is it’s everyone,” he said.

Other steps ISU has taken to address weaknesses include improving communication to delete accounts from some applications soon after an employee leaves the university or changes jobs.

Managing what accounts have access to certain data can help address the issue with measures such as limitations on what student accounts can access, FBI Springfield Computer Scientist Justin Harris said. Regular audits and control of accounts are vital, as is training the people using those accounts.

“I would say one of the most important things comes down to end-user training,” he said.

Improper management can result in accounts having access to data they should not be able to see, or accounts becoming avenues into the system for outside actors. Harris said he has heard of malicious actors using improperly privileged accounts to create new accounts that are harder to detect.

“Having account control management is essential,” said Maurice Dawson, assistant professor and director of the Center for Cyber Security and Forensics Education at Illinois Institute of Technology in Chicago.

A national problem

Regina Burris, FBI Springfield supervisory special agent for cyber, said the cyberthreat landscape in Central Illinois mirrors that of the country. Higher education presents a special target because research and development requires a collaborative environment, which also makes the schools attractive targets.

From Nov. 1, 2020, to Oct. 31, 2021, educational organizations made up 1,241, or 5.2%, of incidents where actors may have had access to internal information, according to the Verizon Data Breach Incident Report 2022. Education organizations made up 282, or 5.5%, of breaches where it was confirmed data had been accessed. Ransomware represents an increasing percentage of attacks.

Illinois Wesleyan University Chief Information Officer Leon Lewis has seen the same thing in his time working in higher education IT.

“In the last four years, higher ed and medical have become the new preferred targets. Colleges are taking it on the chin every day,” he said.

In Central Illinois, that impact can be seen in the cyberattack on Heartland Community College in fall 2020 and an attack on Lincoln College in December 2021. Lincoln College officials said the ransomware was partly to blame for its sudden closure, saying the lack of access to systems prevented the college from knowing enrollment projections for the fall.

Colleges collect a lot of information from students that is kept long after they graduate, making the institutions profitable targets for hackers, Lewis said.

“The whole profile of who a person is, is sitting here (in the network),” he said.

Cybersecurity firm Emsisoft publishes a yearly “State of Ransomware in the US: Report and Statistics.” Its publication for 2021 said 62 school districts and 26 colleges and universities were hit by ransomware last year.

There is also a shortage of people working specifically in cybersecurity, and educational institutions cannot compete with private sector salaries, Dawson said. He tracks openings using cyberseek.org, which shows more than 714,000 cybersecurity job openings and 1.1 million people employed in the field.

"Even universities are struggling to keep cybersecurity professors," Dawson said.

A changing landscape

The biggest change to ransomware attacks in recent years has been that actors now sometimes steal data and then threaten to release it unless they are paid, so they still profit if the victim uses backed-up data to avoid the ransom, Harris said.

“As businesses and academia adjusted to the ransomware threat, (malicious actors) adapted their business model,” Harris said.

Higher education institutions can prove enticing targets for malicious actors who are willing to bide their time, Lewis said. College students may not have much, or any, credit history in school, but are likely to have good credit after leaving school — so hackers will hold onto their information for years. Faculty and staff information can be valuable in a shorter timeframe, though.

The source of the attacks has changed as well. State-sponsored actors, including in Russia, Iran and China, have expanded the types of targets they attack, Taube said.

“Before this year, you rarely saw them go after just anybody,” he said. “(…) It’s like a fire-sale.”

In response to these changes, ISU has changed how it stores its backups, including using off-site storage and backups that cannot be changed once they are created, Taube said.

Globally, some recent ransomware attacks have infected not just the network, but backups as well, Taube said. The immutable backups keep that from happening, meaning the school's cybersecurity insurance could then go toward backup restoration rather than the ransom.

Besides being actively put onto backups, ransomware can also find its way there if it is already present when the system is backed up, Harris said. Spending a couple weeks in the system gives the actors more time to explore the network and find the potentially valuable information.

Phishing emails also have gotten more sophisticated, Dawson said. Phishers try to make their emails look like they came from inside the organization, even changing the grammar of their emails to fit local dialect.

COVID has changed the landscape, too, with more employees using remote access to work from home. Home networks rarely have the same level of protection that institutions have, Dawson said.

Eastern Illinois University declined to provide details about its cybersecurity approach and systems. However, a statement from spokesman Josh Reinhart highlighted how the changing threat landscape makes addressing the issue more complicated.

“Eastern Illinois University is proactive in defending against cyber attacks. Because of the dynamic and evolving nature of cyber threats and EIU's ongoing cyber security initiatives, the University is unable to share further details on any of its specific approaches,” he said.

Unique challenges

The nature of information technology at ISU also makes it difficult to manage and to make changes in cybersecurity practices, Taube said. There is a central IT office along with various IT departments at the school's colleges and departments. His challenge is to make sure all of the colleges, departments and users are following best practices for cybersecurity.

“It’s one network, it is a risk to our systems, our network, our data,” Taube said.

Recent steps taken at IWU include improving security for network access devices, adding multi-factor authentication for all university applications and updating the school’s IT standards, Lewis said.

IWU has implemented a university IT governance committee, which includes faculty, staff and students, to get feedback on the school's rollout of the new policies, Lewis said. The committee will allow IT staff to better communicate why they might need to limit certain applications or parts of the network, and other things that might bump shoulders with traditional approaches to academic freedom.

Overall, as long as his office explains the "why" behind the changes, faculty have been willing to go along with them, Lewis said.

“Nobody likes rules, but at least everybody’s informed about what’s happening,” he said.

Responding to the threat

Over the past two years, ISU has made cybersecurity more visible on campus. The chief information security officer position and office as a whole were created in 2020, with Taube stepping into the CISO role on an interim basis. He was hired to the permanent position earlier this year.

When he started, he had three full-time staff members and no student workers. He now has five full-time staff and 12 student workers, with plans to hire two more full-time staff soon.

“It’s expensive to invest in resources, whether staff or tools, and the university has done that,” he said.

ISU does not have a defined cybersecurity budget, but spends around $1.5 million for technology and staff, while also using no-cost services through state and local entities, Taube said.

At IWU, Lewis estimated the university spends around $800,000 a year on cybersecurity, which includes insurance.

Heartland dedicated $1 million to cybersecurity in June 2021. At the Heartland board’s monthly meeting on Tuesday, Chief Information Officer Scott Bross gave an update on the effort so far.

Part of the response has been to separate parts of the network that contain confidential information from the more readily accessible parts of the network. Bross connected this to the need to balance cybersecurity while avoiding undue limitations on academic freedom.

“We’re an educational institution; we really want a campus that is open and active and people are using all sorts of different software on campus (…) In order to provide that sort of openness, we need to segregate our data center,” Bross said.

Law enforcement involvement

The best time to involve the FBI in cybersecurity is before an attack happens, Burris said. She encourages institutions to sit down with the office to discuss best practices and the resources the FBI can offer ahead of time.

The public can file complaints of internet crimes and follow consumer and industry alerts at ic3.gov, Burris said. Each alert includes steps that people can take to protect themselves and their network. The FBI does offer another selective service for industry professionals that goes more in-depth, but it requires vetting before people can join.

FBI Springfield Special Agent in Charge David Nanz also emphasized that the best thing institutions can do is engage with the FBI beforehand and build relationships that will help if the institution is hit by a cyberattack.

Another cybersecurity tool that schools are considering is insurance, and it's something each institution needs to decide on its own, Harris added. Those considerations should include how the insurance will work with law enforcement.

ISU did not see its cybersecurity insurance costs skyrocket this year, in part due to steps it had already taken, Taube said.

IWU’s cyberinsurance costs have gone up around threefold, Lewis said. But going without it could be disastrous, he said.

Paying ransom should be less of a consideration, Nanz said.

“The FBI recommends victims do not pay ransom in a ransomware attack. The fact of the matter is ransomware would not exist if victims did not pay,” he said.

There also is no guarantee that if victims pay, the actors will actually release the system, he said.

Contact Connor Wood at (309) 820-3240. Follow Connor on Twitter: @connorkwood

