A spate of high-profile data breaches, including the recent Optus, Medibank and Vinomofo hacks, has highlighted how vulnerable our personal data is to cyber attacks. Attacks on data-rich universities are also on the increase. According to the Australian Cyber Security Centre (ACSC), education and training providers are now the fourth most targeted sector for cyber attacks, more desirable even than State, Territory and Local governments.

UNE have, in a 30-day period, blocked over 14,000 spam emails, 750 malware programs, 167 malicious processes, 26 malicious links, 17 untrusted executables and prevented 171 credential thefts. During this period eight worms were detected and contained and one high-risk code injection blocked.

To learn more about cyber security, Pulse spoke to Rob Laurie, UNE’s deputy Chief Information Security Officer and project manager of the Rapid Uplift Program – a massive undertaking aimed at increasing and strengthening our cyber security capabilities.

Background and experience

A software developer by trade, Rob has over 17 years’ experience in enterprise security architecture. He has previously worked in large government information systems and regularly delivers expert talks at international cyber security conferences such as Cyber Security Asia 2022, held in Kuala Lumpur, on a variety of topics including insider threat and developing cyber resilience. Rob is a committee member for the Australian Information Security Associates (AISA) and a member of the GIAC Advisory Board. At the time of writing Rob was on his way to Dublin, Ireland to speak at COSAC 2022.

Are organisations more vulnerable to cyber attacks now compared to two or even five years ago?

Yes and no, says Rob.

“Before migrating to the Cloud, and especially before COVID-19, working at UNE was similar to being safely in a fort. UNE had a strong external perimeter that protected the vulnerable interior. With the onset of the pandemic UNE went from having a single fort with physical security controls, e.g. where people would arrive at the university and log on to their computer on campus, to many micro forts with information travelling between them as people began working from home. Instead of one hard border, we had a set of micro borders and had to rapidly evolve and put in place security controls to allow staff to work from home, which was a challenge even for an online university,” Rob said.

Instead of making his job more difficult, Rob sees moving to the Cloud and developing a hybrid working model as a natural evolution in the cyber security life cycle.

“I see cyber security as a risk, similar to financial risk. When you quantify cyber security as a risk, you realise there is also a positive element to it. Positive risk is something we describe in terms of opportunity. For example, UNE, like most other organisations, was thrown into the deep end in having to work from home, but the move opened up opportunity to recruit staff from further afield. It means we’ve gained capability, especially in cyber security, that wouldn’t otherwise be available on campus in Armidale or even Sydney.”

How do you plan for risk?

In planning for risk, Rob considers the nature of the risk: whether it is a positive risk presenting an opportunity, or a negative risk combining a threat, a vulnerability and a negative impact, essentially a triplet of boxes to tick.

“We don’t want to treat a risk that doesn’t have an impact or we don’t want to treat a risk that can’t be realized because there’s no vulnerability. So, if there is a threat to UNE, we quantify those risks in terms of negative impact or positive impact to the university and plan and act accordingly.”

Quantifying risks is an emerging field which Rob compared to Sun Tzu’s The Art of War in his recent keynote address in Kuala Lumpur.

“Sun Tzu talks about opportunity and the importance of strategy and planning which is still relevant today. One of the cheapest ways to actually deal with cyber risk is to build a strategy and plan around it, which is what Sun Tzu was saying two and a half thousand years ago.”

What can we do to minimise the risk?

Two recent data breaches at Australian institutions highlighted universities’ desirability as targets. A data breach at the University of Western Australia compromised the personal information of current and past students through unauthorised access to information. Upon investigation it was discovered the hacker was someone working at the university. And while police are still investigating, the attempt looks to be deliberate.

In another incident at Deakin University, student information held by a third-party vendor was hacked.

“While UNE doesn’t have student data sitting on a third-party SMS Gateway, we do have other vulnerabilities,” says Rob. “One of the best, most cost-effective ways to protect our personal data is through awareness training for both staff and students, i.e. to essentially create a human firewall. Other safeguards include UNE’s single sign-on process and multifactor authentication.”

Anything else you want to share with Pulse?

“Cyber security is not a problem until it’s your identity that’s stolen. By then it’s too late to turn the ship around. If your identity has been stolen, your credit is destroyed. There are good examples of people ringing the credit agencies with the police report saying their identity was stolen, and the credit agencies had no capability to undo the damage. There was no process to repair it, and the impact is significant.”

“People should also know that cyber crimes are easier to implement. Attackers don’t need to be an elite hacker or know anything about cyber security to leverage an attack. They can buy ransomware, deploy it at an organisation and earn money by selling the data. Selling stolen personal information is a booming industry and the number of attackers that are operating in that area is growing. As a result, we’re seeing a prolific increase in the attacks on our university.”

“One of our best options is to strengthen our human firewall by ensuring our employees are aware and knowledgeable about cyber risk. We’ll be offering five-minute training courses towards the end of the year and I encourage everyone to complete them.”