The COVID-19 pandemic has seen the world of work move online. Wherever possible, people are working from home and accessing everything through the Internet. This, says Dr Renier van Heerden, head of the South African National Research Network (SANReN) Computer Security Incident Response Team (CSIRT), has made cybersecurity relevant in ways no-one could have imagined a few years ago.
“It is amazing how technology has allowed this shift to work from home,” says van Heerden. “But it means that the importance of cyberinfrastructure has increased by orders of magnitude, and with that, the importance of defending that infrastructure.”
Online systems are by their very nature vulnerable to attack, because they are accessible from all over the world. The more complex a system is, the more likely it is to contain a vulnerability somewhere through which criminals could gain access. A final factor is how many people use the system - the more people, the more vulnerable the system becomes.
This makes large organisations, like universities, particularly susceptible to cyber attacks.
Present and future cyber attacks
“Ransomware attacks are one of the most common forms of cybercrime affecting South African institutions,” explains van Heerden. In a ransomware attack, criminals attack an institution’s systems and then demand a ransom to return access or to not expose the stolen data.
Because universities and research institutions tend to be home to a great deal of valuable and sensitive data, from research data to intellectual property to the confidential details of students, they are a prime target for ransomware.
The prevalence of Bitcoin has also made ransomware attacks easier to get away with as it is very difficult for law enforcement agencies to trace cryptocurrency.
“The second threat,” says van Heerden, “which has started to affect higher education institutions in Europe and America, but not yet in South Africa, are Distributed Denial of Service (DDoS) attacks.”
“In higher education at the moment, these DDoS attacks are the modern-day equivalent of pulling the fire alarm to get out of an exam,” he says, noting that the prevalence of DDoS attacks tends to increase significantly during test season as tests increasingly move online, or semi-online through automated systems.
“Most online systems are quite vulnerable to DDoS attacks,” he says. “A good way to think about it is to imagine if you get a phone call every second, even if your phone just rings once, every second, it will become completely useless as a communication device.”
The same principle applies to DDoS attacks. Cybercriminals may control computers all over the world, thousands or even millions of them. If they then set things up so that each of those computers makes a connection to a server, even if it is not a full connection, the service will not be able to handle it and the system will go down.
“We see accidental non-malicious denial of service events all the time,” he says. “For instance, when the ticketing system collapses for a particularly popular concert, or when a retail outlet can’t handle the demand of Black Friday and their site or payment systems go down.”
Of particular concern, says van Heerden, is that DDoS is actually sold as a service.
Another threat to higher education and research is more difficult to pick up and respond to, but fortunately less common due to its sophistication. We refer to these as advanced persistent threats, which correspond to old-school spying. They may be used when criminals want to get their hands on some valuable intellectual property: they place bugging devices in computers and systems, which then gather valuable data.
Responding to cyber threats
“Cybersecurity is everyone’s responsibility,” says van Heerden. We need to always be vigilant.
While it is of course the role of Information Technology (IT) departments to keep cybersecurity infrastructure up and active, they cannot do it alone.
“Education about cybersecurity is also an important responsibility of IT departments and anyone knowledgeable about information security.”
He recommends basic practices such as enabling two-factor authentication wherever possible, not repeating the same passwords for different systems, and never trusting emails requesting your password and username. You should also be very cautious with requests for other personal information, such as your ID number or bank account details.
“But probably the most important advice,” says van Heerden, “is to make sure that when it happens to you, you can recover.”
He stresses the importance of keeping up-to-date backups of all your data, and making sure those backups are kept on a separate physical medium.
“It does not help if you keep your back-ups on the same laptop or computer you use every day. Better to keep them on a hard drive or in the cloud. And most importantly, test your back-ups regularly to be sure the data has not been corrupted in some way.”
SANReN CSIRT
The SA NREN team (distributed between TENET and SANReN) works with higher education, science councils and other research institutions to both prevent and respond to cyber attacks. This work is done through the SANReN CSIRT, which provides a number of services, including:
- Alerting services: keeping track of various threat intelligence feeds to pick up suspicious traffic that may indicate vulnerable or misconfigured systems as well as indicators of systems that have been compromised by malware. The SANReN CSIRT will then send relevant alerts to subscribed institutions.
- Vulnerability assessments: this involves conducting a scan to uncover exploitable weaknesses in network devices, servers and systems. From 2022 the SANReN will again be offering free vulnerability assessments.
Annual cybersecurity challenge
The SANReN CSIRT hosts an annual competition in which cybersecurity students from different universities compete against each other on a number of cybersecurity tasks including penetration testing, incident response, digital forensics and cryptography. The competition is structured in an attack versus defence style as teams hack into each other’s systems but also fix vulnerabilities in their own applications.
“It is a wonderful initiative that sees a lot of interest every year,” says van Heerden. “The aim of this challenge is to stimulate interest in cybersecurity in general and specifically in the field of network security within South African tertiary institutions.”
The eventual aim is for SANReN to sponsor the winning student team to compete at an appropriate international competition, such as the European Cyber Security Challenge or the BRICS skills challenge.
“South Africa is home to a hub of information security expertise,” says van Heerden. “This is going to be an increasingly valuable skill and it is important to do what we can to ensure we have the expertise to combat cybercrime.”