Responding to cybercrime in SA’s higher education and research community

To help South African universities prepare for and respond to cyberthreats, TENET and the SANReN group established a sector CSIRT.

Universities house a treasure trove of data for cybercriminals: sensitive research data, intellectual property and the banking details of thousands of staff and students. This, combined with their being large and distributed organisations with decentralised governance structures, makes them both attractive and potentially easy targets for cyberattack. In a recent survey in the United Kingdom, 35 out of 103 responding universities admitted to having suffered a ransomware attack in the last five years, and one of those, Sheffield Hallam University, reported 42 attacks since 2013. South African universities are not immune to these attacks.

While some universities are sufficiently resourced to have established their own cybersecurity teams, not all universities have access to the necessary skills and resources. To help South African universities prepare for and respond to cyberthreats, TENET and the South African National Research Network (SANReN) group established a sector Computer Security Incident Response Team (CSIRT) to provide both proactive and reactive services to the higher education and research community. After consultation with the community, the team was formally established in March 2016. The CSIRT is affiliated with the international cybersecurity community, as an accredited member of Trusted Introducer and the Forum of Incident Response and Security Teams (FIRST).

At a national level, the Department of Telecommunications and Postal Services established a Cybersecurity Hub in 2015 to create a co-ordinated response to cybercrime in South Africa. Its goal is to be a central point for collaboration between industry, government, and civil society on all cybersecurity-related incidents in the country. This Cybersecurity Hub recognises the various CSIRTs in different sectors, including the SA NREN CSIRT in the higher education sector.

The nature of cyber-attacks in higher education

“Most attacks are now driven by financial incentives,” says Roderick Mooi, head of the SANReN CSIRT. “Ransomware attacks are currently common; this is when attackers take down an institution’s systems or encrypt their data and then demand a ransom to return access to the institution or not expose their data.”

Disturbingly, as institutions become savvier to this behaviour and are able to prepare for these attacks with adequate back-ups and other measures, cybercriminals are starting to sell, or threatening to sell in the hopes of a ransom, sensitive data stolen from universities. While the attackers themselves may not have any interest in the information, it is never difficult to find a willing buyer.

There is also great potential for reputational damage to an institution that has suffered a cyberattack, as it is viewed as responsible for allowing that information to be compromised. Since the commencement of the Protection of Personal Information Act (POPIA) in July, there is now a legal obligation to disclose the breach to affected parties. Once the transitional arrangements fall away in mid-2021, organisations could be penalised for not disclosing and face other repercussions.

Information security is a collective responsibility, and the existence of a sector CSIRT does not relieve institutions of that burden. However, the SA NREN team (distributed between TENET and SANReN) works with higher education, science councils and other research institutions to not only prepare for and prevent such attacks, but also to respond in the most effective manner should the worst-case scenario occur.

CSIRT services

The SANReN CSIRT provides a number of proactive services intended to prevent cyberattacks from occurring in the first place. These include an alerting service, training, and vulnerability assessments. Together with TENET, the team also provides incident response support and coordination.

Alerting service: law enforcement, security companies and other anti-cyberattack groups deploy devices that listen for unexpected or unexplained traffic. These sensors pick up both vulnerable or misconfigured systems and indicators of systems that have been compromised by malware. This information is communicated in what are known as threat intelligence feeds and is used by law enforcement, CSIRTs and other organisations to counter current or potential cyberattacks. The SANReN CSIRT subscribes to a number of these threat intelligence feeds and sends relevant alerts to subscribed institutions.

Training: a critical service is the training of higher education and research ICT staff who are interested in establishing their own security teams or looking to mature them. The TRANSITS (Training for Network Security Incident Team Staff) curriculum was developed for and is used by NRENs and CSIRTs around the world. In the training offered by the SANReN CSIRT, certain modules of the curriculum are contextualised for South Africa.

TRANSITS training is held annually (although COVID-19 meant the postponement of the 2020 training). It equips attendees with a minimum base knowledge of cybersecurity issues in higher education and an understanding of the value of a dedicated CSIRT, and provides the resources and material needed to establish one. These training workshops are also a valuable networking opportunity and go a long way to building a CSIRT higher education community in South Africa. Once level one is completed, there is a level two training available.

Vulnerability assessments: these can be requested by an institution, and are always done with prior approval and in an ethical way. The assessment involves conducting a scan to uncover exploitable weaknesses in network devices, servers and systems. The results are manually verified and then compiled into an easy-to-read, actionable report. These vulnerability assessments should be regularly scheduled, along with penetration testing, to help institutions identify security weaknesses in their IT infrastructure before they are picked up by cyberattackers.

The SANReN CSIRT also sends the community a weekly summary of relevant articles so that IT and other staff involved in information security remain up to date with cybersecurity trends and developments.

The importance of cybersecurity in a post-COVID-19 world

Cybersecurity risks have been further exacerbated by COVID-19 and global lockdowns, as all elements of higher education, including teaching and learning, have moved online, opening up new vulnerabilities. As many are predicting that education is unlikely to return to in-classroom only, and COVID-19 lockdowns have changed the world of work forever, institutions need to assess their cybersecurity vulnerabilities with new vigour, and do what they can to stay one step ahead of the cybercriminals and attackers.

“Cybersecurity can be likened to an ever-ongoing chess game,” says Mooi. “You have to keep a close eye on what the attackers are doing so you can know how best to respond. It is a rapidly changing field in which falling behind can result in major financial and reputational damage.”

The SA NREN CSIRT is a responsive service, and beneficiary institutions that need support for a cybersecurity incident or are looking at implementing proactive measures to avoid attacks are invited to contact the team.