It only took hackers two hours to break into the university networks through phishing emails to gain administrator access and see your personal data, financial information and confidential research. These ethical hackers were testing the security of university networks where they were able to breach the network and access high value data in every penetration test they performed.
Over 50 universities across the UK were part of this test where ethical hackers working on behalf of The Higher Education Policy Institute (HEPI) were able to successfully use spear phishing attacks to gain access to sensitive information. This process only took around 2 hours while some of the cases gained access in under an hour. The penetration testers gained complete access to system information by acquiring domain level administrator access to control systems. After gaining full access, the hackers could see all personal information about students and staff, info on their financial records and even the ability to gain access to sensitive research data.
The most common tactic in spear-phishing attacks is for cyber criminals to spoof an email to look as if it comes from a senior member of staff and send it to people to they’re known to work closely with. Once the message is opened it will direct the victim usually to a website in an attempt to steal credentials or contain attachments which will drop malware. This whole process is made easier dealing with universities since all the staff is usually listed on the university website.
There are several things universities should do to protect their networks from attacks. You should know where your data is being stored and who has access to it, and ensuring system and software are patched and up to date to prevent attackers exploiting known vulnerabilities. It is also highly recommended that staff and students are trained in security awareness to help them spot phishing emails and provide information on how to report suspicious incidents.