Leading the Institutional Cybersecurity Awareness Campaigns - Top ICT Issue?
Most vulnerabilities that happen and/or reported are either due to lack of security awareness by end users (i.e., students, faculty, staff) or systems administrators’ failure to update the software an institution is running? for example:-
In June 2017 we read about WannaCry, an example of what is called ransomware attack, that affected organizations in more than 100 countries (including Kenya). I hope the stories alarmed some of you into action and that you now have a campus cybersecurity team. In a ransomware cybersecurity attack, hackers demand payment of a ransom of about Ksh 30,000 paid in equivalent bitcoin Internet currency in order to release your enterprise data (e.g., ERP data containing student records). Note that bitcoin payment is anonymous just like cash and cannot be traced to the hacker. In the Kenyan context, it would be equivalent to a traffic policeman being paid a bribe without the risk of being caught!) The hacker or hacking group behind WannaCry were gaining access to enterprise systems through vulnerabilities arising from outdated Microsoft Operating System and Software (e.g., Windows XP) that had not been updated with security “patches”. We know of only one KENET member who was affected by WanaCry ransomware.
KENET hosts websites of about 70 member institutions but the websites are administered and updated by the webmasters of the member institutions (i.e., KENET simply provides a private hosting environment as well the Internet bandwidth for accessing the websites). Sometimes, an institution's website will be hacked (and defaced) because of either using outdated Content Management Systems or the use of weak Content Management Systems (CMSes) with many security vulnerabilities (e.g., WordPress). KENET recommends the use of open source Content Management Systems that are prone to much fewer vulnerabilities (e.g., Drupal). However, CMSes must be updated by institutional webmasters on a regular basis (it is a full-time job to monitor alerts and update the software to ensure there are no open security vulnerabilities). Do you have a full-time security team that checks that CMSes and other software systems are regularly updated against known security vulnerabilities?
KENET recommends that each institution implements a network firewall that incorporates vulnerability database updates provided by the firewall vendor as a subscription. These firewalls are often pricy but it is more expensive to lose data. However, KENET encourages member institutions without network firewalls to install the open source firewall pfSense that has been quite effective in mitigating attacks and only requires a simple server machine. The pfSense appliance device with vendor support is also affordable. We installed pfSense in some of the 11 institutions that benefited from our Direct Engineering Support (DES) services (In general, Institutions that benefit from KENET DES normally do not have a budget for expensive network firewalls). The institutional ICT teams could easily install the firewall on their servers with online support of KENET engineers and enable inbuilt automatic vulnerability database updates for the intrusion detection systems. Firewalls protect campus networks from external attacks, not attacks launched from end-user computers or laptops inside the network.
Strong firewalls therefore cannot protect institutions against end-users. For example, the end users could bring their own devices that have been hacked probably because they do not have effective anti-virus installed (e.g., laptops under Bring Your Own Device arrangements) or users could click on suspicious e-mails used for phishing attacks while inside your campus network.
Institutional Cybersecurity Awareness is therefore an essential strategy for reducing the chances of a security attack. Although a few member institutions have invited KENET to train a few of their end-users, this is not a scalable solution – an online awareness campaign for all users, with campus workshops facilitated by campus security teams, is necessary. And you need to know who is on your network (wired or wireless).
The KENET Cybersecurity Emergency Response Team (CERT) website contains a lot of security advisory information for member institutions (see https://cert.kenet.or.ke/ ). Note that our Community Cloud Infrastructure is well protected and secure and the KENET CERT has a high degree of preparedness and competence in the event of an actual attack. In addition, KENET also collaborates with the National Cybersecurity Coordination Center (KE-CIRT/CC) for any additional technical support.