James Burns
James Burns

Last week, US Ivy League University Harvard announced that it has, for the second time in four months, been the victim of a cyber-breach. In a prepared statement released on the university's website it is stated that an intrusion was detected on June 19th, impacting a number of the school's IT systems, in addition to those of the university's central administration. To avoid efforts containing the breach from being jeopardised, the University administration has only just informed its students.

The prepared statement indicates that not all University schools have been affected and that no research or personal data has been compromised. Students are being advised to change their passwords as a precautionary measure and have been told that it might be necessary to change them again in the future. The threat actor has not yet been identified.

Why target academic institutions?

University networks have become an increasingly more attractive target to both cyber-criminals and state-sponsored hackers of late. By their very nature, these networks have a large number of transient users, making it more difficult to detect and respond to incidents than it would be in a more tightly controlled corporate environment. Requirements to provide easy access for users do not typically allow for rigid access controls and further complicate efforts to monitor network traffic.

Harvard would be a particularly attractive target: the University attracts both the bright and the wealthy – the future, rising stars of the American dream. Harvard itself has produced more American presidents than any other academic institution. It is plain to see that any information gathered on students may not be relevant now, but may form very real, very useable human intelligence on notable individuals in the future.

Furthermore, wealthy students would be an obvious target for cybercriminals, whether they would want to target them with ransomware designed to encrypt their personal files or search for sensitive personal information that would give rise to blackmail attempts.

Ivy League universities are also typically at the forefront of academic, government and sometimes even military research. Although in the case of Harvard it is clear that no research material has been stolen or compromised, the value of research information processed by every university (and outside of education – pharmaceutical companies and technology manufacturers) may prompt a malicious actor to make attempts to obtain it. Arguably, in the context of academic institutions, intellectual property, alumni databases and even a database of car parking permits containing details of vehicle owners would present greater value to hackers than financial information.

Fish in a barrel?

Whilst academic institutions continue to hold such an enormous wealth of information, in large quantities that are typically (at least when compared to the wider, corporate world) insufficiently protected, then they will continue to remain very firmly in the crosshairs of able and dedicated threat actors.

As security professionals we continually discuss the internal threat represented by humans within an organisation with our clients, and a university contains thousands of such targets. Only one of them needs to be compromised to provide an attacker with a foothold.

Contributed by James Burns, technical consultant, Information Risk Management Ltd (IRM).