Improperly secured IoT devices represent a significant threat to the integrity of campus IT infrastructures across the country.
On December 30, 2016, administrators at Los Angeles Valley College (LAVC) discovered that several of their IT systems had been infected by a cutting-edge ransomware variant known as “Spora.” According to the Los Angeles Times, the ransomware “locked the campus’ computer network, as well as its email and voicemail systems,” and encrypted hundreds of thousands of the college’s files just days before students returned from winter break.
After consulting with an outside cybersecurity expert, LAVC officials opted to pay an unidentified group of hackers a $28,000 ransom in exchange for a set of decryption keys that would allow them to regain control of the school’s files. The keys served their purpose, but the college’s student newspaper, The Valley Star, reported that “the costs to restore the computer systems at Valley College are expected to exceed $250,000.”
LAVC is not alone. From Bigfork, Montana, to Myrtle Beach, South Carolina, to Calgary, Alberta, ransomware attacks on schools big and small have become all too common in recent years. As Foothill-De Anza Community College Vice Chancellor of Technology Joseph Moreau told the Washington Post, “Ransomware has rapidly risen…to be one of the foremost threats we’re facing in information technology anywhere, let alone in higher ed.”
According to University of Denver Professor of Cybersecurity Chuck Davis, campus IT teams’ mismanagement of physical security infrastructure like surveillance cameras and access control systems is at least partially to blame.
“Video surveillance systems, just like all systems that are part of the Internet of Things [IoT], are actually computers,” Davis points out in a recent interview with Campus Safety. “They have operating systems and they will have vulnerabilities, and if we don’t take our proper due diligence…and really apply cybersecurity best practices, we put them at risk of being attacked.”
As Davis highlights, if not properly secured, any IoT device represents an opportunity for hackers. This includes everything from security cameras and communications equipment to automated lighting and HVAC systems.
For example, in 2016, white hat hackers provided a nightmarish proof-of-concept for a ransomware attack on an IoT thermostat. “It heats to 99 degrees and asks for a PIN…which changes every 30 seconds,” one of the hackers explained. “We put an IRC botnet on it, and the executable dials into the channel and uses the MAC address as the identifier.”
This exercise epitomizes just how easy it is for bad actors to use a seemingly innocuous IoT device as a backdoor, or as Davis calls it, a “pivot point,” into a campus’ IT infrastructure. By infiltrating a poorly protected device and using it as their entryway into a network, hackers are able to circumvent the firewalls and other perimeter security measures they’d normally have to overcome in a traditional brute force attack.
Fortunately, there are several precautionary steps campus IT teams can take to secure their physical infrastructure against costly ransomware attacks.
First, strategic network segmentation ensures that a breach of a single IoT device doesn’t serve up an entire IT infrastructure on a silver platter. There’s no reason for a server housing a school’s HR data to be in constant contact with a server housing its financial data, and keeping these systems as isolated as possible goes a long way towards stymying hackers’ efforts.
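As an added illustration of the segmentation point above (not part of the original article), this Python script audits a set of inter-segment allow rules and reports any chain of permitted hops that lets an IoT segment reach a sensitive server, including indirect "pivot" paths. The segment names, services, and rules are constructed for the example.

```python
from collections import deque

# Constructed sample policy: inter-segment "allow" rules (src, dst, service).
# Segment names and rules are hypothetical, not taken from any real campus.
ALLOW_RULES = [
    ("iot-cameras", "video-recorder", "rtsp/554"),
    ("iot-hvac", "facilities-ws", "bacnet/47808"),
    ("facilities-ws", "finance-db", "sql/1433"),  # convenience rule that opens a pivot path
    ("staff-ws", "hr-db", "https/443"),
    ("video-recorder", "staff-ws", "smb/445"),
]
IOT_SEGMENTS = {"iot-cameras", "iot-hvac"}
SENSITIVE_SEGMENTS = {"hr-db", "finance-db"}


def pivot_paths(rules, sources, targets):
    """Return one shortest allow-rule chain from each source to each reachable target."""
    graph = {}
    for src, dst, service in rules:
        graph.setdefault(src, []).append((dst, service))
    findings = []
    for start in sorted(sources):
        # Breadth-first search, remembering the hop that first reached each segment.
        parent = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for dst, service in graph.get(node, []):
                if dst not in parent:
                    parent[dst] = (node, service)
                    queue.append(dst)
        for target in sorted(targets):
            if target in parent:
                hops, node = [], target
                while parent[node] is not None:  # walk back to the IoT segment
                    prev, service = parent[node]
                    hops.append((prev, node, service))
                    node = prev
                findings.append((start, target, hops[::-1]))
    return findings


if __name__ == "__main__":
    for start, target, hops in pivot_paths(ALLOW_RULES, IOT_SEGMENTS, SENSITIVE_SEGMENTS):
        chain = " -> ".join([start] + [f"{dst} ({svc})" for _, dst, svc in hops])
        print(f"VIOLATION {start} can reach {target}: {chain}")
```

No rule in the sample connects an IoT segment directly to a sensitive server, yet both sensitive segments are reachable through intermediate hops, which is the case a rule-by-rule review tends to miss.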
Second, campus IT administrators must ensure that employees and students are using complex, regularly updated passwords. In some circumstances, this might mean requiring passwords that include entries from several different character sets (uppercase letters, lowercase letters, numbers, special characters, etc.); in others, it might mean utilizing two-factor authentication. It’s also worthwhile to consult with manufacturers about best practices for configuring their devices securely.
Finally, a growing number of schools are turning to cybersecurity experts like Turn-key Technologies to help them evaluate the integrity of their IT infrastructures. In fact, according to SSI’s 2017 Physical-Cyber Security Survey, 52% of respondents considered hiring a managed IT services expert in 2017, a 9% increase over the previous year.
Ultimately, as Davis concludes, institutions of higher education need to “get in the mindset of understanding that [physical systems] are now part of our IT infrastructure.” The IoT holds immense potential for organizations of every kind, but if we fail to adapt our cybersecurity practices to its unique demands, these devices’ costs will end up far outweighing their benefits.