DIG22 reflections

05 December 2022 - DIG22 reflections

UCISA DIG22 Conference, Newcastle Hilton 11/10/2022 – 12/10/2022

Ian Richardson, IT Security Officer, Digital Services, University of Wolverhampton

 

I attended my first DIG conference in my role as IT Security Officer at the University of Wolverhampton. After the years of lockdowns and disruption caused by the pandemic it felt a little strange to be amongst people from all corners of the country once again.

Day one opened with introductory sessions followed by Cyber Security in Practice – Learning with Lego. Our team were mid-table in the final standings; the task highlighted that there are myriad cyber threats HE institutions face and many potential responses to them, proactively and reactively.

At the next session An Evergreen & sustainable approach to delivering storage services* we were presented with the fact that data centres use 1% of the world’s energy and that the amount of data produced is growing at a prodigious rate – by 2025 it is predicted the world’s data output will reach a whopping 175EB. I recall purchasing my first home PC in the late 90s equipped with a 6GB hard disk drive and thinking to myself “I’ll never fill that”, but of course I did! The implications of storing and accessing such vast quantities of data are that it places a huge strain on the environment so this session was aimed at outlining how this could be mitigated with the added bonus of hopefully reducing energy consumption, and therefore costs. It was also highlighted that in the public cloud versus on-prem storage conundrum that both options have their advantages and disadvantages.

The following session Next generation, sustainable cybersecurity for survivability in high-risk sectors* threw up the fascinating fact that the first ever documented Denial of Service attack occurred way before the computer age when in 1914, UK troops snipped German communication cables at the start of WW1 forcing the enemy to use radio for their comms which proved easier to intercept. Fast forward to 2022 and beyond, and the Threat Landscape Summary is dominated by such things as advanced persistent cybercrime, the weaponization of AI and the menace of dark web presence; Fortinet are also turning their attention towards Quantum security issues.

The session Digital Sustainability – exploring how you can make a difference* reiterated that institutions could have a significant technology footprint (e.g. waste) which is unsurprising given that knowledge is now almost all stored digitally (in 1993 the figure was 4%) and the Times league table now ranks universities on sustainability. I thought this was an interesting insight: knowledge does not diminish; it can be shared and grow unlike a consumer product.

A survey respondent quote: “If we create any kind of waste, we have to deal with its consequences” and the speaker concluded by asking the thought-provoking question “What is the true cost of unsustainability?”

The following session Surviving the journey to the public cloud – panel discussion* discussed the move to the cloud, one that is part of a trend seen at many institutions, including the drivers for going cloud-based; whether a full or split model works best; the opportunities arising from going cloud-based; in-house or partner migration? and how to manage the costs of moving to cloud.

How to reduce your Data Footprint to improve Sustainability and Survivability*

This is the “Age of data”. Its volume is ever-growing, services are more data-driven, diverse, and harder to manage, data is now fragmented in on-prem and cloud service environments, with GDPR, cost, and performance issues all to be considered.

Some statistics:

  • ICT will consume 8% of the world’s electricity output by 2030 (2% in 2020)
  • Storage alone is responsible for 10-15% of data energy consumption
  • Only about 32% of created data is ever used

 

Better data storage management can translate into a reduction of CO2 emissions and a reduced storage footprint costs less and is more secure (overnight backups more likely to complete out of hours meaning less disruption to services).

The session Operational Resilience is a journey not a destination* offered a view from outside the sector.*  offered a view from outside the sector.

Key characteristics of operational resilience: Prevent – Adapt – Recover. Operational Resilience (OR) attempts to pre-empt incidents in contrast to Business Continuity (BC) which is geared towards detailing plans post-incident.

OR seeks to identify: critical services (what does the business do?); risks (identify key risks and track how they change); interconnections & interdependencies between people, processes, and technology; risks presented by Third Parties; intelligence-led testing and prepare and frequently review Business Continuity and Incident planning.

Day one concluded with the interesting real-world story Don’t panic in which the speaker’s previous organisation (not HE) were the victims of a ransomware attack – how it unfolded, what they learned from the experience, how they recovered some but not all their data and services. Once again, an issue was highlighted wherein users have no idea what their own data contains. One (unintended) benefit from the incident was that quite a lot of older servers and systems ended up being decommissioned or removed allowing the organisation a clearer view of their assets.

After a lovely meal at the venue, followed by a few drinks, day two kicked off with a session entitled Preparing your institution for a cyber attack* in which again the speaker’s organisation found themselves victims of a cyber-attack in March this year. An unused alumni account was used to access RDS and proceeded to scan file shares, obtain local shared admin account to access multiple servers and obtain domain admin allowing lateral movement across the domain. The resulting loss of data entailed a huge scale of restoration plus legal issues (solicitors reviewing contracts). The presenter shared the experience to help minimise the risk to other institutions, reduce impact of future attacks in HR and also as some means of closure for affected colleagues.

As with the previous session’s outcome, as well as increased security post-attack they were able to get rid of several bespoke un-needed systems and clean up their remaining IT systems.

The next session Evolving Cyber Security Trends in Higher Education and why having the right Threat Intelligence is so critical* posed the question: “Why is it important to have the RIGHT Threat Intel?” and concluded that attacks are certain to happen at some point; resources are finite; HE has a unique characteristic business structure of rotating users, all of which make different parts of their network attractive to myriad different types of attackers.

The NCSC has identified HE as a sector of concern which simply can’t function without its digital estate. The Threat Landscape is dominated by “The Big Four” state actors – China, Russia, Iran, North Korea – who all have different priorities.

Other insights included: insider threat becoming more prevalent; ransomware attacks rose by 148% in 2021; Ransomware as a Service (RaaS) now compounds the malicious insider infiltration vector; ransomware is now just another business in which its participants are trying to make money; one-third of UK universities have been victims of ransomware attacks in the past decade; and deciding to pay up in the event of such an attack initiates a negative feedback loop (ransoms paid help fuel future attacks).

The next session Looking back at recent incidents and how to prepare for the worst examined the notion that The Cyber Threat comes from various sources, including: cyber criminals, nation states; insiders, hacktivists and terrorists, all with varying motives to attack.

Preparations for attack should include: identifying critical systems and assets; prioritising and managing risk; and making incident plans (plan for different types of attacks).

The session Accelerating Sustainability Goals with Cloud* looked at sustainability trends and how they are increasing and being driven by a number of factors including: customer demand; governmental regulation; employee demand; impact investing; and sustainability as competitive positioning. AWS aim to go carbon neutral by 2025.

Next came a session introduced by my UoW colleague entitled Cyber Essentials: A Bumpy Roadmap to Compliance* in which steps taken before, during and up to the point of achieving certification were outlined. These included: establishing the need to get certified; establishing the team to work on the project; estimating the time and cost involved; establishing the scope; and a long ‘to do’ list.

Several policies were either written or revised covering areas such as: password management; server patching; application patching and updates; IT acceptable usage; BYOD; access control; and privileged access management.

Consideration of how different types of devices were to be treated was required, so University-managed laptops and PCs, AppleMac devices, personally-owned laptops and PCs and mobile phones and tablets were subject to a range of different controls and this required lots of deliberation and union engagement, extensive comms and prior engagement and introduction of a service to enable exemptions so that users could continue using their own devices to gain access to resources when deemed appropriate.

The presentation concluded with the question “Was it worth it?” to which a few of the responses included: Achievement of CE is necessary to attain and retain some government and research contracts; many outdated Info Sec policies were reviewed and updated; certification does NOT equal protection; and further work is required to maintain compliance with ever-changing standards.

Next up came Cyber Security Panel session which asked panellists a number of cyber security related questions such as: Security is a journey. Where are you currently?; How big is your Info Sec team?; How to protect from internal threats? What’s the thing that is under-rated in terms of InfoSec?

DIG22’s final session was Defacement’s Not Dead – the tale of Bandar Togel* in which the presenter regaled the tale of a website being taken over by a hacking team because of a missing patch which allowed the hackers to gain access. In the Bandar Togel event, a now unused subdomain was taken over (it was originally set up for a research project which had since closed, but the subdomain remained accessible but forgotten about until the attack took place). Amongst the lessons learned from the attack were: searches reveal it’s a common problem and an easy mode of attack for adversaries. The attacker’s motivation was examined and found to be largely financial as online gambling was banned in Indonesia (the website was hijacked and used to host an illegal gambling site).

Furthermore, traditional security tools such as SIEM, pentesting, vulnerability scans and security tooling were of little help in this case; but such measures as DNS clean-up; better procedures for managing sub-domains, CMDB of webservices, user awareness of the responsibility that comes with being given a sub-domain and knowing your assets and risks.

*Denotes recording available via UCISA website

Take-aways from the conference (SustainabilITy thread):

  • Fortinet and AWS speakers highlighted their organisations have set themselves ambitious climate-related targets
  • Data storage and manipulation consume vast quantities of energy and resources

 

Take-aways from the conference (SurvivabilITy thread):

  • Cyber-security is integral to all activities, not a bolt-on activity and can drive growth and innovation. Interesting analogy: the design of the Japanese bullet train started with the braking system…. confidence in the brakes ultimately allowed the trains to run faster
  • HE differs from the commercial world in its collaborative approach to tackling cyber-security issues: we learn from each other’s trials and tribulations via UCISA and Jisc
  • Good housekeeping is essential for cyber resilience – how can you expect to protect your assets if you don’t know they exist at all?
  • Cyber-security depends on cultural and technological factors (modern, top-quality technologies are only of use if implemented properly and embedded in a suitable culture)
  • Data is now considered a valuable commodity in itself, hence the interest in it from cyber criminals
  • Cyber-security should be considered a business issue not just something IT departments focus on, and this requires the highest levels of leadership in institutions to be engaged with it
  • CE certification (or similar) may be regarded by some as a ‘tick box exercise’ but it does help concentrate minds regarding cyber-security issues
  • Accreditation should not lead organisations to become complacent over cyber-attacks – we still need to be vigilant
  • Institutions need to ensure they have playbooks to deal with major incidents and the scenarios need to be game-tested periodically
  • Back-ups need to be maintained and should be tested periodically to ensure data loss is minimised in the wake of a cyber-attack
  • Cyber-attacks can be very damaging (financially, reputationally) but they also offer opportunities to learn from the experience to better defend against future incidents or better recover from attacks
  • The cyber threat landscape is very different today compared to ten years ago and is certain to look completely different again in another decade’s time