[BreachExchange] Michigan State ransomware attack showed need for connection between IT teams

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Dec 8 11:34:53 EST 2021


https://edscoop.com/michigan-state-university-ransomware-attack-shows-need-for-connection-between-it-teams/

A lack of communication between Michigan State University’s physics and
astronomy department and the school’s central IT operation contributed to a
2020 ransomware attack that cost the university more than $1 million to
recover from, according to recent research by a National Science
Foundation-supported group.

Trusted CI, which is part of the NSF’s Cyberinfrastructure Centers of
Excellence program, explained in a webinar Monday that Michigan State’s
central IT employees faulted the physics department for not patching a VPN,
which allowed the NetWalker malware to infect its systems and destroy more
than a year’s worth of research. But the department’s internal IT team,
which is separate from the campuswide IT team, said that lapse occurred
because they lacked the resources and direction from the main office.

Trusted CI concluded the two teams failed to set up a “key dialogue”
through which the physics department could use some of the main IT office’s
cybersecurity tools, like vulnerability scanning and intrusion detection.

The webinar followed an Aug. 1 report by Trusted CI and Michigan State,
focusing on a growing issue in higher-education cybersecurity: how to
balance individual departments’ IT teams with campuswide operations without
losing sight of big-picture threats.

Michigan State centralized most of its IT operations years before the 2020
incident, but the physics department opted to maintain its own tech
infrastructure at the time, Tom Siu, the school’s chief information
security officer, said during the webinar.

“What I think this incident has proven is that it’s not so much about
sensitive information, although that was affected in this particular case,”
said Siu, who was hired last fall, after the ransomware episode. “You have
to look at the whole program now. Researchers need to know that your
information security team and your CISO and the like have a broader problem
because they are dealing with a larger scale of security threats than you
see. So the idea is to not let any gaps occur between the distributed
teams, as well as your security team.”

In the months since the ransomware incident, more academic departments,
including physics, have consolidated with the central IT operation, Siu
said. Running VPNs through the university’s main IT infrastructure and
becoming part of its central active directory offer more uniform
protections, including multi-factor authentication and restricted user
access, he said.

Von Welch, director of Indiana University’s Center for Applied
Cybersecurity Research and an author of the case study, said during the
webinar that a department choosing to work independently is “more rule than
the exception” in higher education.

“We can have debates about the level of autonomy that departments should
have, but there will be some level of autonomy,” Welch said. “What I
have found to be instrumental here is the careful balancing of carrot and
stick. So, on one hand, we want to make sure that departments fully
understand the risks that they are taking on when they go it alone, and
then also recognize their autonomy to go ahead to accept those risks. When
they do it, they may have some services that are just so core to their
particular model that they deem those risks to be worth it.”

The Trusted CI study was also conducted to show the effects of a ransomware
attack on a research organization and the importance of cybersecurity
professionals communicating with researchers. The NetWalker ransomware
weaponized personal information that malicious actors found in a physics
department directory, which also contained research data.

“There’s no evidence NetWalker knew they had research data,” the case study
reads. “They either didn’t care if they had research data or were simply
unaware, but that didn’t prevent them from having a serious impact on MSU’s
research productivity.”

Welch added that the case study is not intended to criticize Michigan
State, and he credited the university for being transparent about the
attack so others can learn from it.