Cyber Analyst Q&A: Security Lessons from Lincoln College

In an interview with the Pittsburgh Post-Gazette, a lead analyst from accounting and business advisory firm Schneider Downs discussed cyberattack vulnerabilities and what colleges can do to mitigate them.


Now defunct, Lincoln College had outlived the Spanish flu of 1918, World War II and other challenges, and by 2019 had reached record levels of enrollment and dormitory capacity, its leaders say. But along with the ensuing pandemic, another event, a ransomware attack last December, proved to be the final straw.

By the time the private institution with fewer than 1,000 students regained access to critical enrollment and fundraising data in March of this year, its finances had already been eroded and there was almost no time left to recruit for the fall.

Lincoln's demise is a chilling reminder of the growing danger such attacks pose to workplaces, including academic institutions, cybersecurity experts say.

Among those experts is David Murphy, a lead analyst at Schneider Downs, whose work focuses on digital forensics and on defending against and responding to cyberattacks. He has a background in the Air Force, intelligence and national security.

Mr. Murphy, with the firm's Pittsburgh office, sat down with the Post-Gazette to discuss the risks and what employers, including colleges, can do to help keep themselves safe.

PG: Lincoln's attack shows the high stakes for a college. But has the pandemic encouraged more such attacks against companies of all kinds? If so, why?

A. Definitely. Overall, COVID-19 has led to an increase in attacks. A lot of it has to do with remote workers and protecting those people. A lot of the organizations I've encountered were not prepared for remote work capability.

PG: Please explain more about what happened once Lincoln's officials learned their systems had effectively been shut down, and they were locked out of critical information.

A. They conducted some kind of forensic investigation to verify what happened and how (the attackers) got there. Basically, what data was taken or potentially taken. They later mentioned that no personally identifiable information was leaked, which is good.

I think there are details out there that say they did pay $100,000 worth of ransom, which in my experience is fairly low. Usually, when threat actors are asking you to pay, they've done some homework to verify your ability to pay. And so that was kind of surprising. The other angle is, if they paid, what did they get in return? You know, that part's pretty unclear.

PG: The pandemic had already hit Lincoln's enrollment, so what was available to them financially to respond?

A. That's one angle that I don't fully understand, for them, but in general, for other colleges, what kind of cyber insurance they typically have. A typical business insurance policy won't cover an attack like this, and the (remediation) that's required, the data recovery and the third-order effects that can result from it.

That's one thing all colleges really need to address: making sure they have an appropriate cyber insurance policy in place, and that it covers all of the various impacts, not just the ransom itself, because a lot of the policies will mention, 'Hey, we'll pay the ransom.' But you need to include all the data recovery work, as well as the forensic and legal counsel needed to fully address the breach.

PG: Are there institutions that, by size and resources, are more vulnerable than others — in particular colleges?

A. I think every place is vulnerable. You know, it's difficult to secure every egress point of your organization. Those that implement early warning and early detection systems can spot this activity early on, which is very beneficial. There are a lot of schools that have the resources to implement those systems. Obviously, some don't. So those may have to rely on acceptable risk and on some of the cyber insurance policies that are needed there.

PG: What kind of perpetrators engage in ransomware attacks, and do hackers have a particular motive for targeting colleges or other organizations?

A. There's different threat intelligence that discusses the attackers and the types that target specific colleges. But honestly, the threat from any attack, at least ransomware, is financially motivated.

They're mostly foreign actors. I'm sure that it's difficult for the FBI. They investigate some of these things and try to take some level of action against these attackers. But it gets difficult, obviously, unless, of course, (the perpetrators) travel to an extraditable country. These (attackers) aren't afraid of going after targets that may not pay as much as some of the big conglomerates.

PG: What is a typical scenario?

A. It often happens in a (distant time zone), sometimes, like, 3 a.m. (here). Unfortunately, you get that first alert when everyone's asleep. For some reason, it always happens on a Thursday or Friday. I don't know why.

What matters is what alerts you get at the outset and how quickly you can respond. So if you're a smaller organization and you don't have the resources, you may not notice it until you come in first thing in the morning to do your routine checks. But even with alerts, you still need to do some level of root cause analysis to understand where the threat came from and how damaging it is.

PG: And after that?

A. In a ransomware attack like Lincoln's, what you're facing is, 'All we have is a note on the desktops, telling us who to contact to pay the ransom and get the key to unlock all the files.' And so you're struggling from that point on, basically from a data recovery perspective, trying to bring systems back online if you have the capability. And, you know, doing forensics to understand what happened and where, and trying to plug those holes, because (otherwise) they'll be right back in.

PG: In addition to being brought in after an incident, does your firm do front-end risk prevention work?

A. The largest part of our practice is the preemptive stuff. And that's obviously where we want to help people the most. So that includes all of the penetration testing: pretending to be the bad guys and then providing them with the results to help them understand where the vulnerabilities exist. There's a lot of alerting and detection tuning. We also do IT audits. So we're looking at the organization as a whole.


A. It all starts with a good vulnerability management system. Being able to patch systems on time, making sure you have a good asset inventory, and understanding what's in the environment, what needs to be patched and when. Cyber insurance is important to have.

