“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.” – Kevin Mitnick
On Saturday, May 28, 2016, the University of Calgary suffered a substantial cybersecurity breach, capturing the attention of mainstream media and security news outlets worldwide. Then on June 7, it was reported that the University paid blackmailers $20,000 in ransom demands “to ensure critical systems could be restored.”
Being my alma mater and local to the city in which I currently reside, this news really struck home. The University of Calgary is a world leader in research and student academics with total revenues exceeding $1.1 billion – one of the highest in Canada. I spent some time investigating to gain insight into what was going on at the University. What I discovered is not that surprising from my experience as a cybersecurity professional.
Initial Reports – The Breach
On the morning of Monday, May 30, 2016, CBC News reported that a malware attack crippled the institution’s Exchange email system, Office 365 email system, Skype for Business, secure wireless, and active directory system. (Active directory is used for authenticating users’ passwords and authorizing access to computer systems.) At that time, University officials issued a warning to students and staff to not use any school-issued computers.
By the afternoon, the University issued a statement on their website that the secured wireless network and Office 365 email system were once again operational and that “It is now safe to use UCalgary-issued computers to access available UCalgary networks and applications. There are a number of users who remain impacted by the malware and they will not be able to access any UCalgary systems.”
One Week Later – The Ransom
A week later, on June 7, the Calgary Herald reported that “The University of Calgary paid a $20,000 ransom in untraceable bitcoins to shadowy hackers after a devastating malware attack.” Linda Dalgetty, VP, Finance and Services of the University of Calgary, said, “University IT teams have been working around the clock for more than a week trying to fix the bug that affected email, Skype, wireless networks and other services. Users of university-issued computers were also advised to leave them off while under threat from the hackers.”
Dalgetty also stated that “officials found no indication that any personal information or university data was compromised, and that paying the ransom doesn’t guarantee all systems will be restored or lost data recovered. I think we, like other organizations subjected to these attacks, learned that continued vigilance is important.”
The University not only paid the ransom, but admitted openly to doing so. This is not a common practice. Dalgetty said they did it as “an effort to be transparent. We’re a public sector organization and we pride ourselves on our openness.”
History of Security Incidents – This isn’t the first time
“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.” — White House Cybersecurity Advisor, Richard Clarke
Less than a year ago, in September 2015, the University of Calgary made international headlines when their PeopleSoft Finance and Human Resources system was breached. Employee records were fraudulently accessed and banking records were modified. Linda Dalgetty was the Public Relations spokesperson for the media on this security breach as well.
In both security incidents, the Calgary Police Services’ Cybercrime Support Team were called in to investigate. Official details in both cases are limited. The police department is neutral on cybercrime ransom payments, leaving the decision to respond to the ransom demand up to the individual or organization.
Dark Days Ahead – Ransomware Attacks
The fact is, ransomware attacks are on the rise and growing exponentially. They are now considered to be the number one cybersecurity threat for 2016.
In March 2016, the Office of the Information and Privacy Commissioner of Alberta (OIPC) issued an advisory for ransomware to both private and public sector organizations in Alberta (https://www.oipc.ab.ca/media/687741/advisory_ransomware_mar2016.pdf). This advisory notifies organizations of their legal obligations under the Personal Information Protection Act of Alberta and how to respond to a ransomware attack.
The decision to pay a ransom to regain access to your own information can be difficult, and the decision is often made under significant duress: the board room meetings, the emotions at play, the politics, the long hours of failed recovery, and the endless questions around “how did this happen to us” – the list goes on. The reality is that a ransomware attack puts individual jobs and livelihoods on the line. Not trivial stuff.
I feel a tremendous amount of sympathy for the individuals that had to deal with the ransomware attack at the University and for those who ultimately had to decide to pay the hefty ransom. That is not a decision I envy. That said, the reality is that those same individuals also had the opportunity to prevent these security events from occurring in the first place. Judicious security threat risk management is no longer optional and rigorous security management would have gone a long way to preventing some of this financial and reputational loss.
Sadly, the information we’ve received speaks to inadequate security controls which allowed numerous critical assets to be compromised in less than one year. The sheer number is staggering: two different email systems, Skype communications, authentication and authorization systems, secured wireless networks, over 100 user computers, research data, employee records, and payroll information. And that’s just what is being reported in the media.
“Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off.” — FedCIRC
The good news is that some systems are back online and working, allowing the University to conduct normal business operations (sort of). The bad news is still pretty bad: After two weeks only some systems are back online.
The perils that the University of Calgary faces in the coming days and weeks are serious. They may never fully recover from this cybersecurity attack. Is this a risk they are willing to accept? They don’t have a choice in the matter, as they are no longer in control of the outcome and are now at the mercy of the malicious hackers. Will the decryption keys to unlock their data and systems work?
No one knows; even the University itself is skeptical. Is cybersecurity risk now at the top of their risk register, or even on it? I don’t know, but it should be.
After two high profile cybercrime attacks in less than a year, what does the University do now? How do they resolve their cybersecurity posture so they are not vulnerable in the future? The answer is simple – they need a robust Information Security Program and they likely need to hire a CISO or advisor to help them define, implement, monitor, and test it.
“One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.” — Arnold Glascow