Now defunct, Lincoln College had outlived the Spanish flu of 1918, World War II and other challenges to see record enrollment and dorms at capacity by 2019, its leaders say. But along with the ensuing pandemic, something else — a ransomware attack in December — proved to be the final straw.
By the time the private institution with fewer than 1,000 students regained access in March to critical data for admissions and fundraising, its financial position had eroded and there was little time left to recruit for fall.
Lincoln's demise is a chilling reminder of the growing danger such attacks pose to workplaces generally, including academic institutions, cybersecurity experts say.
Among those experts is a lead Schneider Downs analyst, David Murphy, whose focus is in digital forensics and both defending against and responding to cyber attacks. He has an Air Force, intelligence and national security background.
Mr. Murphy, with the firm's Pittsburgh office, spoke to the Pittsburgh Post-Gazette about the risks and what employers, including colleges, can do to help keep them safe.
The interview has been edited for space and clarity.
PG: Lincoln's attack shows the high stakes for a college. But has the pandemic encouraged more such attacks against all kinds of companies and, if so, why?
A. Definitely. COVID-19, in general, resulted in an increase in attacks going on. And that has a lot to do with, you know, the remote workforce and securing those folks. A lot of organizations that I've run into were somewhat unprepared for that remote workforce capability.
PG: Explain a bit more about what happened once Lincoln officials learned their systems were effectively shut down, and they were locked out of critical information.
A. They went through some sort of forensic investigation to verify what happened and how they got there. Basically, what data was taken or potentially taken. They later mentioned that there was no personal identifying information exposed, which is good.
I think there's details out there that say they did pay $100,000 worth of ransom, which in my experience is fairly low. Usually, when threat actors are asking you to pay, they do some sort of homework to verify what you're capable of paying. And so that was kind of surprising. The other angle is, if they paid, what did they get in return? You know, that part's pretty unclear.
PG: The pandemic had already hit Lincoln's enrollment, so what was available to them financially to respond?
A. That's one angle that I don't fully understand, for them, but also just generally speaking for other colleges: what cyber insurance do they typically get. Your typical business insurance is not going to cover an attack like this — and the (remediation) required, recovering the data and the tertiary effects that might come from it.
That's one thing that all colleges really need to address — to make sure that they have a cyber insurance policy in place — and that it covers all the various effects, not just the ransom itself, because a lot of the policies will mention, 'Hey, we'll pay the ransom.' But you need to include all the data recovery efforts and the forensics and legal counsel that you would need to fully address the breach.
PG: Are there institutions that, by size and resources, are more vulnerable than others — in particular colleges?
A. I think every place is vulnerable. You know, it's a difficult business to secure every single outlet of your organization. Those that implement early warning, early detection systems that can catch some of these activities early in the process are super beneficial. There's a lot of schools that have the resources available to implement some of the systems. Obviously, some don't. And so those would probably have to rely upon accepted risk and fall back on some of the cyber insurance policies that are needed there.
PG: What kind of perpetrators engage in ransomware attacks, and are there hackers with motives specific to colleges versus other organizations?
A. There is different threat intelligence that talks about the attackers and the types that go after specific colleges. But honestly, any threat of attack — at least with ransomware — is financially motivated.
They're mostly foreign actors. I'm sure that it's difficult for the FBI. They investigate some of these things and try to bring some level of action against these attackers. But it gets difficult, obviously, unless, of course, (the perpetrators) traveled to an extraditable country. The (attackers) aren't afraid to go after targets that might not pay as much as some of the bigger groups
PG: What is a typical scenario?
A. It often occurs in a (far off time zone ) — sometimes, like 3 o'clock in the morning (here). You'll initially get the first alerts when everybody's sleeping, unfortunately. For some reason, it always happens on a Thursday or Friday. I don't know why.
It really matters what alerts you'll get initially and how quickly you're able to respond to that. So if you're a smaller organization and you don't have the resources, you might not notice it until you go through your routine checks in the morning when you first get in. But even with alerts, you still have to do some level of root cause analysis and understand where the threat is coming from and how destructive it is.
PG: And after that?
A. In a targeted ransomware attack like Lincoln went through, you're dealing with, g with. All we have is a note on desktops, explaining who to reach out to to pay the ransom and get the key to unlock all the files."' And so you're struggling from that point on, basically from a data recovery perspective, trying to bring systems back online if you have the capability. And, you know, working through the forensics to understand what happened and where and trying to plug those holes because (otherwise) they'll come right back
PG: In addition to being brought in after an incident, does your firm do front-end risk prevention work?
A. The largest part of our practice is the preemptive stuff. And that's obviously where we want to help people the most. So that includes everything from penetration testing: Pretending to be the bad guy and then giving them results and helping them understand where the vulnerabilities exist. There's a lot of alerting and detection tuning. We also do IT audits. So we're looking at the organization as a whole.
PG: What's your advice to employers, be they companies or colleges?
A. Everything starts with a kind of a good vulnerability management system. Being able to patch systems on time, making sure you have a good asset inventory, and understand what's in the environment, what needs to be patched and when. Cyber insurance is important to have.
©2022 the Pittsburgh Post-Gazette. Distributed by Tribune Content Agency, LLC.
