The recent attack on a Dutch university demonstrates much of what IT organizations shouldn’t do if they want to avoid an attack.
According to Michiel Borgers, Chief Information Officer at Maastricht University, the university was the target of a phishing attack in October of last year that gave cybercriminals access to its network. The attackers “spent the following weeks exploring the systems and gaining credentials to access more secure parts of the infrastructure,” said Borgers. And in December, the university paid a ransom of $217,000 to decrypt files.
Sounds like a pretty standard cyberattack story… until you hear all the things that went wrong.
- Security solutions didn’t stop the phish – even with solutions in place, phishing emails made their way into a user’s Inbox, making the user the last (and, in this case, the least effective) line of defense.
- Users played the role of the victim – as always, a user was tricked into clicking on malicious content within an email, setting the campaign in motion.
- IT wasn’t paying close enough attention to detail – after the initial phishing email was discovered and the malicious link blocked, no additional steps were taken to check whether subsequent emails used the same URL and to confirm that the university wasn’t under a targeted attack.
- There were too many alerts – Alert storms are all too common. Too many red flags mean IT teams are paralyzed, not knowing which alerts to follow up on. And with the bad guys apparently moving laterally around the network leveraging compromised credentials over a period of months, there must have been quite a few.
A report on the attack, what should have been done, and what the university plans on doing moving forward was published this month.
The challenges the university experienced show how the problem only gets worse over time. The place to stop an attack is where it’s easiest – when it’s a matter of a single email and a single user. No thousands of potential alerts, no campaigns of emails to deal with… just one user and the decision of whether to click on an attachment or not.
Security Awareness Training is one of the needs outlined in the report. The university sees this training as the key “to reduce the number of successful malicious attempts to attack.”
Lots of things can and will go wrong with IT’s ability to respond to a cyberattack. The one factor that IT generally has no control over is the user. By putting Security Awareness Training in place, IT organizations regain a measure of control by engaging with the user to play a role in organizational security.