Learning from mistakes in data security

Ransomware attacks the focus of TRU’s third annual Privacy and Security Conference

TRU’s third annual Privacy and Security Conference was host to over two hundred attendees and multiple vendors. (Wade Tomko/The Omega)

Coinciding with international Data Privacy day, TRU hosted its third annual Privacy and Security Conference in the Grand Hall on Feb. 1.

The conference, which presented the opportunity to teach TRU about privacy and data security, began with a message from university president Alan Shaver.

“Today’s level of interconnectedness is a wonderful tool for universities. Instant connections between students, faculty and staff, instant access to libraries, databases, research labs and anything else you can imagine. This is all viewed as essential now to our mission,” Shaver said.

“At first we took this wonderful openness for granted. Now we know that criminals, corporations and governments are listening.”

Shaver’s opening remarks would set the tone for much of the conference, which largely focused on the dangers to the personal data and privacy of students and staff at institutions like TRU.

The event, which hosted just over 200 attendees and a dozen vendors according to Hugh Burley, TRU’s information security manager, officially started with a presentation on the University of Calgary’s ransomware attack last year.

Ransomware is a kind of malicious software attack that holds data hostage, threatening to destroy or exploit it unless the user gives in to demands for cash.

Linda Dalgetty, UoC’s VP finance and services, was at the center of the university’s ransomware attack when it happened last May.

Dalgetty said that despite UoC’s strong information security infrastructure, gaps in their defences were found and exploited. A lot of the devices that were affected by malware in the attack were never loaded with protection against such attacks, Dalgetty said.

“We found one device with over 2,000 malware signatures on it. It had never been loaded with any malware protection,” she said.

Many of the devices with high levels of malware infection were unmanaged by IT services or were hidden behind other devices like routers.

In addition to this, Dalgetty also claimed that some of the faculty and staff passwords for the UoC exchange email server hadn’t been changed in decades.

“Universities don’t like changing passwords,” Dalgetty said. “We had some people at the university, wearing it like a badge of honour, that they hadn’t changed their email password in 27 years.”

The attack, which wiped out the “exchange email of over 9,000 accounts, the active directory and Skype for business,” effectively disabled all of the UoC’s communication, Dalgetty said. Where they previously relied on email, the university now had to resort to using less instant forms of communication.

“A lot of people said the one good thing to come out of this was that we actually talked to each other,” Dalgetty said.

“We had interpersonal meetings. An email chain of 15 emails could just as easily be conveyed by a single phone call.”

The university would eventually end up paying the ransom of $20,000, and much of the lost data was returned. Despite this, much of what was restored was restored the old-fashioned way: with backups.

However, the attack gave the UoC the chance to learn from their mistakes and act as an example to other institutions who may face similar challenges in the future. Dalgetty cited the emergency response team set up in the critical hours after the attack, as well as external help from cyber security firm, IPS Deloitte, as two important components in achieving what success they did have.

“You need both a strong external firm, like Deloitte, that is looking at the dark web, complemented by a strong internal team that is managing the security of your environment,” Dalgetty said.

Most important though, is the education of your users, she said.

“Users are your greatest defence and your greatest weakness,” Dalgetty said.

“Boy, people like to click. That’s why we look for every avenue we can to get out there and get people learning.”