Outdated Protocol Exposes University to Cyber Attack

The Network: A decentralized university with 34,000 students, dozens of departments, over 9,000 employees and hundreds of servers with assets to protect including student identities, commercially-funded programs, government-led research, and technology initiatives. System administrators use SSH, or Secure Shell protocol, for remote login to critical servers across the dispersed campuses.

The Expectation:  The university will protect student and employee identities and protect confidential and valuable intellectual property from unwanted access by insiders and external adversaries. Universities are common targets for cyber attackers looking to monetize data, hold it for ransom, or even conduct cyber espionage to steal research and development secrets. Attackers frequently target student identities and employee payroll information.

The Catch: The university is a Netsurion client with 24/7 EventTracker Security Operations Center (SOC) monitoring. The SOC analyst uncovered a large volume of login anomalies, all from a single IP address which can signal a cyber attack. These anomalous logins are known as brute force attacks or dictionary attacks because they often involve attempts to guess common passwords and passphrases to gain access to privileged user accounts and then move laterally within the organization.

The Find: The analyst at the EventTracker SOC detected over 125,000 brute force login attempts aimed at the higher education network using ssh v1, a weak remote access protocol. An ssh v1 vulnerability (CVE-2001-1473) was publicly disclosed in 2001.

The Fix: EventTracker promptly notified the university of the brute force login attempts. The EventTracker SOC analyst recommended several additional steps to protect the campus and its sensitive data:

  • Verify that OpenSSH on academic servers uses the more secure ssh v2 protocol.
  • Conduct periodic vulnerability scanning to identify security gaps that cyber attackers can exploit.
  • Ensure that patch management for servers and workstations is comprehensive and continuous.
  • Conduct security awareness training for both IT and security staff as well as the teaching staff.
  • Educate users on strong password practices.

The Lesson: More than 99% of successful cyber attacks exploit vulnerabilities that have been known and publicized for many months, if not years in the case of ssh v1. Security fundamentals and prompt patching are crucial and will protect organizations against more than 90% of attempted attacks. Consistent network monitoring is also crucial for visibility and advanced threat protection.