As you know, we are increasing our focus on cybersecurity. If we need to be reminded why this is important, we can look at the University of Michigan. They started class this semester with their network cut off from the internet and none of their enterprise systems available to staff, faculty, or students.
On October 23, the University of Michigan released a statement on the cyberattack. They said that the attacker accessed SSNs, driver’s licenses, financial and credit card data, health information for students, applicants, alumni, donors, employees, contractors and research study participants. They are paying for credit monitoring for all the victims, contracting for a call center, plus whatever fines are imposed by the various regulatory agencies. The financial cost to the institution will be millions of dollars. I know that Penn State’s breach in their College of Engineering cost them $10 million and 40,000 staff hours. I don’t believe MIchigan knows the final cost yet.
How (we think) Michigan got compromised
Through unsubstantiated sources I have heard disturbing and familiar reports of how this happened. An account password was compromised that had access to key parts of a unit’s infrastructure. Their security team detected the attack and told the unit to immediately reset all passwords. The unit leaders thought that it would be too disruptive and declined to do so. The attack subsequently spread throughout the university, allowing the attacker to access the above sensitive information and precipitating the need to disable internet access for the campus during the first week of class..
Units cannot accept risk for NYU
During the UCIO Council meeting yesterday, the question arose about a hypothetical case in which a dean decides not to enforce security standards because of the impact on the mission. Rich and I reiterated that deans and VPs cannot accept risk on behalf of NYU. They typically don’t have the background and experience to fully understand cyber risk. Michigan is a great example of why they cannot. If there is a mission impact, work with GOIS. Compensating controls can usually be found that address the risk without severe impact on the mission.
Our Incident Response Plan
Cyberattacks are a fact of life. When they happen, it is critical that we react as quickly as possible and in a coordinated and methodical manner. Incident Response plans are the best way to ensure we know what to do and how to do it. Consistency matters. Incidents can rapidly escalate into large-scale crises. It is crucial to have a response plan that can scale with the incident to ensure an effective response. GOIS has implemented incident response practices and protocols to facilitate efficient responses, including threat identification, containment, and coordination of necessary steps for system restoration.
Attackers move laterally through a system
Don’t underestimate the impact of cyber incidents. They seldom occur in isolation. Attackers move through our network establishing a persistent presence while elevating their privileges searching for valuable information. NYU must use a systematic approach to incident response and analysis in order to comprehend the scope of the intrusion and react appropriately. We must fully contain and eradicate any compromise
Familiarize yourself with our plan before you need to use it
Best practices in incident response have evolved over time. NYU’s incident response plans ensure that we adhere to these best practices for containing threats, safeguarding our systems, and promptly reporting issues when required. Be familiar with the plan and use it when suspecting an intrusion.
IR Plan: https://www.nyu.edu/servicelink/KB0020062
IR Quicksheet: https://www.nyu.edu/servicelink/KB0020039
(reminder: you have to be logged in to see the article)
Also, reporting phishing emails to phishing@nyu.edu has been instrumental in helping NYU detect email-based threats and enhancing our ability to block malicious content and files. For non-phishing incidents, please email security@nyu.edu.
Please checkout our year-long City Smart, Cyber Smart campaign and our media tool kit for ways you can help educate your community about the importance of best practices and their personal responsibilities so we can strengthen our protection against attacks.