In May 2019, the University of Duisburg-Essen (UDE) was able to prevent a ransomware attack just in time. For the Cyber Security Month 2020 initiative, GÉANT contacted Marius Mertens, CISO of UDE, to learn how the university managed to prevent such attack and talk about the main challenges in the area of cyber security.
Marius, what are the crown jewels of UDE?
The answer depends on the person who’s asked to answer this question. Our IT infrastructure is highly decentralised and our scientists will mainly view their own (research) data as critical. I myself see 3 important crown jewels: in the first place, all the personal data we keep. As a result of the GDPR, violations can cause not only serious financial damage, but also reputational damage. In addition, anything connected to our central IT infrastructure, given that the unavailability of these systems would have a major impact on our business continuity.
Finally, I also consider our HPC systems to be one of our crown jewels. Our HPC infrastructure was among the top 500 supercomputers in Europe launched in June 2016, we ‘hire’ this infrastructure to other scientists as well. If anything goes wrong, the cost of repairing it would be very high due to the required support from the manufacturer and the complexity of the system. In addition, a downtime would entail huge costs when converted to the price tag of the lost CPU hours. For example, losing CPU hours for one week would cost us € 75,000.
What are the main threats to you in terms of cyber security? And how do you mitigate the risks?
Externally, everything sent via e-mail poses a great risk. We also notice that these e-mails are becoming more sophisticated and the attackers quickly change their strategy if something turns out to be unsuccessful. Even when we take countermeasures, they stay one step ahead of us. In addition to masses of phishing attacks, we are also regularly confronted with other forms of social engineering. Recently, several people in our organisation were the target of an attack in which they received an e-mail from their alleged head of department asking them to urgently buy some gift cards as a business gifts on their behalf. Those e-mails looked very professional and everything looked right, down to the smallest details. The hackers used some standard techniques to trap people, such as the authority of the sender and the urgency of the question. Also, from outside, we regularly must deal with DDoS attacks. To mitigate these, we call on the services of DFN.
Internally, patches that have not been implemented correctly, and other vulnerabilities, pose a potential risk. This also applies to users who have only recently started working with a PC and do not know how to do so safely.
In order to mitigate the risks, we focus on a combination of training/awareness for users on the one hand and better security of our systems on the other hand. The latter serves as “damage control”.
What do your awareness initiatives involve?
In terms of awareness, we combine various initiatives. For example, our IT department regularly disseminates information to our users, including via the UDE website: how to recognise false messages, what are the current vulnerabilities, etc. For the past three years, we have also been providing training courses to our users. These are recorded and can be watched again afterwards via our website. Currently, we are preparing training courses for small groups. The challenge is to attract the right people and not just those who are already well informed.
We tailor our information to the profile of the users: for our administrative staff, we focus on the safe use of existing tools. For them, we formulated 10 golden rules for good, basic cyber hygiene. For employees who have admin accounts, this information is superfluous. We mainly provide them with technical tools and make sure, for example, that they know how to configure a tool in a safe way.
In addition, our university has a hotline that acts as a SPOC for our users. They can report security problems or ask questions about information security there. The hotline is ‘operated’ by students during their work experience. Whenever they cannot answer they forward the query to second-line support. We notice that many users at UDE are very aware of cyber security.
Exchange of information and knowledge is also very important to us. DFN shares information about leaks with all member organisations. For example, if we notice that an e-mail account has been hacked and is being used to send spam, we will ask the user to replace their login details immediately.
How do you support these measures at a technical level?
For passwords, we require a certain length and combination of characters. Replacement on a regular basis is currently not mandatory. We adjust the password requirements according to the criticality and risk of the application in question. We also recommend that our users work with a password manager.
In addition, we monitor the frequency of outgoing e-mails. In case of any deviations, we take immediate action. For incoming e-mails, we use a spam filter, which we manually supplement with user reports.
Last year, you faced a cyber attack that was able to be averted just in time. What exactly happened?
The hackers used Emotet, a piece of malware that can take over victims’ e-mail communications and spread. Emotet is also the carrier for the ransomware; the hackers intended to lock data out in exchange for ransom money.
The original infection usually occurs via macros in outdated file formats (such as .doc, .xls, .ppt) sent as e-mail attachments. An alarm bell went off in May 2019 when we noticed that certain PCs in our network had started sending automatic replies to e-mails they received. In the end, 5 computers turned out to be infected. Presumably, malware was installed on these PCs via phishing e-mails. The attackers thus gained access to the e-mail addresses and contacts of the affected employees. Their infected PCs sent false replies to previous e-mails they had sent to their contacts. This, in turn, allowed them to infect other PCs.
As CISO, I received such an e-mail myself at one point. We then realised that something suspicious was going on. With hindsight, this phase was a preparation for carrying out the actual ransomware attack. Further investigation also revealed that the attack had most likely begun in 2019. So it took almost half a year for us to find out.
What actions did you take?
We immediately placed a warning on our website and alerted our admin accounts. In half an hour, we managed to warn all our admins not to use admin credentials on the infected machines.
We were also able to quickly identify the infected PCs. The accounts of the users involved were all re-set and the users were given a new workstation. We were fortunate that our users and admins themselves responded very quickly – this is the best proof that it is important to create an awareness-raising culture at your organisation!
Finally, we immediately decided not to allow the receipt of outdated Office document formats, in order to increase security for our users. This is because, in 99% of cases, we notice that attackers choose ‘old’ formats to spread macros/malware. These kinds of Office files look “safe” to users, and with such formats, one can’t see if they contain a macro. New Office formats can, of course, still be received by our users.
What are the most important lessons learned?
We decided to hone our cyber security strategy, both on the technical and the awareness front:
- We took a series of technical measures, such as improving our Active Directory (the aim is to prevent attackers from taking over the entire system)
- We are even more committed to raising awareness about phishing by teaching our users how to distinguish ‘good’ e-mails from ‘bad’ ones. We also expressly ask them to contact our hotline in the event of the slightest doubt or question.
- After the attack, we shared our experience and knowledge with our stakeholders. We gave a presentation on the case at last year’s DFN conference. We also shared our experience in the security working group in which several German universities are represented, and which is facilitated by DFN. In this private community, we can share confidential information with each other. We also shared our information with the DFN CERT.
What advice would you give to other organisations in the R&E community?
First of all, get ready! It is not a question of whether you will be attacked, but of when. Make sure you limit the damage of successful attacks. And try to get rid of legacy Office formats as soon as possible, as these only benefit hackers.
About the University of Duisburg-Essen and Marius Mertens
The University of Duisburg-Essen (UDE) has existed in its current form since 2003 and is the result of a merger of 2 universities. With its 43,000 students and almost 6,000 employees, UDE ranks among the top 10 largest universities in Germany. In addition to education, research is an important task at UDE. For example, the university has its own HPC centre where both internal and external researchers can make use of the computing power of a supercomputer. The university is connected to the German research network DFN and houses a core node of the DFN network in Essen, through which other R&E institutions can also connect to DFN.
Marius Mertens is the Chief Information Security Officer (CISO) at UDE and advises management on IT security and works closely with network engineers from the IT centre.
Read more on the GÉANT Cyber Security Month 2020: https://dev.connect.geant.org/csm2020