Cybersecurity at UCT
Since the beginning of 2017, over 1100 security incidents were reported to the UCT Cybersecurity and Incident Response Team (CSIRT). Fourteen of these were classified as high risk, while the rest were either medium or low risk.
Many of the incidents logged were resolved quickly and had relatively little impact on the UCT community due to the intense security measures that are currently in place.
There are, however, some that caused a bit of damage…
During the early hours of 19 July 2017, unsuspecting UCT students received an email which indicated that their mailbox quota had been exceeded. According to the email, they wouldn’t be able to receive or send email messages unless they downloaded the attached licence. While some were wary of the email and took no action, others followed the instructions provided, and soon their email addresses were used to spread the phishing email, resulting in many more people being affected.
As soon as the UCT CSIRT discovered the security breach, they put a stop to the attack by blocking the infected accounts. Over 600 students had to change their passwords and have their devices scanned before they could once again use their mailbox to send mail.
Since then, similar phishing attacks have taken place, but more and more people are becoming aware of the risks and are taking the time to stop and think before acting.
Email spoofing
The UCT CSIRT was notified of an incident where an external person was receiving emails from a UCT email address. After investigating, it was determined that the email wasn’t sent by the UCT staff member. Instead, his email address was being spoofed. The mail server used to send the offending emails was traced back to Poland.
The UCT CSIRT reported the incident to the international blacklisting services and asked for the server to be blacklisted. This means that emails will no longer be sent via this mail server. UCT also recommended that the email recipient make sure SPF records are configured on their organisation’s mail servers so that the organisation is protected. (SPF is a type of Domain Name System (DNS) record that identifies which mail servers may send email on behalf of your domain.)
Strategy outlines the management of security incidents at UCT
Because cybersecurity incidents like these are becoming more frequent, UCT has developed a cybersecurity strategy that will enable the university to keep the UCT network and its systems secure. Based on the cybersecurity framework provided by the National Institute of Standards and Technology in Maryland, USA, the strategy provides a process to identify, protect, detect, respond to, and recover from cybersecurity incidents.
The UCT CSIRT assists with implementing this strategy, addresses all security incidents (regardless of size), and strives to implement the necessary processes.
ICTS has also enlisted the services of BitSight, Mimecast, and SANReN’s CSIRT to monitor, evaluate, and protect the systems and services in use at UCT.
While the key focus is to protect the university’s information assets, the university also aims to help other universities and associations with setting up their security measures. ICTS’s Executive Director, Sakkie Janse van Rensburg, has presented at numerous conferences and forums highlighting the steps that UCT took to get to where we are today.
He also hosted the inaugural Cyber Security Symposium Africa at UCT earlier this year. The event brought together security experts to share information and form collaborations. After the conference, he hosted the first ASAUDIT Cybersecurity Special Interest Group (SIG). This half-day session saw representatives from South African universities working together to establish a Higher Education Computer Emergency Response Team (CERT). Thereafter, the group looked at developing a strategy and governance structures for the SIG.
Cyber threats are a rapidly growing concern, and with strategies and initiatives such as these, UCT aims to be a cybersecurity leader in the South African Higher Education sector.