“Each network has its weak spots, including ours”
Martin Romijn, Chief Information Security Officer (CISO) at TU/e, already warned against ransomware attacks back in 2016, and also proposed measures to increase the defensibility of the TU/e network at the time. Some of these measures have been implemented, but others still feature on a wish list. “Hackers look for weak spots in a network, and they found them in Maastricht. But our network has such spots as well. We need to reduce the risk as much as possible,” Romijn says.
The digital misfortune that befell Maastricht University in the last few weeks proves that the threat of cyber attacks continues to be highly topical. Only last Tuesday, GWK Travelex was confronted with a ransomware attack. TU/e Executive Board spokesperson Ivo Jongsma says that the board doesn’t want to make any comments on how the university manages its cyber security at this point, and whether any developments are currently under way in this area. He says that the board decided to remain silent because it doesn’t want to make cyber criminals smarter than they already are.
Therefore, Jongsma can’t say whether TU/e is prepared for an attack with Clop ransomware, which shut down a large part of Maastricht University’s network. Jongsma: “What we can say, however, is that the situation in Maastricht led us to look critically at our own safety devices, and made us consider where and how we need to improve our protection measures. Obviously, we will take into account the lessons learned from Maastricht. We don’t want to speculate on the factual circumstances of the cyber-attack in Maastricht, we leave it to Maastricht University to comment on this.”
Open institution
As long ago as March 2016, CISO Martin Romijn already told Cursor that TU/e is “a very open institution” and that it should most certainly remain one to a certain extent, “but that attitude does make the university’s network very vulnerable.” At the time, Romijn advised the university to reconsider whether certain employees should still have administrator privileges on their work pc, and whether it shouldn’t set up more protected learning and research networks that would be accessible only to those who are directly involved.
Nothing has changed during the last four years as far as that first advice is concerned, Romijn concludes. “That group of employees with administrator rights, which allows them access to the pc and laptop of others, should be made smaller as far as I’m concerned. This involves a group of staff members who are employed by the university and who can be trusted, but that group would be easier to manage if you were to make it smaller. So, this is an issue I would like to raise within the foreseeable future.” He says that four years later, the university did however manage to centrally update the security of the programs on many of the pc’s and laptops used by TU/e staff members and students.
Osiris and Canvas
Romijn says that the introduction of Osiris and Canvas has also contributed to a safer cyber environment, “because the responsibility for the digital security of those systems now lies with the companies that offer them. That’s why we regularly consult with these companies. It also led to clear divisions in our network, which makes it impossible for hackers to infect the TU/e network in its entirety.”
As an outsider looking at the situation in Maastricht, Romijn believes that Maastricht University handled the recent crisis well. According to him, SURFcert, the team within SURF that deals with security incidents, played an important role with advice and support. Romijn: “Hackers are constantly on the search for weak spots in networks, and they found them in Maastricht. Bad luck for them, but weak spots like that can also be found in our network, which is why we need to reduce the risk as much as possible. And that could mean having to make your institution a bit less open in that area.”
Handing in hardware
Another important aspect when it comes to strengthening cyber security, is the responsible disposal of old hardware. That is why Information Management & Services (IMS) calls on staff members to always hand in obsolete hardware at one of the ICT service desks. It’s also possible to have someone collect old hardware at the workplace. However, a great deal of depreciated hardware isn’t properly disposed of, with the risk that private data ends up on the street. According to IMS, many people think they have deleted all data from the system, but it’s almost always possible to retrieve it. That is why it calls on people to hand in old hardware so that it can be disposed of in the proper manner.
Discussion