Wave Systems Corp. (fka WAVXQ)

[Genz2]

Hackers broke into university networks in just two hours

https://www.zdnet.com/article/hackers-broke-into-university-networks-in-just-two-hours/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem:+Trending+Content&utm_content=5ca6820400e48b00017e0be6&utm_medium=trueAnthem&utm_source=twitter

Penetration testers testing university networks were able to use phishing emails to gain administrator access and access personal data, financial information and confidential research.

Ethical hackers testing the security of university networks found they were able to breach networks and access high-value data in under two hours in every single penetration test they performed.

Almost 50 universities across the UK were a part of the test and ethical hackers working on behalf of The Higher Education Policy Institute (HEPI) and Jisc, a not-for-profit digital support service for higher education, were able to successfully use spear-phishing attacks to gain access to sensitive information.

In some cases, it was possible in under an hour; in others, universities were compromised across multiple campuses.

Penetration testers were able to gain complete access to system information by acquiring domain-level administrator access to control systems. That enabled access to personal information about students and staff, information about financial records, and even the ability to hack into databases and networks containing sensitive research data.

A common tactic in spear-phishing attacks targeting universities is for cyber criminals to spoof an email to look as if it comes from a senior member of staff and send it to people they're known to work closely with. These messages will send victims to websites that attempt to steal credentials, or contain attachments which will drop malware.

The public-facing nature of universities often means it's easy for cyber criminals to conduct reconnaissance on the departments they're targeting, as staff will be listed on the university website.

The findings have been laid out in a research paper and it comes following a series of high-profile hacking campaigns targeting universities over the course of the last year.

A North Korean advanced persistent threat group targeted individual academics with spear-phishing emails designed to trick them into downloading a malicious Google Chrome extension, while last summer an Iranian hacking operation was detected targeting universities around the world in an effort to steal intellectual property.

"Cyberattacks are becoming more sophisticated and prevalent and universities can't afford to stand still in the face of this constantly evolving threat," said Dr John Chapman, head of Jisc's security operations centre and the author of the report.

"While the majority of higher education providers take this problem seriously, we are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment. To avert a potentially disastrous data breach, or network outage, it is critical that all university leaders know what action to take to build robust defences."

The report lists a number of things universities should do in order to help protect their networks from attacks. They include knowing where data is stored and who has access to it, and ensuring systems and software are patched and up to date to prevent attackers exploiting known vulnerabilities.

It's also recommended that staff and students are trained in security awareness to help them spot phishing emails and provide information on how to report suspicious incidents or suspected attacks.

Jisc also recommends that universities should be performing regular vulnerability scans and that an incident response plan should be in place, should the worst happen.

"Universities are absolutely reliant on connectivity to conduct almost all their functions, from administration and finance to teaching and research. These activities accrue huge amounts of data; this places a burden of responsibility on institutions, which must ensure the safety of online systems and the data held within them," said Professor David Maguire, chair of Jisc and vice-chancellor of the University of Greenwich.

"Developing strong cybersecurity policies is vital, not only to protect data, but also to preserve the reputation of our university sector," he added.
==================================================================
The Wave Alternative and Wave VSC 2.0 could have a tremendous, positive effect on the universities cybersecurity posture. Relying on education as a means to stop the effects of spearphishing seems to carry a fair amount of risk when a 2FA solution like Wave VSC 2.0 could drastically lower the risk.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Excerpts:

Key Features:

Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
==================================================================
https://www.wavesys.com/wave-alternative

Excerpts:

You have to start with the device

Wave has an alternative: security that’s built into each and every device.

We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.

We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.

Security that’s confirmed, not assumed

With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.

A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.

Do we need to say that with Wave, compliance is no problem?

Please see the rest of the Wave alternative link for more....
=================================================================
https://www.wavesys.com/ is a site that summarizes what better cybersecurity could be for a LOT of organizations!!!