Institutions of higher education continue to have problematic password policies, lack multifactor authentication (MFA), and have a plethora of open ports — despite suffering dozens of ransomware attacks and targeting by attackers focused on stealing student information and university research, according to a new study published Tuesday.
An analysis by cybersecurity services firm BlueVoyant of publicly reported cybersecurity incidents involving higher education found that over the past two years, about 9% of the passwords on a common list used by attackers matched those used in combination with a university-assigned e-mail address. Meanwhile, about two-thirds of universities had no DNS-based e-mail security protocols in place, and 38% of all universities had at least one open database port.
While universities have traditionally seen the same types of attacks that other organizations do — and perhaps more nation-state espionage attacks because of their research, especially at institutions focused on COVID-19 — their openness and vulnerability put them at greater risk, says Austin Berglas, former head of cyber at the FBI's New York office and global head of professional services at BlueVoyant.
"The risks that we outline are not impossible to remediate," he says. "However, especially in COVID times when you have an already-understaffed and underfunded IT team whose primary focus is to make sure that everyone has a working laptop and camera for remote learning ... it is daunting."
Because educational institutions are focused on access to learning and freedom to exchange knowledge, security is often a difficult prospect. In the US, almost every student — 97% — used their own laptop for at least one course and 89% used their own smartphones, according to an October 2019 survey conducted by the EDUCAUSE Center for Analysis and Research. A UK study found similar usage, with 93% of students using their own laptops and 83% using their own smartphones.
The combination of students using personal systems with the difficulty in enforcing security policies undermines many of the potential protections. When online textbook service Chegg suffered a compromise in April 2018, about an eighth of the 40 million subscribers affected by the breach used their university e-mail addresses as passwords, the BlueVoyant report states.
Those credentials, combined with password reuse and weak security policies, make such breaches a significant threat, says Berglas.
Looking at a subset of 30 public universities, BlueVoyant's analysis found an "across-the-board lack of basic e-mail security and a lack of multifactor authentication," he says. "This makes phishing, for example, a huge vulnerability."
Passwords continue to be a large issue, especially because MFA has not made significant inroads at schools.
BlueVoyant collected billions of credentials from publicly available username and password lists, so-called "combolists," and compared those credentials to a list of 14.3 million popular passwords — the RockYou.txt file. Of the credentials that used an e-mail address from a .edu domain as a username, about 9% had passwords on the RockYou.txt list, the company found.
The problem extends beyond just gaining access to student e-mail messages, says Berglas.
"There is a massive amount of password reuse going on," he says. "Students and staff use their .edu accounts not just for school stuff, they use it for everything. And they often hang onto them long after they graduate. And so we see the reuse of those passwords be really critical with credential-stuffing attacks and brute-force attacks, and with allowing the bad guys to utilize those credentials for multiple other accounts."
Such weaknesses make attacks easier for the top higher-education attacker — ransomware gangs. With most schools offering virtual learning during the spring semester, they are particularly exposed to the operational disruption that ransomware attackers rely on to force payment, Berglas says.
"When they had on-site learning prior to the pandemic, if a school got hit with ransomware, maybe they could make the business decision to not pay the ransom because they could fall back to old-school learning," Berglas says. "But when 100% of your students are remote learning, and then you get hit with ransomware and the network goes down, it is forcing the hands of these universities to pay the ransom."
The company advised universities to adopt long passwords and implement MFA across all sensitive accounts, including e-mail access. To enforce these requirements, universities should monitor authentication attempts for anomalous activity and lock accounts that show atypical behavior. In addition, password strength should be checked using blacklists, strength tests, or machine-learning algorithms designed to spot weak passwords.
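The controls in the last paragraph, worked through as an added Python example that is not BlueVoyant's code: a weak-password blacklist check of the same shape as the study's RockYou.txt comparison, a rule rejecting passwords that embed the account's own e-mail address, and a lockout rule for accounts with a burst of failed logins. The weak-password list, the credential pairs and the authentication-log lines are constructed stand-ins, not the study's data; `MIN_LENGTH`, the lockout threshold and the window are assumed policy values.

```python
"""Password-blacklist, e-mail-reuse and failed-login lockout checks.

Added example; the weak-password list, credential pairs and log lines below are
constructed for illustration and stand in for real data (e.g. RockYou.txt).
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a large popular-password list such as RockYou.txt.
# A real deployment would load the full file into a set (or a hashed set).
WEAK_PASSWORDS = {"123456", "password", "qwerty", "iloveyou",
                  "princess", "football", "welcome1"}

MIN_LENGTH = 14  # assumed policy value ("long passwords")

# Constructed username/password pairs in the style of a leaked "combolist".
CREDENTIALS = [
    ("alice@example.edu", "iloveyou"),
    ("bob@example.edu", "Tr0ub4dor&3-long-enough"),
    ("carol@example.edu", "Winter-Breeze-2021!"),
    ("dave@example.edu", "quantum-kettle-47"),
    ("eve@example.com", "password"),  # not a .edu username, excluded below
]

# Constructed authentication log: ISO timestamp, account, FAIL/OK.
SAMPLE_AUTH_LOG = """\
2021-03-02T09:00:01 alice@example.edu FAIL
2021-03-02T09:00:03 alice@example.edu FAIL
2021-03-02T09:00:07 alice@example.edu FAIL
2021-03-02T09:00:12 alice@example.edu FAIL
2021-03-02T09:00:20 alice@example.edu FAIL
2021-03-02T09:01:00 alice@example.edu OK
2021-03-02T09:00:02 bob@example.edu FAIL
2021-03-02T09:30:00 bob@example.edu FAIL
2021-03-02T10:00:00 bob@example.edu FAIL
2021-03-02T10:30:00 bob@example.edu FAIL
2021-03-02T11:00:00 bob@example.edu FAIL
2021-03-02T09:05:00 carol@example.edu OK
"""


def password_problems(password: str, email: str) -> list:
    """Return the policy violations for a proposed password (empty list = accepted).

    Checks length, membership in the weak-password list (case-insensitive), and
    whether the e-mail local part appears inside the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak-password list")
    local_part = email.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the e-mail address or its local part")
    return problems


def match_rate(credentials, weak=WEAK_PASSWORDS, domain_suffix=".edu") -> float:
    """Measure, as the study did, what fraction of credentials whose username is
    an address under `domain_suffix` use a password found on the weak list."""
    edu = [(u, p) for u, p in credentials if u.lower().endswith(domain_suffix)]
    if not edu:
        return 0.0
    hits = sum(1 for _, p in edu if p.lower() in weak)
    return hits / len(edu)


def parse_auth_log(text: str) -> list:
    """Parse 'timestamp account RESULT' lines into (datetime, account, succeeded)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result = line.split()
        events.append((datetime.fromisoformat(ts), account, result == "OK"))
    return events


def accounts_to_lock(events, threshold=5, window=timedelta(minutes=10)) -> set:
    """Return accounts with at least `threshold` failed logins inside any
    sliding `window` (assumed lockout policy values)."""
    failures = defaultdict(list)
    for ts, account, ok in events:
        if not ok:
            failures[account].append(ts)
    locked = set()
    for account, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                locked.add(account)
                break
    return locked


if __name__ == "__main__":
    print(password_problems("123456", "bob@example.edu"))
    print(f"weak-password rate among .edu credentials: {match_rate(CREDENTIALS):.0%}")
    print(accounts_to_lock(parse_auth_log(SAMPLE_AUTH_LOG)))
```

On the constructed data, one of the four .edu credentials uses a listed password (a 25% rate, against the roughly 9% the study reported on real combolists), and only the account with five failures in under a minute is locked; the account with failures spread half an hour apart never accumulates five inside the ten-minute window, which is the behavior you want so that ordinary mistyping does not trip the lockout.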