Member storyA blurred figure walks past rows of servers housed in cabinets.

Cardiff Metropolitan University: emerging stronger from cyber-attack

When Sean Cullinan, head of information services at Cardiff Metropolitan University, realised the university’s systems were under attack, it kickstarted a powerful working relationship with Jisc that transformed security.

The attack was unusual because, rather than trying to access data and files held on the Cardiff Met server, the hackers were instead using the server as a holding place for data stolen from a US organisation.

Cullinan explains:

“Because we are on the Janet Network, we have fantastic resources, network capacity and bandwidth, and so our servers had storage space on them.

“The attackers didn't take any of our data, they just used us as safe storage for other people's data. They'd been in there for three or four months without our knowledge.”

Top of Cullinan’s to do list was reporting the breach to the Information Commissioner's Office, the UK Crime Agency and Jisc, whose head of incident response, David Batho, stepped in to diagnose the problem and worked with the university to build better defences. That same day, David was on Teams with Cullinan working on the breach and spent the next few weeks explaining the story in detail.

The firewall was identified as the weak point. It used unencrypted passwords, including elevated access passwords, making it easy for someone in the system to access all areas. The hackers installed software on different servers that allowed them to move around the organisation, create tunnels and copy data between servers off and on site.

Cullinan continues:

“After we'd investigated the how, the where and the who, we arranged to meet with David to identify all the things that we had to do as a result of his discovery to start reinforcing the systems.

“We met dozens of times and together came up with a programme of work that took us to April 2021, with an initial plan of what we had to do in priority order to tighten up the various access methods, not least of which was keeping our patches up to date on things like the firewall.”

Cullinan also acknowledged the immense contribution of his team, who worked day and night to shore up their highest priority vulnerabilities.

Building a business case

A key step was to commission a penetration test from Jisc to find other weaknesses and benefit from advice on how to improve and update security more generally, which included the recommendation to work towards ISO 27001. Cullinan and Batho also worked together on the critical question of resourcing.

“The most significant thing of all was David’s ability to work with us in identifying how we used current resourcing to manage security within the university in order to bring us in line with other organisations he works with around the UK.”

Together they identified a clear package of what was needed to bring the university up to speed with its security and built a strong business case to present to the digital strategy committee.

“David presented from the investigation point of view, explaining how the breach had happened. I then delivered the business case for what we needed and had David's support throughout, which was amazing.

“To have that level of commitment and support felt like having another person in the team, but someone with the insight my team lacked at that point – we just didn't have that level of expertise in cyber security.

“What was absolutely invaluable was David’s breadth of knowledge and awareness of the rest of the industry. He has vast amounts of credibility and we learned so much from him.

“To be able to bring someone like that along with a business case asking for six more staff when everyone else was in the process of losing staff was a hard sell, but it was done in such a way that the organisation could see it was essential. We were fortunate that the hackers weren’t interested in any of our data this time so it was crucial that we learned lessons to protect ourselves as much as possible for the future.

“We got approval for those six staff, including the creation of a new IT security team of three. That’s still a relatively small team, but everyone in IT has a responsibility and a requirement to deliver security.”  

Cullinan is currently recruiting a head of security to build that new team. It’s taking longer than expected but it was unlikely to have happened at all without the breach and then the ongoing support from Jisc.

Ask for expert help

Having suffered an attack and emerged all the stronger for it, Cullinan has two strands of advice for the sector.

“Firstly, don't wait for a breach or an attack before you contact Jisc. We’d been aware of the Jisc services we could have purchased, but never felt we were in the right place to do so because we’d need to factor in time as well as money and time is the hardest thing to justify. With hindsight, I would have brought in those services many years ago.

“Secondly, we should be capitalising more on the experiences and knowledge of others. If people ask me questions from outside the university, I'm happy to help; I want to give them the benefit of our experiences. Sometimes I don't understand why we don't spend more time talking to those who have gone before – for good or bad. The bad can be just as valuable as the good.”