Prevention is always better – lessons learned from the University of Maastricht attack

When you are running a business, you do not want the additional stress of an imminent data breach. Yet, we all know that criminals are lurking in the shadows of cyberspace, actively searching for weak spots in private and corporate networks to lock, ruin and steal data, and often demanding a ransom before they unlock, repair or return these data. You cannot afford to wait for your organisation to be their next target – to ease your mind, you need proactive action.

On the evening of December 24, 2019, the University of Maastricht in the Netherlands suffered a ransomware attack after an employee opened an Excel file with a macro that gave Russian criminals access to the University’s data. The University had no choice but to pay the requested ransom of $200,000. Furthermore, the situation caused significant damage to the University’s national and international reputation.

Identifying weaknesses

What made the University an attractive target for internet criminals? According to their own response, the main issues were outdated software and low user awareness. They have been working hard to improve in these areas and prevent future attacks. And they are not alone. More and more organisations set up employee awareness programs to train users to recognise potentially harmful files and links. They also keep software up to date so that it has all the patches needed to close potential security gaps. This is very important, especially in these times of increased remote working. In addition, they implement internet security programs to recognise and stop attacks the moment they happen. But is this enough?

Exploiting the criminals’ own knowledge

Many internet activities that cannot bear the light of day take place on the infamous dark web, a part of the internet for censor-free communication and privacy protection. Unfortunately, this also makes it a place where, for example, drug dealers, child abusers, and hackers get a clear run at exchanging illicit content, goods, and services. With regard to cyber security, this includes information such as software vulnerabilities not yet known to the vendor (zero-hour or zero-day vulnerabilities) and information about security gaps, credentials, and user rights. Furthermore, criminals may communicate here about their ideas and plans, sometimes in terms of specific organisations and users. Frightening? Absolutely, but the good news is that we can turn this murky situation to your advantage.

Three-dimensional, proactive approach

Skopos approaches an organisation’s cyber security from three different angles:

  • Skopos scans the dark web non-stop for new software vulnerabilities, while also ‘tapping’ conversations and exchanges between hackers. This may even include specific security information about an organisation and its users. The scans result in the Skopos Exploitation Score, which is the probability that hackers will exploit a given software vulnerability, account or user in the next 12 months.
  • Skopos runs smart, light agents on an organisation’s servers and workstations. These agents take regular snapshots of each device to get an overview of the software status. Combined with the Skopos Exploitation Score, this provides valuable information based on which Skopos can advise an organisation to update or delete certain software.
  • Skopos regularly measures the cyber awareness of employees. If it is too low, Skopos can help to train them in recognising attack attempts, such as phishing and ransomware.

But what is more, Skopos combines these three dimensions into one proactive assessment. For example, an administrator with many user rights and little cyber awareness, who works on a PC with outdated software that is a hot topic on the dark web, is a potential and probable point of entry for criminals. In this case, Skopos would immediately send a high alert to the organisation’s security experts, and advise them how to put an effective defense in place. Proactively.

Could Skopos have prevented the attack on Maastricht University’s data? The user who opened the Excel file worked on a device with outdated software; the vulnerability at issue has a Skopos Exploitation Score of 65,7%. Obviously, this employee did not recognise the e-mail as a phishing mail due to low cyber awareness. So the answer is yes, Skopos would have diagnosed this situation as high-risk before the attack happened. And chances are that Christmas 2019 in Maastricht would have been much merrier and more peaceful.
If you want more peace of mind, too, contact Skopos at