Don't Take the Bait
Oct. 1 marked the first day of National Cyber Security Awareness Month, which this year celebrates its 10th anniversary. The number of threats colleges and universities face has grown exponentially during that period, and although breaches still occur, information security officials say institutions are more prepared than ever to protect their resources and the people who access them.
“Every single day, we get an average of 12 to 15 million attempts to get unauthorized access to our network,” said Peter Murray, vice president and chief information officer for the University of Maryland at Baltimore. Those figures don’t include the nearly 30 million weekly spam e-mails that are caught by the institution’s filters. “It’s just an amazing amount of garbage.”
The Higher Education Information Security Council, for which Murray serves as co-chair, was founded in the summer of 2000, and since then cybersecurity has “absolutely, radically changed,” he said. “Ten years ago there wasn’t any anti-spam applications or software anywhere. Institutions didn’t buy it -- they didn’t need to.”
Today, institutions spend hundreds of thousands of dollars to protect themselves. Some are hesitant to disclose the nature or number of malicious attacks, as hackers can take that information and launch more effective security workarounds. “One little crack in the foundation, and believe me, a spammer will get through and get access to the resources on your campus,” Murray said.
Hackers care little about the term structures of American universities, and although several universities this summer announced network breaches -- including the University of Delaware and Stanford University -- that does not mean hackers had been lurking in the digital shadows, waiting for students to head home for the break, said Murray.
The University of Delaware declined to comment for this article, and a spokeswoman said the institution will not discuss the technical details of how it has changed its security processes. Stanford University did not respond to a request for comment.
The surge in cybercrime across the board is staggering in and of itself. In 2012 alone, computer security company Symantec estimates the total number of targeted attacks increased by 42 percent over the previous year. Despite these developments, Murray said he is optimistic about the higher education industry’s ability to respond.
“You can never be 100 percent foolproof in blocking everything -- it’s just going to happen,” said Murray. “The bottom line is, as an industry, we’re doing very, very well.” While 12 million daily attacks is by no means a small number, he said hackers have been even more relentless in their attempts to breach financial institutions.
Universities usually have a series of safeguards in place to protect their networks, including filters that identify spam and firewalls that block intrusion attempts. In case a hacker slips through the cracks and takes control of a computer connected to the network, the next line of defense often involves isolating it before the hacker can cause any major damage -- like compromising student account information.
Yet IT offices can only do so much, and it takes only a single careless click and login attempt for someone at a university to give away their credentials. The scam is known as phishing -- a spammer will send an e-mail from what appears to be a trusted source with a link that appears to lead to one site but navigates somewhere else, like this: http://www.insidehighered.com (hover over the link to see where it actually goes). The rogue site will mimic a familiar website -- like a bank or a university -- and ask visitors to divulge their username and password.
Temple University is one of many institutions participating in the awareness month, and phishing is one of this year’s themes, said Seth Shestack, associate director of information technology.
“Like all universities, we’re both scammed and attacked on a regular basis,” Shestack said.
Temple will also spend October reminding students to protect their online activity and practice safe social media use. Those messages will be broadcast through PowerPoint presentations on flat screen TVs across campus. Like any self-respecting university-sponsored event, there are freebies: a mug that reads “Don’t Take the Phishing Bait.”
Even with these programs in place, there is no piece of software to protect against user error. Hacking has become somewhat of a catch-all term for any security breach, especially among teenagers and students active on social media. An unattended device that can access Facebook or Twitter can be used to prank followers by posting updates under someone else’s name, and once discovered, the owner often exclaims, “I’ve been hacked!”
“We’ve got two categories: a user error category and a dummy-you-shouldn’t-have-shared-your-password-with-a-roommate-or-boyfriend category,” Shestack said. Most cases fall into the latter category, he said, as many students would rather cry hacking than admit they let someone else access their account. “We have a specific slide for boyfriend-girlfriend issues, because it’s such a big one.”