Michael Hites, Sr. Associate VP & CIO, University of Illinois System
How can you prove who you are when your identity can be stolen? In the 1990s I had my ID stolen by someone who took the data from my checking account off a personal check (name, address, checking account number) and created a new driver’s license with his picture on it. When he went to the bank, he tried to deposit a $5000 check and withdraw $1000. Fortunately, the people at the bank knew me, so my money was safe. Today, it doesn’t take much for someone to Photoshop a set of documents that show you in a completely different context.
In a university environment, it is important for you to prove your identity. Many organizations are using two-factor authentication to accomplish that. The two factors are something that you know and something that you have. What you know is your username and password, and what you have is your smartphone. The combination of these two factors adds a significant amount of security because an attacker would need both your credentials and possession of your phone to log in. Two-factor authentication is available at banks and at email services like Google, so if you use a free email account for e-commerce you can enable it to verify that you are the correct person using the account. On a personal level, many people use the same username and password for several or all of their e-commerce accounts. This means that if someone gets a single username and password for you, they can access many sites. It is better to use a password manager application so that you have a different password for each of your accounts. I use LastPass, which uses a long passphrase to unlock all your other credentials, but there are many other applications on the market.
There is phishing and then there is spear phishing. With regular phishing, a mass email is sent to many people in the hope that at least a few will give up their personal and login information. So, what can a criminal do with your information? If they take a credit card number, they can charge something at an e-retailer and have it sent to someone else. They could log in to a university account and change the direct deposit information. If this happens at your university, do you have a policy that explains who is at fault? Is the employee at fault because they voluntarily gave up their login information, or is the university at fault because it allows an online method to make changes?
Spear phishing is a targeted message. The attacker knows that your President goes by Billy and not William, and they create a message asking to transfer funds or route a purchase request in a hurry. This type of message looks real enough that it can be forwarded between employees without anyone realizing it is a fraud. Most of the time, someone in the approval chain recognizes that it is fake. If not, it could be costly.
At our university, we also train employees by sending them simulated phishing messages. Every so often, we send a message to a small group of people, crafted using only information publicly available on the internet. We also do URL rewriting within the body of the message to prevent people from clicking on a link that says one thing but goes somewhere else. Finally, we encourage managers to thank people when they don’t fall for a spear phish.
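As an added example (not the university’s own tooling), here is a Python check of the kind that the URL-rewriting step relies on: it flags anchors whose visible text names one domain while the href points to another, and it routes every href through a click-time checking redirector. The message is constructed, the domains are reserved example names, and `safelinks.example.edu` is an assumed redirector address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlparse

# Constructed sample in the style of the spear phish described above (reserved example domains).
SAMPLE_HTML = ('<p>Hi Billy, please approve the wire at '
               '<a href="http://payroll-update.example.net/login">https://portal.example.edu/payroll</a>'
               ' before noon. <a href="https://portal.example.edu/help">Need help?</a></p>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(url: str) -> str:
    """Last two labels of the host, e.g. portal.example.edu -> example.edu."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def looks_like_url(text: str) -> bool:
    """True when the anchor's visible text itself reads as a URL or bare domain."""
    return "://" in text or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text.lower()) is not None

def deceptive_links(html: str) -> list:
    """Links whose visible text names one domain while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if looks_like_url(text) and registered_domain(text) != registered_domain(href)]

def rewrite_links(html: str, redirector: str = "https://safelinks.example.edu/?u=") -> str:
    """Route every href through a click-time checking service (hypothetical address)."""
    return re.sub(r'href="([^"]*)"',
                  lambda m: 'href="%s%s"' % (redirector, quote(m.group(1), safe="")), html)
```

Run over the sample, `deceptive_links` reports only the payroll link, while the plain "Need help?" link is left alone because its text makes no claim about where it goes.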
When you hold something for ransom, you have taken it without the owner knowing and then you offer a trade for the owner to get it back. It’s the same with data ransoms. Ransomware can be installed through an exploited vulnerability or through a phishing attack. Either way, software is installed on your computer without you knowing, and it encrypts your files so that you cannot view them. You must pay the attacker, and they will give you an electronic key to unlock your own files. The FBI recommends you don’t pay, but sometimes you may feel like you do not have a choice. Typically, having a backup copy of your files will let you restore them. But what if the ransomware knows that you back up your files and discard backups older than 30 days? What if you go on vacation for a couple of weeks and end up not viewing your files for over a month? In these cases, you can’t get your data back, and the only recourse you have is to live without the data or pay the criminal. In this so-called industry, the year-over-year return on investment is in the double digits, meaning that if ransoming other people’s data were a private company, you might consider investing in it. Criminals have found that enough people will fall for a phish or click through to ransomware to make it economically feasible. Do you have a policy regarding ransomware? Are your files backed up on a regular basis, and do you have both local and offsite copies of the most important files? While there are many sophisticated backup software packages for enterprise data, there are some simple ones like Crashplan and Apple’s Time Machine that also work for personal computers.
We’ve reviewed how criminals may influence your own employees to give up university data; here are some additional actions that should be in place to be as safe as possible.
• Your operating systems, applications, anti-malware software, and antivirus software should be licensed and up to date to prevent vulnerabilities. When it comes to phishing, rewriting website addresses to keep people from accidentally clicking through to an insecure website is helpful. When your data is at rest, or when it is being transmitted through the internet, it should be encrypted, meaning that if someone got a copy of the encrypted data, it would be meaningless gibberish and not your actual data.
• Your contracts with vendors should adhere to your standards and policies. Companies that store your data should be held accountable for keeping your data as if you were handling it yourself, or better than you would do.
• If there is an incident, you need to know how public affairs, the IT professionals, law enforcement, the president’s office, and other administrators will respond to an event. This is an area where a simulation or a tabletop exercise would be beneficial.
A cybersecurity program is cyclical because it is an ongoing process. It starts with security awareness, meaning that you have made it a priority and you make a point to involve others and train them. Then, classify your data so that you know what types of data you have and how to protect it, followed by having systems, network, and physical security that adhere to your requirements. Ensure that you have the personnel to implement the program, and remember that cybersecurity is everyone’s responsibility, not just the IT professionals or security officers. Lastly, just like everything else, practice makes perfect, so keep training, and keep talking about cybersecurity in your institutions.