Battling Cyber Criminals
- By Michael Fickes
- 01/01/17
Computer hackers are everywhere these days.
They particularly like colleges and universities where
cyber security can be lax.
In one common hacking ploy, college and university students
hack into their professors’ files and change their own grades and
sometimes the grades of their friends. In the end, though, these
are minor-league hacks.
Two other groups of hackers are committing major-league
crimes, says Laz Anbino, supervisory special agent in the FBI’s
cyber outreach section.
The Heavy Hitters
First, there are criminals that steal personal information and
monetize stolen credit cards. These criminals steal identities with
names, addresses and phone numbers while also gaining access to
social security numbers and credit card and bank accounts. The
FBI refers to this kind of information as “personally identifiable
information,” or PII. Today’s tech-reliant college students routinely
maintain and use these PIIs online and they often don’t give much
thought to security. As a result, college students are often easy
targets for criminal hackers.
“The most attractive victims to hackers
are those with high levels of PII,” continues
Anbino. “The thieves will sell this
information to criminals that hang out on
something called the ‘dark web.’ If you can
find it, you can go to the dark web and buy
someone’s PII for about $5 and charge up
the credit card numbers.”
A second group of hackers are backed
by nation-states seeking to steal proprietary
intellectual property, which abounds on college
and university campuses — particularly
on the campuses of research universities
with laboratories handling major government
research assignments, as well as sophisticated
research funded by corporations.
“Criminal enterprises and nation-states
target colleges and universities because
they have valuable data and don’t protect it
very well,” notes Anbino. “For example, an
engineering department may have a Ph.D.
student who sets up a server for a project.
He or she probably won’t be focused on
security. I’m not making a complaint when
I say this. This is the open, decentralized
nature of higher education. Colleges and
universities operate this way.
“The problem is, this Ph.D. student’s
server will be connected to the university
network. It will have large bandwidths,
and the network will likely contain a lot
of PII, mostly adults with credit cards and
bankcards, which can be monetized.
“Most research institutions have lots of
R&D information on their networks; some
of it may be classified government work,
often for the Department of Defense. All of
this is very attractive to nation-state and
criminal actors,” continues Anbino. “A
nation-state might aim to steal classified
blueprints for a military aircraft from a
CDC, or cleared defense contractor, hoping
to leapfrog their military to another level.”
A STRANGER IS WATCHING. The National Cyber Security Alliance (www.staysafeonline.org) advises a “Stop. Think. Connect.”
approach to keeping computers and their data secure. This approach includes keeping security software current.
Having the latest security software, web browser and operating system is the best defense against viruses, malware and
other online threats. Also, choose to automate software updates. Many software programs will automatically connect
and update to defend against known risks. Turn on automatic updates if that’s an available option. Be sure to protect
all devices that connect to the Internet. Along with computers, smartphones, gaming systems and other web-enabled
devices also need protection from viruses and malware. Encourage all Internet users to be more vigilant about practicing
safe, online habits; ensure that Internet safety is perceived as a shared responsibility.
“Knowing that nation-state actor wants
to steal their information, defense contractors
will block IP addresses from the
nation-states they are concerned about,”
Anbino says. “They block URLs used by
those nation-states.”
Great idea, but nation-state actors have
fought back by finding what the FBI calls
“pivot points” or “hot points.” One of these
points could be the university library, a
florist or other retailer doing business in
the university’s community. A nation-state
actor will hop on a retailer’s network and
from there move to the defense contractor’s
network — unsuspected.
“From the national security point of
view, the FBI believes the biggest risks are
on the higher end — the larger corporations
and universities handling classified
projects,” Anbino says. “They all too often
must deal with nation-states considered
advanced persistent threats, or APTs.
“An APT actor in a network is difficult
to defend against. They have armies of
people, literally armies, attacking networks
they want to break into. They have done a
lot of reconnaissance work on networks to
find vulnerabilities to exploit. If APT actors
want to get into a network badly enough,
they will find a way. They are state-sponsored
and so have great resources.”
Another threat might come from professors
that publish negative articles about
other nation-states, Anbino says. Those
states may then attempt to retaliate by
hacking the professor’s email and breaking
into the university system.
“Spear phishing remains the number-one
attack vector used by adversaries,”
Anbino says. “It isn’t very sophisticated
but it works. I send you an email asking
you to click on a link. When you do, the link downloads malware into your system. Software has been
developed that monitors systems and helps prevent that kind of
intrusion from succeeding.”
Are There Any Solutions?
Anbino recommends making use of consultants versed in network
security policies and procedures to help you plan and create
cyber defenses.
There are several defenses for college and university networks.
The first is good network segmentation. “That’s what we generally
recommend,” says Anbino. “Classify your data. What is sensitive
and in need of protection? Segment your network in ways that the
sensitive data is not easily accessible from the Internet.”
Anbino says that segmentation involves creating firewalls, separating
servers with sensitive data and creating special credentials
and authentication routines to control access to sensitive networks.
SAFETY IN NUMBERS. Many universities, especially large ones with mature security
functions, post their high-level response plans on their websites. A simple Google search
for “incident response plan site:.edu” will return countless plans. IT professionals charged
with creating a response plan don’t need to start from scratch. “Browse these plans, pick
the parts that you like, the structure that you like, the format that you like and that work
at your institution,” says Michael Corn, deputy CIO for Library and Technology Services and
CISO at Brandeis University in Waltham, MA.
In the case of classified information, it should be isolated so
that it is never accessible through the network. “This is called
air-gapping,” explains Anbino. “We air-gap the classified networks
and so separate them from the Internet. In other words, these
networks are not on the Internet.”
Next, monitor weblogs. Most large networks have a public-facing
webserver. When a user goes to your site, the URL, along
with the entire transaction, is recorded on the weblog.
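One way to put that weblog to work, as an added example that is not part of the original article: a small Python review of webserver access-log lines in the common "combined" format that summarizes each client, flags clients whose requests mostly fail (a sign of someone probing for files that should not be reachable) and records any successful request under a path you consider sensitive. The log lines, the sensitive prefixes and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2017:10:00:03 +0000] "GET /research/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2017:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 220 "-" "curl/7.50"
198.51.100.9 - - [01/Jan/2017:10:00:06 +0000] "GET /lab/grades.db HTTP/1.1" 404 210 "-" "curl/7.50"
198.51.100.9 - - [01/Jan/2017:10:00:07 +0000] "GET /lab/students.csv HTTP/1.1" 404 210 "-" "curl/7.50"
198.51.100.9 - - [01/Jan/2017:10:00:08 +0000] "GET /lab/export.php HTTP/1.1" 200 990 "-" "curl/7.50"
"""

# One combined-format line: client, identity, user, timestamp, request, status, size, referer, agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]

def review_weblog(text, sensitive_prefixes=("/admin/", "/lab/"),
                  error_threshold=0.5, min_requests=3):
    """Per-client summary: request count, share of requests that errored, and the
    sensitive paths that were actually served (2xx/3xx). Returns {ip: summary}."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "sensitive_hits": []})
    for rec in parse_log(text):
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if int(rec["status"]) >= 400:
            s["errors"] += 1
        elif any(rec["path"].startswith(p) for p in sensitive_prefixes):
            s["sensitive_hits"].append(rec["path"])
    for s in per_ip.values():
        s["error_rate"] = s["errors"] / s["requests"]
        # Flag a client that mostly fails (file probing) or that reached a sensitive path.
        probing = s["requests"] >= min_requests and s["error_rate"] >= error_threshold
        s["flag"] = probing or bool(s["sensitive_hits"])
    return dict(per_ip)

if __name__ == "__main__":
    for ip, summary in review_weblog(SAMPLE_LOG).items():
        print(ip, summary)
```

Any client flagged this way is a candidate for the incident response steps the article describes, not proof of an intrusion; the thresholds should be tuned against your own site's normal traffic.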
One more defensive step involves practicing cyber hygiene by applying
software patches when notified and updating software regularly
to ensure that the versions in use contain all necessary patches.
Be Ready to Respond
“Finally, have an incident response plan in place,” says Anbino.
“The plan should be approved by senior leadership. While leaders
probably won’t understand the technical details, they should understand
that there is a plan that can be rolled into action should
there be an attack.
“As with any kind of emergency response plan, if the leader
doesn’t take it seriously, no one else will.”
Anbino also notes the importance of reading key members of
the organization into the cyber emergency response plan: the legal
department, CIO, CISO and so on.
“All the key players should understand the plan and rehearse it
on a regular basis.”
“In large cases that might involve a major criminal group or a
nation-state actor, call law enforcement, including the FBI, right
away so they can analyze the evidence while it is fresh.”
In a way, all of this together might seem like an overreaction
to cyber threats. To be sure, there is a lot to think about. Still, as
military people say, the best offense is a good defense. That’s as
true in cyber security as in military security.
The steps noted here can help you create an effective defense
against cyber intrusion and crime.
This article originally appeared in the issue of .