Technology (Innovations for Education)

Battling Cyber Criminals

Photo (cyber security: server) © BOB MICAL

Computer hackers are everywhere these days. They particularly like colleges and universities where cyber security can be lax.

In one common hacking ploy, college and university students hack into their professors’ files and change their own grades and sometimes the grades of their friends. In the end, though, these are minor-league hacks.

Two other groups of hackers are committing major-league crimes, says Laz Anbino, supervisory special agent in the FBI’s cyber outreach section.

The Heavy Hitters

First, there are criminals who steal personal information and monetize stolen credit cards. These criminals steal identities with names, addresses and phone numbers while also gaining access to social security numbers and credit card and bank accounts. The FBI refers to this kind of information as “personally identifiable information,” or PII. Today’s tech-reliant college students routinely maintain and use this PII online, and they often don’t give much thought to security. As a result, college students are often easy targets for criminal hackers.

“The most attractive victims to hackers are those with high levels of PII,” continues Anbino. “The thieves will sell this information to criminals that hang out on something called the ‘dark web.’ If you can find it, you can go to the dark web and buy someone’s PII for about $5 and charge up the credit card numbers.”

A second group of hackers is backed by nation-states seeking to steal proprietary intellectual property, which abounds on college and university campuses — particularly on the campuses of research universities with laboratories handling major government research assignments, as well as sophisticated research funded by corporations.

“Criminal enterprises and nation-states target colleges and universities because they have valuable data and don’t protect it very well,” notes Anbino. “For example, an engineering department may have a Ph.D. student who sets up a server for a project. He or she probably won’t be focused on security. I’m not making a complaint when I say this. This is the open, decentralized nature of higher education. Colleges and universities operate this way.

Photo (cyber security: baiting) © WK1003MIKE

A STRANGER IS WATCHING. The National Cyber Security Alliance (www.staysafeonline.org) advises a “Stop. Think. Connect.” approach to keeping computers and their data secure. This approach includes keeping security software current. Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats. Also, choose to automate software updates. Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option. Be sure to protect all devices that connect to the Internet. Along with computers, smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware. Encourage all Internet users to be more vigilant about practicing safe, online habits; ensure that Internet safety is perceived as a shared responsibility.

“The problem is, this Ph.D. student’s server will be connected to the university network. It will have large bandwidths, and the network will likely contain a lot of PII, mostly adults with credit cards and bankcards, which can be monetized.

“Most research institutions have lots of R&D information on their networks; some of it may be classified government work, often for the Department of Defense. All of this is very attractive to nation-state and criminal actors,” continues Anbino. “A nation-state might aim to steal classified blueprints for a military aircraft from a CDC, or cleared defense contractor, hoping to leapfrog their military to another level.

“Knowing that nation-state actor wants to steal their information, defense contractors will block IP addresses from the nation-states they are concerned about,” Anbino says. “They block URLs used by those nation-states.”

Great idea, but nation-state actors have fought back by finding what the FBI calls “pivot points” or “hot points.” One of these points could be the university library, a florist or other retailer doing business in the university’s community. A nation-state actor will hop on a retailer’s network and from there move to the defense contractor’s network — unsuspected.

“From the national security point of view, the FBI believes the biggest risks are on the higher end — the larger corporations and universities handling classified projects,” Anbino says. “They all too often must deal with nation-states considered advanced persistent threats, or APTs.

“An APT actor in a network is difficult to defend against. They have armies of people, literally armies, attacking networks they want to break into. They have done a lot of reconnaissance work on networks to find vulnerabilities to exploit. If APT actors want to get into a network badly enough, they will find a way. They are state-sponsored and so have great resources.”

Another threat might come from professors that publish negative articles about other nation-states, Anbino says. Those states may then attempt to retaliate by hacking the professor’s email and breaking into the university system.

“Spear phishing remains the number-one attack vector used by adversaries,” Anbino says. “It isn’t very sophisticated but it works. I send you an email asking you to click on a link. When you do, the link downloads malware into your system. Software has been developed that monitors systems and helps prevent that kind of intrusion from succeeding.”

Are There Any Solutions?

Anbino recommends making use of consultants versed in network security policies and procedures to help you plan and create cyber defenses.

There are several defenses for college and university networks. The first is good network segmentation. “That’s what we generally recommend,” says Anbino. “Classify your data. What is sensitive and in need of protection? Segment your network in ways that the sensitive data is not easily accessible from the Internet.”

Anbino says that segmentation involves creating firewalls, separating servers with sensitive data and creating special credentials and authentication routines to control access to sensitive networks.

Photo (cyber security: laptop) © SOSNARADOSNA

SAFETY IN NUMBERS. Many universities, especially large ones with mature security functions, post their high-level response plans on their websites. A simple Google search for “incident response plan site:.edu” will return countless plans. IT professionals charged with creating a response plan don’t need to start from scratch. “Browse these plans, pick the parts that you like, the structure that you like, the format that you like and that work at your institution,” says Michael Corn, deputy CIO for Library and Technology Services and CISO at Brandeis University in Waltham, MA.

In the case of classified information, it should be isolated so that it is never accessible through the network. “This is called air-gapping,” explains Anbino. “We air-gap the classified networks and so separate them from the Internet. In other words, these networks are not on the Internet.”
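The two rules Anbino lays out above, that sensitive data should not be reachable directly from the Internet and that classified systems should have no network path at all, can be checked mechanically against a zone-to-zone firewall policy. The following is an added example, not code from the article or the FBI; the zone names (internet, campus, sensitive, classified), the rule format and the sample policies are assumptions constructed for illustration. It walks every unauthenticated hop between zones to find transitive exposure (for instance Internet to campus to sensitive), and treats any rule touching the classified zone as an air-gap violation.

```python
"""Lint a zone-to-zone firewall policy against two segmentation invariants.

Added example; zone names, Rule fields and the sample policies are assumptions.
"""
from dataclasses import dataclass

# Assumed zone model: classified is meant to be air-gapped, so no rule may mention it.
ZONES = {"internet", "campus", "sensitive", "classified"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    auth_required: bool = False  # hop sits behind special credentials (VPN, jump host, MFA)


def air_gap_violations(rules):
    """Return every rule that gives the classified zone any network path."""
    return [r for r in rules if "classified" in (r.src, r.dst)]


def unauthenticated_paths(rules, src="internet", dst="sensitive"):
    """Enumerate zone paths from src to dst that use only rules without
    authentication, i.e. routes on which sensitive data is 'easily accessible'."""
    edges = {}
    for r in rules:
        if r.src in ZONES and r.dst in ZONES and not r.auth_required:
            edges.setdefault(r.src, set()).add(r.dst)
    paths = []

    def walk(zone, path):
        if zone == dst:
            paths.append(path)
            return
        for nxt in sorted(edges.get(zone, ())):
            if nxt not in path:  # no cycles
                walk(nxt, path + [nxt])

    walk(src, [src])
    return paths


def check_policy(rules):
    """Return human-readable findings; an empty list means the policy is clean."""
    findings = [f"air-gap violation: {r}" for r in air_gap_violations(rules)]
    for path in unauthenticated_paths(rules):
        findings.append("sensitive zone reachable from the Internet without "
                        "authentication via " + " -> ".join(path))
    return findings


# Constructed sample policies (assumptions, not a real campus ruleset).
FLAT_POLICY = [
    Rule("internet", "campus", 443),
    Rule("campus", "sensitive", 5432),          # database open to the whole campus
    Rule("campus", "classified", 22),           # breaks the air gap
]
SEGMENTED_POLICY = [
    Rule("internet", "campus", 443),
    Rule("campus", "sensitive", 5432, auth_required=True),  # special credentials required
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, check_policy(policy) or "clean")
```

Running it on the flat policy reports both the air-gap break and the unauthenticated Internet-to-campus-to-sensitive route; the segmented policy comes back clean because the only hop into the sensitive zone requires authentication.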

Next, monitor web server logs. Most large networks have a public-facing web server. When a user visits your site, the requested URL, along with the rest of the transaction, is recorded in the web log.
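Because every request to the public-facing web server lands in the access log, the log is also where unusual client behaviour first shows up. The script below is an added example, not from the article; it parses lines in the common combined log format (the format Apache and nginx use by default) and flags clients whose request rate or share of error responses exceeds a threshold, which is a simple way to turn a raw web log into something an IT staffer can review. The sample log lines, addresses, date and thresholds are constructed assumptions.

```python
"""Flag unusual clients in a web server access log (combined log format).

Added example; the sample lines, IP addresses, date and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)( "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(lines):
    """Per-client request count, error count and time span of activity."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the monitor
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
    return per_ip


def flag_clients(lines, max_rate_per_min=30, max_error_ratio=0.5, min_requests=5):
    """Map client IP -> list of reasons for clients worth a closer look."""
    flagged = {}
    for ip, s in summarize(lines).items():
        if s["requests"] < min_requests:
            continue  # too little data to judge
        span_min = max((s["last"] - s["first"]).total_seconds() / 60, 1 / 60)
        rate = s["requests"] / span_min
        ratio = s["errors"] / s["requests"]
        reasons = []
        if rate > max_rate_per_min:
            reasons.append(f"rate {rate:.0f}/min")
        if ratio > max_error_ratio:
            reasons.append(f"error ratio {ratio:.2f}")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log: one client hammering the server and hitting errors,
# one with a handful of normal requests, and one malformed line.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2024:10:00:00 +0000] "GET /page-1 HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:02 +0000] "GET /page-2 HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /page-3 HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:06 +0000] "GET /page-4 HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:08 +0000] "GET /page-5 HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:06:00 +0000] "GET /courses HTTP/1.1" 200 8200 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:11:00 +0000] "GET /library HTTP/1.1" 200 6100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:16:00 +0000] "GET /contact HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:21:00 +0000] "GET /about HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
    'this line is not in access-log format',
]

if __name__ == "__main__":
    for ip, reasons in flag_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

On the sample, 203.0.113.9 is reported for both a high request rate and a high error ratio, while 198.51.100.4 makes five ordinary requests over twenty minutes and is left alone. The thresholds are deliberately parameters: what counts as unusual depends on the site, so tune them against a week of normal traffic before alerting on them.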

One more defensive step is practicing cyber hygiene: apply software patches when notified and update software regularly so that the versions in use contain all necessary patches.

Be Ready to Respond

“Finally, have an incident response plan in place,” says Anbino. “The plan should be approved by senior leadership. While leaders probably won’t understand the technical details, they should understand that there is a plan that can be rolled into action should there be an attack.

“As with any kind of emergency response plan, if the leader doesn’t take it seriously, no one else will.”

Anbino also notes the importance of reading key members of the organization into the cyber emergency response plan: the legal department, CIO, CISO and so on.

“All the key players should understand the plan and rehearse it on a regular basis.”

“In large cases that might involve a major criminal group or a nation-state actor, call law enforcement, including the FBI, right away so they can analyze the evidence while it is fresh.”

In a way, all of this together might seem like an overreaction to cyber threats. To be sure, there is a lot to think about. Still, as military people say, the best offense is a good defense. That’s as true in cyber security as in military security.

The steps noted here can help you create an effective defense against cyber intrusion and crime.

This article originally appeared in the issue of .