Cybersecurity takes everyone
Jinx Walton, Pitt’s chief information officer, spoke at this year’s Staff Association Council spring assembly on “Security: It Takes All of Us.”
Just a dozen years ago, Jinx Walton, Pitt’s chief information officer, said, computer security “especially here at the University was not something we focused on.” Pitt employed only a half-time computer security person, and “a lot of his responsibility was changing our door locks,” she said.
Today, Computing Services and Systems Development (CSSD) has 10 full-time people working on firewalls, security monitoring, spam and virus filtering and much more. Spamming and hacking have “become more malicious now … there are these very sophisticated organizations that are responsible,” she noted. “In the past few years the profits from cybercrime have exceeded the profits from drug crime.”
Walton’s keynote address, titled “Security: It Takes All of Us,” opened the Staff Association Council’s March 20 spring assembly, which had more than 120 people registered and also featured six sessions on ways to better use technology at work, covering the cloud, pitt.box.com, “student record mysteries” and other topics.
Universities are targeted because of the size and speed of their networks, Walton told the assembly.
Universities also often require open access, “so they quickly become … one of the first targets” for hacking. The number of new students gaining university accounts each year, and the large variety of uses to which a university’s network is put — academics, business and research — also make it more vulnerable.
All of Pitt’s 53,000 Internet user accounts were put behind network-based firewalls by January 2013, “and that is really the best defense,” she said. Last year Pitt blocked 364 million spam messages and 10 million viruses. Its 1,200 websites are the targets of web application attacks, “so our web infrastructure is constantly being scanned” by hackers looking for vulnerabilities. Last month alone there were 12,818 malicious attacks on Pitt websites and more than 384,000 scans by hackers, with 141,000 instances of potentially malicious traffic on Pitt’s residence hall network alone, Walton said.
Overall, there have been 219 network breaches of higher-education networks by hackers since 2009, with 113 of them employing malicious software, or malware, most recently causing the exposure of personnel or student records at Indiana University and the University of Maryland. Such breaches not only reveal personal information, Walton noted, they can damage an institution’s reputation.
Fighting off attacks
One common method hackers use to disrupt the business of a university is a denial of service attack, in which a network is overwhelmed by more traffic than it can handle, often shutting it down. Another method, termed hacktivism, may disable a network or expose its information to the public based on a political agenda. Walton said Pitt employees also have been subject to ransomware, which locks computers until a fee is paid — and sometimes even when the fee is paid.
Phishing attacks, which ask users to click on a site that purports to be from an important or respected institution, such as your bank or the University itself, are a current problem about which Pitt often is sending out alerts, she noted.
Email messages may contain embedded viruses, trusted websites may be compromised by hackers and turn into gateways for attacks, and free wi-fi services, now so common in shops small and large, often allow unencrypted traffic, making them easy hunting grounds for hackers hoping to snag personal information.
“There’s really not one security practice that is going to protect us,” Walton added. So the University has a multilayered approach.
Pitt’s network operations, located 10 miles off-campus in O’Hara Township, run around the clock all year long, with employees “looking for any type of anomaly,” blocking suspicious users and alerting departments about potential trouble. They look for suspicious activity such as multiple failed logins and simultaneous geographic logins (single accounts with attempted logins from several locales at the same time). They also limit the number of email messages an individual employee is allowed to send, to prevent hackers from using the University’s network speed to send spam or launch attacks on other networks.
Pitt also maintains central control over all its accounts, offering centralized email and web services and application monitoring, which Walton said is unusual for a large research university. This allows Pitt to enforce a requirement for frequent password changes, among other advantages. “Once we did that we really saw the number of compromises decrease,” she said.
CSSD also performs regular security scanning of the network, reviews security of Pitt’s third-party vendors and works with individual departments to review and create security plans and upgrade security controls.
CSSD also helps ensure compliance with federal security regulations, particularly those required by agencies that grant research dollars. Soon, CSSD is hoping to roll out multifactor logins — a password and a personal device— for those who have regular access to highly sensitive information.
What you can do
“The truth is, when we look at how we’re securing the University, we’re happy with that, but honestly it takes all of you to help secure this environment,” Walton said.
She warned Pitt employees to be aware of older documents that used Social Security numbers, from performance reviews to lists of students’ grades, which may remain on computers and be vulnerable to exposure. She asked that employees notify CSSD if such information is found on their own computers, and to use protective software available from CSSD. She suggested that employees also increase their computers’ level of spam and virus filtering and avoid clicking on suspicious websites.
“If you have the slightest hesitation about a website, you have to not go there,” she said. And if you click on a link that turns out to be a phishing lure, “one of the things to do is let us know as soon as possible. When we look at all of the risks out there and how busy everyone is, it’s really understandable how you could mistake one of these as legitimate.”
She recommended using CSSD-provided software for protection. Computrace offers theft recovery services for laptops, tracing the location of a stolen computer and even allowing you to erase its contents from a distance, should such a measure be needed. PGP Whole Disk encrypts a hard drive, Secure Zip encrypts files, Symantec Endpoint Protection blocks viruses and malware that make it through University-wide protections, and Identity Finder discovers sensitive data on your computer. CSSD personnel distributed copies of the last three programs to assembly attendees on flash drives, since Pitt is licensed to allow employees to use the software on their home computers as well.
Walton also suggested employees read CSSD’s regular column in the University Times, called Tech Corner, and request department-specific briefings from CSSD’s information security officer Sean Sweeney and colleagues.
Mobile devices present new security issues for Pitt that are “nowhere near” as pervasive as those on older networked devices but are increasing, Walton said. Although she noted that there are too many “immature devices” (devices still in their early stages of development) to make it worthwhile for Pitt to obtain or distribute security measures right now, she urged mobile device users to be cautious. Downloaded apps may contain default settings that allow them to access users’ personal information, emails or location. Walton recommends changing app settings, backing up your data regularly, keeping your operating system current and using passwords to protect your devices.
Ensuring the security of Internet devices “has become harder and harder to do …” as more and more things, even household appliances, become Internet capable.
“I won’t be the one asking you to upgrade the security on your toaster,” she said, “but that’s not too far-fetched.”
—Marty Levine