University of Pittsburgh

October 15, 2015

Technology Corner: Keeping out the bad guys


Want to guess how many malware “events” per week an average educational institution experiences? Here’s a hint: retail organizations typically get about 800 per week, while the financial sector fends off 350.

Educational institutions? More than 2,330 each week.

You are the target. You are the solution.

CSSD invests significant resources and effort in designing and continuously improving the technology that protects the University: network firewalls; real-time monitoring for malicious activity; the use of central accounts; and other advanced security measures. Unfortunately, you might play a key role in allowing a bad guy to bypass all of it.

“I would never do that!” you say. Of course not — not intentionally, anyway.

But the bad guys are masters of “social engineering.” That is, they’re skilled in getting you to perform some action you wouldn’t otherwise perform, and they do this by tapping into your human nature. The most frequently used tactic for making you an inadvertent Trojan horse is to deliver a cyber threat through a phishing email.

Phishing campaigns regularly attempt to exploit Pitt users. Sometimes they promise “the iPad sale of the year” or urge us to “Check on that UPS package” or warn us to “Act now to ensure your account doesn’t expire.” All are calls to action that trick you into giving away your credentials or downloading an attachment that turns out to be malicious.

And what’s worse is that you may not even realize what you’ve done.

Walk away from phishing scams. Signs of a phishy email include requests for personal information, poor spelling or grammar, or a call to action (click, download, verify, etc.). No one who’s trustworthy will ask for your password — ever. Your best defense is to assume every email is potentially fraudulent.

Research security and the IRB

In addition to deploying technical defenses and enlisting individual efforts to protect data resources at Pitt, CSSD also partners with researchers and others who generate sensitive data. The role of electronic data in research has grown, particularly as web-based and mobile app tools increasingly are used to collect, transmit and store data involving human subject participants.

We meet with large or small groups of faculty and researchers to provide general information about security guidelines and best practices. In conjunction with the Institutional Review Board (IRB), we review and approve data security plans for specific research protocols and work closely with IRB staff so that they know which protocols present the greatest risk and therefore need a data security review.

We have worked with the IRB to create guidance documentation for researchers so that researchers can think of data security issues prior to submitting protocols for approval, and understand what information must be provided to facilitate a quick and easy review.

We are happy to sit down with research teams before they submit a protocol to the IRB; a growing number of research groups have found it very helpful to meet with us on what they need to do to secure their data so that the approval process moves quickly.

Research contracts

Data security language often is part of federal government research contracts; if the contract’s security controls are not met, the researcher could face breach of contract charges. Nobody wants that.

When a government contract includes data security language, the Office of Research will ask the researcher to request a security review. A CSSD security analyst will contact the researcher to review the work being done under the contract, who will have access to the data and where the data will be stored. This information is compared to the contract language, and the analyst then will determine whether the University is in compliance or whether additional steps are needed to reach compliance with the contract language.

Security partnerships

We also partner with IT leaders at the school level to strengthen and build additional layers of protection.

In 2014, CSSD began using the recently published National Institute of Standards and Technology (NIST) cybersecurity framework as a risk-based approach to analyze our enterprise cybersecurity program. The framework includes standards, guidelines and practices for the protection of critical infrastructure and management of cybersecurity-related risk.

Now we want to apply that same risk-based approach at the unit level. We have begun working with the Swanson School of Engineering to guide them through this process. The results of this collaboration will be a roadmap to increased security in the Swanson school and the development of a self-service cybersecurity risk evaluation tool that CSSD can provide to all Pitt units.

We also work closely with the School of Dental Medicine, a HIPAA-covered entity, on information privacy and security issues. CSSD’s security team gives an annual presentation to School of Dental Medicine faculty, reviewing the latest risks and ways to protect against them.

We routinely work with dental medicine staff on practical but enforceable security standards, and we coordinate with Associate Dean Heiko Spallek on security issues related to dental medicine’s research and clinical operations.

October: national cybersecurity awareness month

Have you fallen for a phishing scam? Many people do. We’re not going to judge you, so please report it to A cyber-secure University is our goal and our mission, and when you enlist our help, you’re making Pitt more secure.

CSSD security staff can speak to your department about best practices or sit down with a smaller group and talk through any security challenges you’re facing. We’re committed to working together with everyone at Pitt to keep the University secure.

In the spirit of that commitment, we hope you will attend CSSD’s Oct. 26 cybersecurity symposium in the William Pitt Union Assembly Room (see The symposium will include interactive sessions focused on security topics applicable to Pitt faculty and staff. We also will have cookies — the safe kind.

Sean Sweeney is the University’s information security officer. He can be reached at 4-5595 or
