You know phishing, but what about quishing and whaling?

By MARTY LEVINE

There are new cyber-scams to be wary of beyond email phishing, Pitt Information Technology said at the latest Staff Council Spotlight session on Oct. 23.

These include:

  • Quishing (being sent a malicious QR code)

  • Whaling (phishing that targets the big fish in the executive suite)

  • TOAD (telephone-oriented attack delivery, which uses email to try to get you to call back with personal information)

While Pitt has tools to battle such attacks, the best weapon is you, they added during the session titled “Protecting the University from Cyber Threats.”

How can you help? “By becoming a human firewall,” said John Duska, interim chief information security officer at Pitt IT, who opened the presentation.

More than 140,000 devices are connected to Pitt’s network at any one time, he noted, “well more than one device per person,” including all of Pitt’s own servers and networking equipment.

“This is a large network,” Duska said. “This is like a Fortune 500 company. We’re barraged by unwanted malicious Internet traffic and e-mail. An attacker only has to be successful one time to create an incident.”

Each day, 27 percent of all incoming Internet traffic is blocked as malicious before it even reaches you, including more than 856,000 e-mail messages, or 52 percent of the average 1.6 million e-mails received daily.

Universities, he said, present an attractive target for scammers, because their networks contain a large number of personal devices, which are easier to attack. It is a high-bandwidth network, with high speeds and lots of capacity, which we all appreciate but “bad actors love this as well,” he added.

The University’s open environment is “conducive to education and research” but also opens the door to more attackers, looking for specialty items such as research data and intellectual property.

“These are no longer the days of some kid in his basement,” looking to create disruption, Duska said. “This is more the days of organized crime. Any data we have here is valuable ... and hackers think we would be willing to pay a ransom to protect it.”

Material stored in the cloud may be off-site but it is not invulnerable, he said. Third-party software that the University uses but does not own may also carry vulnerabilities that attackers exploit. Eighty percent of higher education institutions have been affected by ransomware attacks and “we still consider it the number one threat,” he pointed out.

Even if the ransom is paid and the data is released back to a university, the extortionist hackers can try the old protection racket: “Why don’t you pay us once a month now, and we’ll protect you so those other organizations won’t attack you.” Or they can threaten to release your data on the “dark web,” where stolen information is valuable.

All of these hacks can lead to potentially serious consequences, Duska said, stemming from loss of confidence in Pitt’s ability to protect our assets. These include loss of annual government funding, government grants, donor funding or research participation, not to mention school time for students and work time for faculty and staff — and perhaps the addition of regulatory fines or increased costs of cyber insurance.

Realizing that his presentation of all those risks could be “a little depressing,” Duska turned over the mic to Trent Wissner, Pitt IT’s threat and incident manager, who detailed the many things Pitt is doing to defend the institution.

That includes employing the latest generation of firewalls, as well as running Microsoft Defender for Endpoint on 75 percent of Pitt-associated devices; the software comes free with Windows but can also be used on Macs and Linux devices. It isolates infected users and can scan users’ software and update it if vulnerabilities are found. Defender also has versions that protect against malware and phishing attempts.

“We are able to pull them out of your mailbox” with Defender, Wissner said. “We are also able to block malicious links.” A version for identity protection will take note that you have suddenly logged on from California an hour after logging on from Pittsburgh, or tried to reach Pitt’s network from a known malicious Internet address — and these aren’t likely to be you.
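The two risky sign-in patterns Wissner describes, a login from California an hour after one from Pittsburgh and a connection from a known malicious address, can be expressed as plain rules over login events. The block below is an added illustration, not code from the presentation or from any Pitt IT tool; the sign-in events, coordinates, blocklist and speed ceiling are constructed sample values.

```python
from math import radians, sin, cos, asin, sqrt
from datetime import datetime

# Constructed sample data: geolocated sign-in events for one account.
# Each event: (timestamp, source IP, city label, latitude, longitude)
LOGINS = [
    (datetime(2023, 10, 23, 9, 0), "203.0.113.10", "Pittsburgh", 40.44, -79.99),
    (datetime(2023, 10, 23, 10, 0), "198.51.100.7", "California", 37.77, -122.42),
    (datetime(2023, 10, 23, 17, 0), "192.0.2.55", "Pittsburgh", 40.44, -79.99),
]

# Constructed blocklist (TEST-NET addresses) standing in for a threat-intelligence feed.
KNOWN_MALICIOUS = {"192.0.2.55"}

# Faster than any airline flight; a typical ceiling for "impossible travel" rules.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_logins(logins, blocklist=KNOWN_MALICIOUS, max_speed=MAX_SPEED_KMH):
    """Return (event index, reason) pairs for sign-ins a defender should review."""
    alerts = []
    for i, (ts, ip, place, lat, lon) in enumerate(logins):
        if ip in blocklist:
            alerts.append((i, f"source {ip} is on the known-malicious list"))
        if i == 0:
            continue
        prev_ts, _, prev_place, prev_lat, prev_lon = logins[i - 1]
        hours = (ts - prev_ts).total_seconds() / 3600
        distance = haversine_km(prev_lat, prev_lon, lat, lon)
        # A location change with no elapsed time is treated as impossible travel too.
        if distance > 0 and (hours <= 0 or distance / hours > max_speed):
            alerts.append((i, f"impossible travel: {prev_place} -> {place}, "
                              f"{distance:.0f} km in {hours:.1f} h"))
    return alerts


if __name__ == "__main__":
    for idx, reason in flag_logins(LOGINS):
        print(f"event {idx}: {reason}")
```

Real identity-protection products add device, session and risk-score signals on top of these two rules, but the same reasoning drives the alert: the implied travel speed is not achievable and the source is already known to be hostile.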

Anne Heitke, a senior analyst with Pitt IT, ended the session by noting that humans’ vulnerability to social engineering was the biggest crack in any firewall. She explained that social engineering attacks are those that aim to manipulate people into sharing personal info, downloading malicious software or visiting malicious websites, sending money to criminals or making other moves that compromise their own or the University’s security. Social engineering exploits human vulnerabilities or errors, and is thus nicknamed “human hacking.”

Ninety-eight percent of cyber attacks employ some form of social engineering, as do 90 percent of malicious data breaches, she said. A human firewall, on the other hand, “exercises strong situational awareness and common sense” and “applies street smarts to protect Pitt, themselves, their family and friends,” Heitke said.

“When you’re getting a call from the help desk, it might not be the help desk” if they are asking you out of the blue for log-on information, she said. And, of course, hackers can target you through the apps on your cellphone, she cautioned, so you ought to consider disabling ones not currently in use.

“The best security against social engineering is you,” Heitke said. “You can be the biggest security tool out there.”

Marty Levine is a staff writer for the University Times. Reach him at martyl@pitt.edu or 412-758-4859.
