Just because students and faculty strengthen their cyber defenses during this month of cybersecurity awareness, doesn’t mean attacks stop for the rest of the year.
October was declared Cybersecurity Awareness Month in 2003 by the federal government to promote safe technological practices. Ohio University hosts some events to celebrate the month, such as the Data Security Day Conference, and a cybersecurity-themed movie and trivia night in Baker University Theater, featuring “The Great Hack,” on Oct. 29, at 7 p.m.
There are many kinds of cyber attacks bad actors can use to steal information or money and damage software or hardware. Hackers can employ malware like viruses or worms to get into computers through websites, downloads or corrupted hardware.
This is why people need to be careful about the sites they visit, the files they download and the hardware they use.
Avinash Karanth, chair of the school of electrical engineering and computer science assures the hardware of OU technology is secure.
“You want to be careful with your devices,” Karanth said. “You want to make sure that they have the right level of encryption so that you know people cannot get access to your sensitive information.”
Most notable vendors or developers’ products are secure, students simply have to make sure their devices are updated.
Shawn Ostermann, Associate Professor of electrical engineering and computer science, explained it is possible for malware to spread through small networks, but there isn’t a single university network connecting every computer remotely. If malware were to spread through the wifi, it wouldn’t get far because of firewalls the university has in place.
Tin Vuong, a junior studying advanced computing program, explained firewalls work by filtering requests being sent to a server so requests from outside a local network can’t be fulfilled. Most firewalls check for malicious attachments embedded into requests.
This is why an entire university database being hacked through a leak in a single student’s computer is impossible. Students don’t have to worry about being responsible for other people’s data, but they should protect their own.
One of the most dangerous cyber attacks isn’t the kind that slips through the back door, it’s social engineering, such as phishing. “The users are the most vulnerable attack surface, not the applications themselves,” Vuong said. Oftentimes, a phishing email tries to get the victim to click on a link that is actually malware.
There’s also a kind of phishing where an attacker impersonates an organization that needs the victim's information. For example, a phishing email could say, “Hello, this is your bank. Please input your bank account information or your account will be frozen.”
A more targeted form of phishing is commonly referred to as spear phishing. That kind of email might look like it’s being sent by someone the victim knows.
“I think (students are) more aware of the phishing attacks,” Vuong said.
The Office of Information Technology provides tips for how to identify phishing. The Phish Bowl, linked on their website, displays the latest high-impact phishing messages being sent to ohio.edu emails.
Students and faculty should be cautious with links they receive in emails because those links could be malware in disguise. Users can tell if a link is secure by whether or not it has 'https’ at the beginning.
The Data Security Day Conference at OU, which took place Oct. 9, explored how to deal with cyber attacks such as reporting phishing.
One of the best cyber defenses is Multi-Factor Authentication, which OU requires for all its users.
“That makes logging in to anything on campus quite secure,” Ostermann said.
MFA works by using not just a username and password to verify the identity of the person logging in but verifies their phone number or email address.
“If you know your username and password and you have your own phone, then it’s much more likely that you’re really you,” Ostermann said.
Ostermann said people should never reuse passwords. If a hacker manages to get someone’s password for one site, they can use that same password to get into any other account that uses the same password.
“Using a different password on everything makes a lot of those attacks less dangerous,” Ostermann said.
He recommended Password Managers. Password Managers recommend secure passwords and save those passwords so the user doesn’t have to remember them. Some people might be wary of a third party having access to their password, but it’s actually the safest thing they can do because those databases are encrypted.
Ostermann said the password managers in Mac Books and Windows are secure, as well as the one he prefers, called One Password. It would take much more computing power to break into those password databases than any hacker is going to waste on OU.
From Karanth’s point of view, not a lot of faculty members take the modules recommended on the Information Security Office’s website because similar content is taught in Electrical Engineering and Computer Science classes. The faculty in that department already know the basics of cybersecurity.
“Personally, I don’t think I have relied on any of the universities resources to learn about phishing,” Vuong said, discussing a students point of view. “The training is not mandatory, and so I think it’s the same with other students as well.”
The resources are there for students and faculty to use them. Perhaps promoting them for a whole month will be enough to get their attention.