Ashland University network security: Behind the scenes
March 16, 2018
The Identity Theft Resource Center recorded 1,293 U.S. data breaches in 2017.
The breaches exposed more than 174 million confidential records, 21 percent higher than 2016. Of those records, 8.8 percent were from the educational sector.
Ashland University was one of the cyberattack victims.
SPEAR PHISHING
On February 9, 2017, all Ashland University students and employees received an email from Stephen Storck, Ashland University Vice President & Chief Financial Officer, stating that an unauthorized third party unlawfully obtained an electronic file containing certain employee personal information.
“We found out about the breach within a couple of days of it actually happening,” Scott Stoops, Ashland University IT Security lead, said.
The files involved included names, addresses, Social Security numbers, and information about wages for 2016.
The fraud that was used to steal the data is called phishing.
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies or a dignitary in order to induce individuals to reveal personal information.
A week before the announcement of the leak, IT received an email asking for permission to access the information. The email seemed legitimate, and its general look did not raise suspicions.
It was not until a few days later that an IT employee became suspicious of the request and reported it to the management of the IT department, but mistakes were made.
“What followed from that is we determined we needed to get a good baseline of where our folks are actually at,” Stoops said. “We started evaluating, what happened here? And what can we do about it? Because it was not a compromise of a system, but a compromise of data.”
As a result of the data breach, the IT department wanted to run a mock phishing test to see how many people would click on the link.
On March 29, a phishing email was sent out to around 13,000 people, including faculty, staff and students.
“We wanted to know how many people will click the link and how many people will enter their user credentials,” Stoops said.
The Office of the President announced the aftermath of the phishing email. Five people replied to the email, 50 people called the AU technical support center and changed their passwords, and 1,361 people out of 13,000 entered their user credentials (their username and password).
SECURITY
Separate from individuals’ mistakes, the university is intensifying its data protection by building prevention at multiple levels.
“We take a multi-layer approach to network security, so there is not one particular thing that is securing the network,” Stoops said. “We have a firewall that protects the network from external traffic sources. Basically, you do not get in unless you are allowed to. We have a perimeter firewall, and it is not only protecting the main campus here in Ashland but the College of Nursing and Columbus and other locations too.”
The problem is that the perfect system does not exist. Bugs and vulnerabilities are a permanent problem, and what is appropriate today may not be in a short time, as new weaknesses and flaws are discovered.
“The best way to test the network security is to attack the network,” Stoops said.
AU recently hired a third party to conduct a penetration test. They were paid to attempt to exploit the vulnerabilities of the system to determine whether unauthorized access or other malicious activity is possible, and then report those vulnerabilities to enable the IT department to enhance security as needed.
“Do we have enough resources to secure the network?” Stoops said. “We’ve got enough resources for that right now.”
Despite all the preparations, IT still faces challenges.
“The challenge that we have is the fact that the hacker is always one step ahead, and that is true no matter where you are at, it is not only the university,” Stoops said. “So we are always in the position of defending, so we have to make sure that we are not attempting to address the needs that we have right now, but looking down the road.”
ASHLANDUNIVERSITY VS. AUSECURE
The AU campus has two Wi-Fi networks open to all students and employees: AshlandUniversity and AUSecure.
One of the clear differences between the two networks is that AshlandUniversity requires a username and password every time students ask to access it, while the AUSecure network asks once and installs a proxy profile on the device used.
However, the difference between the two networks is much deeper.
“AshlandUniversity is essentially an unsecured network. In this regard it is like the Wi-Fi access offered in most public places,” Stoops said. “AUSecure authenticates users with their AU credentials and provides a high degree of encryption of the traffic that is going over the wireless connection.”
In a recent poll of 62 students, 63.3 percent rated AU network reliability as less than 6 out of 10. Of the students who took the survey, 83.9 percent said they usually use the AUSecure network, and 79 percent think the network is safe.
“When networks are put in place, especially wireless ones, there is an assessment that is done that tries to project needs,” Stoops said in response to those numbers. “Ideally, a solution is put in place that will meet current and projected needs for both bandwidth and coverage for two to three years or so.”
Often, actual network usage goes beyond projections because more devices are put on the network and more content is being streamed at a higher quality.
A network is often seen as a single entity but it is actually many devices working together. When all of the devices are working well then the perceived performance is high, but when one starts to degrade or fail then perceived performance goes down, Stoops said.
“It is also important to remember that most of the devices that connect us to the websites and services we consume are actually outside of our control.”
RESPONSIBILITY
In an attempt to inform all students and employees who use the university's internet, IT sends an employee to the AU radio station, 88.9 WRDL, every month to talk about cybersecurity.
IT also collaborates with students taking marketing classes to design marketing campaigns that get the information into the hands of students.
While IT bears a great responsibility for security, the reality is that they are only one of the parties responsible for it.
“It is easy to look at IT and say IT is the security people, we are not. We are only part of it. Students are part of the security. Faculty and staff are part of the security,” Stoops said.
Results of a recent poll showed that 22.6 percent of respondents shared their AU login with others. Also, the survey found that 35.4 percent of students are either not sure or do not know what phishing is.
That number is high, considering the letter the president sent out explaining it and the efforts of the IT department to spread awareness about phishing and other cyberattacks.
To ensure the security of the network and the devices students use, IT recommends installing antivirus applications, which are free for all students, faculty and staff through Ashland.onthehub.com.
No one thinks it will be them until it is.