It seems every week we see new reports of information breaches at major companies and schools. The security risks associated with using the Internet to perform financial transactions, store sensitive data, and provide service are growing.
In recent news, Yahoo! confirmed that over 500 million accounts were compromised in an attack by an Eastern European criminal gang dubbed Group E, who have a reputation for selling stolen personal data on the dark web (encrypted/peer-to-peer Web content).
The Yahoo! breach, therefore, was most likely motivated by financial gain, as most attacks are: 75% of incidents involve stealing personal information and/or credit card data directly. An attacker wants their access attempts to appear either legitimate or invisible, so silently installed malware, credible phishing messages posing as trusted services, and social engineering are some of the most common forms of attack we see in Information Security.
The education sector, you’ve likely heard, has become a target for cyber criminals in recent years, as it often houses sensitive data about its community members and is sometimes not as strongly regulated or resourced as the private sector. In 2015, there were 254 confirmed security breaches in education.
Is Emerson at risk?
Most Emerson community members are familiar with the phishing messages they occasionally receive – messages that appear legitimate enough to pass through our filter, pose as a reputable service (like the Emerson IT Help Desk!), and ask the user to enter account information. In more sophisticated attacks, the user is sent a link to a malicious website that looks identical to an Emerson site, such as eCommon or Emerson email.
While a great deal of business is conducted via email, it’s still a relatively insecure technology. Messages are unencrypted by default, sender addresses are easy to forge, and sophisticated attackers are constantly re-drafting their messages to get around filters.
Looking at Emerson’s spam metrics, we find that 84% of all email sent to Emerson is blocked as spam (nearly 100 million messages). 7% is newsletters or solicitations (annoying, perhaps, but not malicious), and only 9% (about 10 million messages) is legitimate email. In other words, the vast majority of messages sent to Emerson College (and most institutions) are malicious, and are blocked before they’re ever delivered.
Similarly, our campus firewall, like most organizations’, fends off millions of unauthorized access attempts from around the world. Think of it like a criminal turning every door knob in the neighborhood to see who left their door unlocked.
With a typical organization running hundreds of systems, managing thousands of users, and hundreds of thousands of devices, attackers are playing a numbers game – something or someone inside the environment is bound to be vulnerable.
What’s Emerson IT doing to mitigate these threats?
Without going into too much detail on a public blog, Emerson IT has launched a number of initiatives to fend against the top threats in Information Security.
Multi-Factor Authentication – starting with our cloud storage solution, Emerson IT will be enforcing multi-factor authentication on more services in the future, requiring users to prove they are who they claim to be by approving the login on a physical device they hold (such as a smartphone or YubiKey). When passwords are stolen, this is one of the most powerful lines of defense.
Penetration Testing – Emerson is running both external penetration tests (hiring an outside firm to try to access Emerson data) and internal penetration tests (tests of our users’ ability to spot phishing messages and to use strong passwords).
Improved Password Policy – Emerson IT’s Password Policy will now not only require passwords of at least 12 characters, but will also prevent the use of common passwords and phrases, making dictionary and brute-force attacks less likely to succeed.
User Education – 2017 will mark the third year in which Emerson IT provides comprehensive security training to all staff, faculty, and students working for the college.
Backup and Disaster Recovery Testing – Emerson IT and the various business units of the college will run annual, coordinated system restores and verify that backup data is up-to-date and can be restored quickly.
Physical Asset Tracking – Emerson IT will be notified of devices that are assigned to our community members but off our network for long intervals of time, verifying that devices are still in the hands of their responsible owners.
Implement New Anti-Threat Services and Monitoring – resources permitting, Emerson IT will procure and implement emerging security tools to mitigate and more quickly identify threats.
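The password policy described above (a 12-character minimum plus rejection of common passwords and phrases) can be illustrated with a small checker. The code below is an added example written for this post; it is not Emerson IT’s own implementation. The denylist and phrase list are tiny constructed samples, and the “leet” substitution table is a hypothetical heuristic: a real deployment would load a large published breached-password corpus and tune the normalization to its own user population.

```python
from typing import List
import unicodedata

MIN_LENGTH = 12  # the post's stated minimum

# Constructed sample denylist (hypothetical). A real deployment loads a large
# list, such as a published breached-password corpus, from disk instead.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "emerson", "emersoncollege", "correcthorsebatterystaple",
}

# Constructed sample of common phrases, rejected even when embedded in a
# longer string ("Welcome2Emerson!" still contains "welcome" and "emerson").
COMMON_PHRASES = {"password", "welcome", "emerson", "letmein", "qwerty"}

# Hypothetical table that undoes the digit/symbol substitutions people use to
# sneak a banned word past a naive exact-match filter.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Characters commonly tacked on to the front or back of a banned word.
PADDING = "0123456789!@#$%^&*()-_=+.,;:'\""


def normalize(password: str) -> str:
    """Canonical form used for denylist matching: Unicode-normalize,
    lower-case, strip leading/trailing digits and punctuation, then undo
    common substitutions. 'P@ssw0rd2017!' becomes 'password'."""
    s = unicodedata.normalize("NFKC", password).lower()
    s = s.strip(PADDING)
    return s.translate(LEET_MAP)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations for a candidate password.
    An empty list means the password passes the policy."""
    problems: List[str] = []
    # Length is checked on the raw input, not the normalized form.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    if norm in COMMON_PASSWORDS:
        problems.append("matches a common password")
    else:
        # Substring match catches a common phrase padded out to the minimum
        # length; sorted() keeps the reported phrase deterministic.
        for phrase in sorted(COMMON_PHRASES):
            if phrase in norm:
                problems.append(f"contains the common phrase '{phrase}'")
                break
    return problems


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["Tr0ub4dor&3", "P@ssw0rd2017!",
                      "Welcome2Emerson!", "glacier-violin-lantern-72"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The point of the normalization step is that a denylist compared by exact match is easy to satisfy with trivial edits; stripping padding and undoing substitutions before the lookup is what makes the “common passwords and phrases” rule bite. The length check and the denylist are complementary: a 13-character string built around “password” passes the first and fails the second, while an unrelated 11-character string does the reverse.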
In Information Security, there is certainly no silver bullet – no vendor product that can prevent all threats, no IT staff member talented enough to block all attacks, and no privileged user population who won’t occasionally make a mistake. As the Dread Pirate Roberts said in The Princess Bride, “Anyone who says differently is selling something.” Information Security work is about ongoing education (both for users and IT personnel, keeping current with emerging threats), mitigation, and scheduled, frequent review and testing of policies and processes.
If you have a question or concern about cyber security at home, at Emerson, or otherwise, feel free to contact the Help Desk at 617-824-8080, and they will be happy to connect you with either me or our Information Security Officer, Dennis Levine.
And don’t forget to follow us on Twitter (@EmersonIT) for tips and resources all throughout October! We’ll be using the hashtag #EmersonSafe. Happy National Cyber Security Awareness Month!
Director of IT Infrastructure