When hackers and scammers try to con Ohio University students and faculty online, it’s up to the Office of Information Technology to keep devices and personal information secure.
“People often think of IT security as all of these cool gadgets and people in front of screens clicking away at their keyboards trying to beat the hackers,” Sean O’Malley, communications manager for OIT, said.
But at institutions like OU, the solution to combating hacking threats is usually less complex than one might assume — it just involves understanding basic human nature and how people can be fooled, O'Malley said.
The office’s security department, led by Ed Carter, senior manager of information security at OU, largely works to combat phishing scams directed at university email accounts. Those scams, which trick users into revealing personal information, come from all over, Carter said.
“Literally it’s from all over the world, 365 days a year,” he said.
The scams are typically external attempts to access someone’s login information for financial gain, and Carter said they are the most common internet security risk the university handles. The attacks typically come via email, where an attacker pretends to be a user’s friend or someone official and asks the person for his or her account information.
“With our lives becoming more and more digital these days, if someone steals my OU password, then they theoretically could log in and try to change my direct deposit right before payday,” Carter said.
“Literally it’s from all over the world, 365 days a year.” Ed Carter, senior manager of information security at OU
OU has protections in place to keep student and faculty information safe. Still, Carter stressed that it is not all up to those security employees to keep information safe.
With knowledge of how to recognize and report phishing scams, Carter said people can protect their accounts and devices from potential irreversibly damaging attacks.
“Security is everyone’s responsibility,” he said. “Think before you click.”
Phishing scams can target students, faculty and staff because university emails are publicly available; anyone can search the university’s directory, Carter said.
The security department receives multiple reports of such scams daily, he said, though the degree of actual compromises to university accounts has been minimal.
“We’ve had a small amount of compromises through the phishing,” he said. “You get a few people who fall for these things and give away their credentials.”
Alex Driehaus / Photo Illustration
Matt Sheets, left, and Haley Baker, security analysts at OHIO Information Technology, work on their computers at the West Union Street Office Center.
The attackers perform the scams because it is relatively inexpensive to do so, O’Malley said.
“They can use free or inexpensive mailer software and just plug in a list of addresses, spend a few minutes typing up addresses, and then they walk away from it, and it sends out the messages,” he said. “Really no account is too small. They use your account to send out mass emails to other people.”
Carter said some scammers try to access financial information, such as tax forms or bank account information, which could allow them to take out loans or credit cards in someone else’s name.
Risks are not limited to email scams, though. John Hoag, associate professor in the J. Warren McClure School of Information and Telecommunication Systems, said computers on OU’s network can be infected through distributed denial of service attacks, or DDoS.
Such attacks happen when a hacker takes control of multiple devices in multiple locations and uses those devices to launch a coordinated attack on a single device or network, O’Malley said. That attack prevents other people from accessing the website or device being attacked.
“Really, no account is too small. They use your account to send out mass emails to other people.” Sean O’Malley, communications manager for OIT
“Our devices can become infected, and in turn, become accomplices in these DDoS attacks,” Hoag said. “The university provides anti-virus (software) and provides the means for updating university-owned machines. But it’s hard to keep up.”
Hoag said his most pressing concern is what he calls “under-maintained or misconfigured devices” — computers that lack updated software or secure passwords and thus are more likely to be at-risk.
In addition, connecting devices with micro-USB cables, such as charging one’s phone through a computer’s USB port, is “very, very risky,” he said.
Hoag cautioned that OU is not that big of a target compared to other commercial organizations, such as banks, insurance companies and utilities companies.
“Most of the threats are economic in nature, and they’re directed toward significant organizations,” he said. “That’s not us. We’re not a high value target.”
To combat phishing attacks and viruses, OIT’s security department detects and deters threats across OU’s network with automated tools, and it provides anti-virus software for all university computers, Carter said.
“Our automated systems analyze approximately a billion data points per day for malicious activity,” he said. “And that can go up or down on a daily basis.”
Carter and the department’s security analysts monitor and respond to security threats each day, while helping students or faculty recover lost or stolen credentials, and investigating the incidents that are reported to the department.
The university has other precautions in place through its policies as well: Those with more access to classified university information — including network administrators or bursar, registrar or application administrators — have more security requirements for logging onto computers.
Students, faculty and staff are divided into different “risk levels,” according to the department’s policy, to reduce the possibility of hackers accessing classified information.
OU is certainly not the only university to have faced information security threats. Overseas hackers stole employees’ personal information from the University of Virginia in January, according to The Washington Post. NBC News also reported in September 2015 that universities across the country regularly dealt with cyberattacks.
For example, Miami University also regularly combats phishing scams, Joe Bazeley, information security officer at the university, said.
“In terms of what consumes the most time, it’s actually phishing attacks,” Bazeley said of the university’s security work. “We get about seven or so a week where they are successful and start blasting out more messages from a compromised account.”
Alex Driehaus / Photo Illustration
Similar to OU, Miami’s IT Services employees then help students and faculty regain control of their accounts.
Both Bowling Green State University and Kent State University also have similar policies in regards to responding to internet security incidents, according to their respective websites.
Bazeley said one challenge Miami faces is ensuring students and faculty know of security threats and how to respond.
“We’re not there yet,” he said. “Right now we’re having conversations to make sure all are aware.”
At Ohio University, though, the security department relies on “getting the word out” to students and faculty about staying safe, Carter said.
The department offers advice on best practices for computer security on its website, and the university hosts an annual IT security seminar each year, he said. This year’s seminar will take place Oct. 14 from 9 a.m. to 4:30 p.m. in Baker Center, O’Malley said.
He recommended students and faculty use strong passwords, avoid reusing or sharing passwords and never log onto unsolicited links or open unsolicited attachments in emails.
“OIT will never send an email that asks your for your username and password,” Carter said. “That’s what most phishing emails look like.”
OU also sends students and staff warnings about phishing scams via email. For example, OIT notified university employees March 17 that a “small percentage” of student and staff accounts had been compromised through phishing.
Hoag said another solution is to avoid checking email on a computer.
“I think that the best defensive thing you can do is to clear mail someplace else,” he said. “Clear your mail on your phone, which is much less likely to be infected. On your real computer, do every update that they ever offer.”
Carter said people should contact security@ohio.edu about any suspicious emails. His staff responds to reports each week.
“We’re starting to get people to realize that ‘I need to think about where I’m going online,’ ” he said. “User response is massive these days.”
Web Development by: Hannah Debenham / Digital Production Editor
Illustration by: Chance Brinkman-Sull / Graphics Director