Indiana University Needs IT Experts to Better Prepare for Cyberattacks

All it takes is one person to click one bad link in one of those messages to wreak havoc on the entire IU network.

by Herald-Times, Bloomington, Ind. / August 7, 2017

(TNS) -- The odds are stacked against Brad Wheeler and Indiana University’s information technology staff.

At any one time, there are roughly 250,000 active IU email accounts. About 3 million messages are sent to those accounts over the course of a year. All it takes is one person to click one bad link in one of those messages to wreak havoc on the entire IU network.

“The organizational security people, we have to be right 1,000 out of 1,000 times,” said Wheeler, IU’s vice president for information technology. But the criminals? “They only have to be right one out of 1,000 times.”

While phishing emails are not new, they have become more sophisticated. No longer is the bait a Nigerian prince willing to share his fortune, Wheeler said. Now, the people creating these emails are reading social media posts, looking at organizational charts and watching the news coming out of a particular industry to craft messages that trigger an instant response.

“An email appears. It looks like it came from your boss,” Wheeler said. “It’s on a topic you’re expecting, so you’re anxious to get the result. You want to see it, so boom, you click on that link.”

If that link releases a worm, like the “WannaCry” malware that affected people in about 150 countries earlier this year, it could self-propagate and jump to other devices on the IU network without anyone else falling for the phish.

It’s a scenario that could play out at the largest university or the smallest business. And the scary part is, the situation is only getting worse.

Global commerce

The internet was built for people who trust each other, Wheeler said. It was never intended to support global commerce.

The internet is also not one thing, but rather, a network of billions of devices, he said. New devices are joining that network every day with both new and old flaws.

There is no easy way to fix the internet. Criminals know this, and they’re getting better at exploiting these flaws.

Wheeler said he was already scared when he went to a cyber security conference in Tel Aviv, Israel, but came back terrified.

“The bad guys are industrialized; they are professionalized; and they are automated,” he said.

Intelligence organizations, such as the National Security Agency, have been creating tools to exploit the internet’s flaws for their purposes for some time. But those tools are now being leaked to the general public with increasing frequency.

This has created a cyber security protection racket for both illegal and legal enterprises.

Crime and security

Wheeler said in the world of cyber security, there are now two loops feeding off each other.

On one side is the exploitation loop, in which criminals become aware of a flaw in a system. They then find a way to exploit that flaw for financial gain. For example, a criminal might use a flaw to gain access to sensitive information and threaten to distribute it unless a ransom is paid.

On the other side is the mitigation loop, where companies sell software or services to prevent the aforementioned exploitation.

“We have these two perfectly interacting ecosystems that both sides are the winners,” Wheeler said recently in a presentation to IU’s Center for Applied Cybersecurity Research. “The bad guys are the winner on one side, and we’re the perpetual loser in the middle, and the guys that are selling all this stuff, this is working for them.”

Mitigation software and subscription services can be helpful, but they alone are not the answer.

A layered approach

IU employs a layered approach to cyber security.

Mitigation services are used to help with things such as emails. For instance, only about 500,000 of the approximately 3 million messages sent are actually delivered to IU email accounts each year.

Despite preventing about 2.5 million spam messages from hitting IU inboxes, some phishing emails still get through. That’s why personal education is another important element in cyber security. For example, IU encourages the use of unique passwords for different accounts. Employees are encouraged to use a virtual private network instead of public Wi-Fi when accessing secure sites while traveling.

On top of all that, IU has a team of about 23 full-time security staff. These people perform a variety of services. For instance, when hackers made billions of usernames and passwords public in a huge file dump earlier this year, IU’s team scanned the files and determined that they included some IU credentials. Most of the IU usernames and passwords were not active, but the team quickly scrambled the passwords for those that were.

IU was not specifically targeted in the hacks that resulted in the file dump. The information actually came from old breaches of companies such as LinkedIn, Dropbox, MySpace and Adobe. IU information ended up there because people used their university email addresses and passwords when registering for those sites.

Reacting fast

The quick response of IU’s cyber security team helped ensure that no sensitive university information was accessed as a result of the file dump. Time is key in minimizing damage in the event of a cyber security attack, but Wheeler has found universities aren’t sharing information about attacks fast enough.

Last year, a database containing more than 1,000 names and Social Security numbers of former University of Wisconsin law school student applicants was hacked. It was 33 days before the breach was made public and communicated to affected users.

“That is not very swift mitigation for everyone else to try to figure out how to lock down the defenses,” Wheeler said in the presentation to IU’s Center for Applied Cybersecurity Research.

To reduce mitigation time, IU has founded a cyber security operations center with four other Big Ten institutions: the University of Nebraska, Purdue University, Northwestern University and Rutgers University.

The idea is not unique to higher education. Eight big banks teamed up to create a cross-industry cyber security operations center. All those banks already participate in the financial services information sharing and analysis center, or FS-ISAC. Wheeler said ISACs were created after 9/11 for different industries, such as utilities and various manufacturing sectors. IU operates the Research and Education Network-ISAC.

“Notice eight big banks decided that was not enough,” Wheeler said. “They were going to form their own private club, because they needed to share information faster.”

IU’s efforts

Forming cyber security operations centers, hiring a team of cyber security professionals and subscribing to cyber security services are all part of IU’s efforts to mitigate the risks of relying on the internet for day-to-day operations. These things don’t make IU 100 percent secure, but they do make the university less vulnerable than other entities.

Unfortunately, every organization that relies on the internet is facing the same threats. It’s a dire situation for small businesses and even local governments in many small towns, Wheeler said. Those entities often don’t have the means to take the same preventive measures as an organization such as IU.

With cyber threats only expected to increase, the broader cyber security of the state is something Wheeler said is deeply troubling.

“It should be an area of immense concern for the state of Indiana,” he said.

©2017 the Herald-Times (Bloomington, Ind.) Distributed by Tribune Content Agency, LLC.