Kent State's digital police are constantly on the beat, battling potential attacks from hackers. We asked them what to watch out for—and how we can protect our digital identities at home and on the job.
By Michael Blanding
Illustrations by Jason Zehner
A gang of criminals has invaded every corner of America. They are casing neighborhoods, trying windows, rattling doorknobs, looking for any way inside to further their epidemic of lawlessness and theft. What this band is looking to steal, however, is more valuable than money—they are after people's very identities.
To those who fight it, this international ring of criminals is known simply as the adversary. The battleground on which they fight is not the streets but the computers and networks that we use every day.
"By some estimates, there is an attempted breach on an outward-facing network every 5 seconds," says Bob Eckman, Kent State's chief information security officer and a member of the leadership team in the Division of Information Technology. "That's equivalent to a bad guy going up and down the street jiggling the handle on every door."
Mr. Eckman is in charge of safeguarding Kent State's computer network from cyberattack, along with a team of cybersecurity agents who constantly identify and fight hackers' attempts to break through walls to steal private information.
"It isn't as though there is a single weapon or a single group," says John Rathje, vice president for Information Technology and chief information officer. "These bad actors often work in concert to identify exploits and leverage them for their cause, whatever that might be."
On the most basic level, these cybercriminals are looking for bits of information on individuals that they can use for malicious intent.
Sometimes, their target is Kent State itself, using the university as a launching pad to attack other organizations.
"Internet traffic originating from a higher education institution might be just enough for bad actors to bypass weaker security controls anywhere across the globe, gain entry to those more vulnerable organizations and then commit bad acts," Mr. Rathje says.
In some cases, these adversaries might not even attack a site right away. Rather, they insert themselves into a vulnerable spot and then sell access to the network or other information on people to criminals on the so-called dark web, a shadowy network not accessible through traditional browsers.
"Actual credit card information is not what it used to be," Mr. Eckman says. "Banks have gotten much better at protecting card information. But hackers see a dollar sign above every person's head now."
Big-ticket items are usernames and passwords, private health information, Social Security numbers and other personally identifiable info that hackers can use to build a complete profile of a person, which they can then use to apply for credit cards or break into their bank accounts.
"Hackers see a dollar sign above every person's head now."
Bob Eckman,
Kent State's Chief Information Security Officer
Rattling Doorknobs
The adversary uses multiple approaches to try to gain entry to systems in order to acquire information. The least sophisticated is "brute force," by which they try trillions of combinations of usernames and passwords in an attempt to find one that works.
Another technique involves stealing packets of information from users of public Wi-Fi networks who send sensitive information or download financial transactions.
More commonly, however, hackers look for a way to get users of a network to let them in voluntarily. Social engineering, the act of attempting to trick people into divulging confidential information, can take many forms.
Phishing
False or "phishing" emails claiming to be from a legitimate source, such as a bank, trick recipients into clicking on a link that will insert spyware onto their computer or take them to a fake website where they are asked to "update" their information.
"Phishing is the bane of our existence," says Tom Mahon, Kent State's manager of digital training and outreach, who says the threat is only getting worse. "We're seeing an increasing number of attacks month over month, year over year," he says.
And these are not the stereotypical badly written emails from a supposed Nigerian prince asking for a recipient to transfer money into his bank account.
"We intercepted one last week that was very convincing," Mr. Mahon says. "It had the name of a real person on campus, who had sent a DocuSign document for you to sign. The English was polished, the graphics were great."
Emails might impersonate a person's bank, asking them to log into their account, or a professor asking a student to log into their Blackboard account, says Kambiz Ghazinour, assistant professor of computer science and director of KSU's Advanced Information Security and Privacy Lab, which researches cybersecurity.
Others might target international students, who might be less familiar with US rules and regulations, Dr. Ghazinour says. "They might try and scare them by saying, we are from the IRS and we are going to deport you from this country."
Though networks are constantly developing algorithms and spam filters to block phishing emails, hackers keep finding ways to get them through, Dr. Ghazinour says. "It's a cat-and-mouse game, of who can come up with a better way to protect a network, and who can come up with a better way to bypass that protection."
Often, the prize they are seeking is a username and password, equivalent to a key to the front door of the house, which they can use both on KSU's server and throughout the web. The sad part, Dr. Ghazinour says, is that the password someone uses for their account at Kent State might be the password they use for their bank, as well.
Once in possession of a password, the adversary can use automated bots that try the same username and password combination on thousands of other sites online until they find a match.
"They'll try a thousand services," says Mr. Mahon, "knowing they are going to fail 99 percent of the time. They're playing a numbers game."
Many institutions employ multi-factor authentication, a method in which a user is granted access only after successfully presenting two or more pieces of evidence to prove one's identity, such as a bank card, a PIN, an SMS text code sent to the user's cellphone and biometrics such as a fingerprint or iris scan. But no form of authentication is 100 percent secure.
Pretexting
In a technique called "pretexting," cybercriminals impersonate, usually over the phone, someone with perceived authority, such as a utility company representative, police officer or member of the clergy, to trick a target into giving them confidential information, which they then exploit.
Bolder cybercriminals actually go to people's houses. They may pose, for instance, as a gas company representative and say they can save the homeowner money on their gas bill. In order to compare rates, they ask to see a current bill, which they secretly take a picture of and use to acquire the person's name, address and account number.
Baiting
Another approach, called "baiting," involves putting a USB flash drive or other device that secretly contains malware out in a public space, such as a parking lot.
"A certain percentage of the public is going to say, 'Oh, it's my lucky day, I just found a 64-gig jump drive, and I'm going to take it home and put it in my laptop,'" Mr. Mahon says—after which it releases its deadly payload into their system.
Bolting Doors
While Kent State's cybersecurity experts won't say exactly what Kent State is doing to secure itself from cyberattacks, for fear of giving away information criminals can exploit, they do say that the university has inserted controls both on the outer perimeter of the network and on individual devices.
The average student at Kent State might have six or seven connected devices—including desktops, laptops, cell phones, tablets, printers, smart TVs, and other "smart" devices such as refrigerators and toasters.
KSU has implemented its own local area network (LAN), which essentially walls off internal traffic from the wider Internet, and has put in place automated processes to identify suspicious log-ins, even if hackers are using a VPN (virtual private network) to disguise their locations.
The Division of Information Technology is continually reviewing security tools and solutions that help the university identify and deal with cyber threats.
It also runs a web page devoted to cybersecurity and digital privacy, www.kent.edu/it/secureit, which includes tips, tricks and tutorials for users to improve their own security practices.
If students or staff think they have received a phishing email, for example, they can send it to phish@kent.edu, where campus administrators will evaluate it and block the sender if it turns out to be malicious.
Practicing Cyber Hygiene
No matter how many barriers administrators put up to block attacks, however, they still struggle to close a big loophole that adversaries can exploit.
"The biggest threat to any cyberspace system is the people using it," says Dr. Ghazinour. "No matter how perfect a system you design, if the user is getting sloppy or doesn't follow the rules, then they will compromise the safety and security for the entire system."
On the other hand, the huge amount of power individual users have also creates a huge opportunity for security. "Something like 90 percent of cyber breaches could have been thwarted if users just showed good cyber hygiene," Mr. Eckman says.
"The biggest threat to any cyberspace system is the people using it."
Dr. Kambiz Ghazinour,
Director of KSU's Advanced Information Security and Privacy Lab
To make sure the Kent State community understands cyber hygiene, for the past five years all new students and their families have received training in basic digital security at face-to-face workshops through Destination Kent State (DKS), the university's orientation program, says Tom Mahon, who does much of the digital training and outreach. At the workshops, he tells participants that the most important thing users can do is protect their accounts with a good password. And he warns them to be careful of how they manage social media.
Passwords
"Use a strong password, don't share your password, and don't reuse the same password," Mr. Mahon says. "Those are the three things. That's it. If everyone followed those rules, they could reduce their risk online tremendously."
By now, most of us are familiar with tips for creating strong passwords, using a mix of letters, numbers, and symbols. For the strongest protection, however, experts recommend using a passphrase instead, stringing together several words separated with symbols.
Even better than choosing a common phrase is stringing together a bunch of random words. "The likelihood of random words appearing together in a searchable database is nil," Mr. Mahon says.
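The arithmetic behind that advice, as an added example that is not part of the original article: a generator for random-word passphrases and a comparison of guessing difficulty, measured in bits of entropy. The 16-word list, the separator set and all function names are assumptions made for illustration; 7,776 is the size of the EFF long word list.

```python
import math
import secrets

# Constructed 16-word sample so the example runs offline. Real generators
# draw from large published lists (the EFF long list has 7,776 words).
SAMPLE_WORDS = [
    "anchor", "biscuit", "canyon", "dynamo", "ember", "fjord", "gravel",
    "harbor", "igloo", "jigsaw", "kettle", "lantern", "mosaic", "nectar",
    "orbit", "pebble",
]
SEPARATORS = "-_.!#"


def make_passphrase(words, count=5, separators=SEPARATORS):
    """Join `count` uniformly random words with uniformly random symbols."""
    if count < 1 or len(set(words)) != len(words):
        raise ValueError("need count >= 1 and a duplicate-free word list")
    parts = [secrets.choice(words)]          # secrets uses the OS CSPRNG
    for _ in range(count - 1):
        parts += [secrets.choice(separators), secrets.choice(words)]
    return "".join(parts)


def passphrase_bits(list_size, count, separator_choices=1):
    """Entropy in bits, valid only if every pick is uniform and independent.
    A phrase a person chooses (a lyric, a quotation) does not earn this."""
    return (count * math.log2(list_size)
            + (count - 1) * math.log2(separator_choices))


def random_password_bits(alphabet_size, length):
    """Entropy of a password of `length` uniformly random characters."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Fewest random words from a list of `list_size` to reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDS))
    print(f"5 words from 7,776:   {passphrase_bits(7776, 5):.1f} bits")
    print(f"8 random chars of 94: {random_password_bits(94, 8):.1f} bits")
    print(f"words for 80 bits:    {words_needed(7776, 80)}")
```

Five random words from a large list are harder to guess than eight random printable characters, and each extra word adds about 13 more bits.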
While not sharing one's password may seem obvious, it is more common than you'd expect. At every DKS training, Mr. Mahon tells the story of "Timmy and Susie" (based on a real example), about a student who shared his password with his girlfriend; after a bad breakup, she used it to reroute direct deposits for his student loan into her bank account.
"When you voluntarily give someone your password, there is a tacit permission to use it," he says. "Years later, we've had students tell us, 'The thing I remember most from DKS is the story about Timmy and Susie,' so we know it sticks."
The most difficult message to get through to people is to use different passwords for different websites. In a world in which the average person regularly uses 200 different websites requiring passwords, remembering unique combinations of letters and numbers can quickly become overwhelming.
Mr. Mahon recommends breaking down websites into groups—for example, social media, online shopping, email and banking—and using different passwords of increasing complexity, so if some sites are compromised, others will remain secure.
"While we can't remember 50 passwords, we can probably remember five," he says. But don't list your passwords on a document labeled "Passwords" that you keep on your computer.
Mr. Eckman also recommends using a password keeper app to assist in remembering passwords; for example, LastPass or Apple's password manager, iCloud Keychain, which stores credentials in the user's iCloud storage.
However, he recommends not including the whole password in those systems—leaving off the last few numbers, for instance, so even if the system is breached, an adversary won't get all your logins.
Social Media
Another mistake people commonly make is oversharing on social media. "You'd be surprised at what adversaries can put together about you from what you say on social media sites," Mr. Eckman says.
One example Mr. Mahon uses in his trainings is a photo of a high school graduate in cap and gown, standing next to a car with "Congratulations, Class of 2005" written on the rear window. The car's license plate is visible, and on the rear window there's also a sticker with the name of the high school. A brick house can be seen in the background.
From that bit of information, he is able to show how an adversary can use public records and online family history resources to piece together her address, phone number, parent's mortgage documents and complete family history—which can be used to answer common password challenge questions such as, "What is your mother's maiden name?"
Despite the danger, however, many people are woefully lax in their management of social media. Along with a graduate student, Dr. Ghazinour conducted a research study in which he broke students into groups depending on their privacy settings on Facebook.
They found that more than a third of students made most or all of their information open to the public.
"Especially if they are using their phones to post pictures, they take a picture and post it right away, and may not check privacy settings," he says. "Later they regret it, and it's too late."
His advice is not to post anything on social media—private or not—that you don't feel comfortable sharing publicly. "Even if you share to friends of friends, someone could easily post a photo publicly—and the Internet is forever."
The challenge posed by social media illustrates just how difficult it is to safeguard our privacy in today's world. After all, the entire purpose of the Internet is to connect with other people, and often people are putting photos and other information on social media in the first place because they want to share it with others and tally their "likes."
Even so, says Dr. Ghazinour, people need to consciously weigh their interactions online, pitting the value of sharing a photo on Instagram, or sending health information in an email, against the risk that information could be abused.
"Once you choose to share something online, you lose control over it," Dr. Ghazinour says. "You need to ask, 'Is this thing I am sending going to bring consequences, and am I ready for them or not?'"
If not, then that information might be better shared in a phone call with a doctor or a face-to-face meeting with a friend—rather than shooting it into cyberspace.
Just as we wouldn't leave our doors wide open for thieves to walk into our homes, we need to lock the doors to our virtual identities, as well.
Cyber Safety
12 tips from KSU experts on safeguarding your digital privacy.
- Change passwords regularly on all of your accounts so an old password can't be used against you.
- Lie when answering password challenge questions, saying your first car was a "blue Honda" instead of a "red Ford." Better yet, come up with a complete non sequitur that only you know, like "Kent State Rules!"
- Enable encryption on electronic devices like laptops and phones.
- Use secure erase features when erasing files.
- Protect your computer by enabling the firewall, turning on spam filters and installing anti-virus and anti-spyware software.
- Update anti-virus protection regularly, and make sure you are up-to-date on the latest patches; turn on "auto updates" whenever possible.
- Delete personal data securely by overwriting data multiple times before disposing of a computer or phone.
- Read end user license agreements on apps you download—especially free apps. You may be giving away access to the information on your phone without realizing it.
- Check for "https" instead of "http" in the browser address whenever you're entering personal data on a website, which signifies the site is secure. Also look for a closed lock icon in some browsers.
- Enable private browsing to disable standard tracking and data collection features common to most browsers and ensure that if your computer or phone is lost or stolen, your web history and passwords aren't stored locally.
- Frequently check your credit ratings or subscribe to a credit monitoring service, so you can quickly catch any signs of identity theft.
- Don't click links in unsolicited emails. Instead, contact the vendor through some other channel—phone, email or their website—to verify their legitimacy.