October is National Cyber Security Awareness Month, and Grinnell’s Information Technology Services (ITS) is hard at work to spread awareness about and improve cyber security on campus.
Information Technology Security Awareness Specialist Linda Ludwig said she has been making an effort to spread the word about cyber security during October. “I have been trying to do something each week of the month,” she said.
The activities included an event with brochures, information and example phishing emails at the Marketplace. In addition, ITS hosted “Scam Slam,” a talk by staffers from the Office of the Attorney General of Iowa with information about how students’ actions can impact cyber security. “They were building it to tell students how to avoid [scams],” Ludwig said. “There was a real positive interchange between the two speakers and the audience. … It was engaging.”
Ludwig also led a workshop entitled “Phishing: Don’t Take the Bait,” with additional examples and more in-depth analysis of the tactics used by phishing emails. Finally, ITS prepared an escape room for groups of students. “The focus of [the escape rooms] is to be fun, but to have a cyber security focus [as] a learning opportunity,” Ludwig said.
With such a great effort to raise awareness, what threats does ITS hope to preempt? Phishing scams are among the greatest threats to Grinnell’s cyber security, and according to Ludwig, “the human factor is the weakest link.”
Personally-targeted phishing scams can be remarkably convincing, and once an attacker gains access to a network user’s login credentials, they can use that account to further their malicious intentions. These can vary widely, from gaining access to other accounts at Grinnell, to obtaining information about personal accounts, such as those for banking.
“Most people think of it simply as, well, I gave up my email account, they sent some spam out, big deal; I regain control of my account, no harm no foul,” Information Security Technical Specialist Mike Pifer said. “The problem with that is, what information did you have in your email account? Did you have any banking information, anything in saved emails, passwords to anywhere else, links to logins, your contacts?”
Beyond stealing information from past emails, one step which attackers may take after gaining access to an email account is to use it to send more spam to more users; emails from another Grinnell account appear more legitimate than do emails from the outside. What is more, hackers can use social information, including past patterns of messages, to learn more about users and personally tailor attacks.
“It’s identity theft and social engineering; the more they know about you, the more they can socially engineer other compromises,” Ludwig said.
Given these scary possibilities, ITS is hard at work protecting the college network and its users. To maintain security, ITS staff were not willing to discuss specific software tools used to maintain cyber security. The College does employ an automated filtering system, which, according to Pifer, identifies 90 to 95 percent of all phishing emails, leaving only a handful of well-engineered scams for end users to identify.
“Ninety to 95 percent we should be grateful for, and we are, because that five percent can cause us a real headache,” said Rob Buchwald, director of information security.
Given all the hard work behind the scenes to eliminate scam messages before they reach users, what can students, faculty and staff do to stay safe? One longtime piece of advice, on how to create strong passwords, is currently being updated. Instead of complex passwords with special characters and random letters, the cyber security consensus increasingly recommends longer passwords that are easy to remember, such as phrases or sentences. These are less vulnerable to a brute-force attack.
“The new term is the passphrase,” Pifer said. “It might end up being 27 characters long. Cracking that by computer method becomes very difficult and time consuming, but I can easily remember it, but I can’t remember that 12-character random-generated with special characters stuff.”
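To put the two figures Pifer mentions side by side, here is a short strength estimate written for this article; it is not ITS's tool and uses assumed attacker parameters. It compares a 12-character random password drawn from the 95 printable ASCII characters with a 27-character passphrase of lowercase letters and spaces, measuring each as the number of guesses a character-by-character brute-force attack would need. It also adds the caveat a practitioner would raise: if the passphrase is built from a few common words, an attacker guessing whole words faces a much smaller search space, so the words should be chosen at random from a large list, not from a familiar saying. The guess rate of ten billion per second is an assumed round number for illustration only.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10  # assumed attacker speed, for illustration only


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force search must cover."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log2 of the search space."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at the given guess rate."""
    return search_space(alphabet_size, length) / rate / SECONDS_PER_YEAR


def compare() -> dict:
    """Return the three cases discussed in the article and its caveat."""
    return {
        # 12 random characters from the 95 printable ASCII symbols
        "random_12_chars": entropy_bits(95, 12),
        # 27-character passphrase, attacked letter by letter
        # (26 lowercase letters plus space = 27 symbols)
        "passphrase_27_chars_by_letter": entropy_bits(27, 27),
        # caveat: the same passphrase seen as 5 words, each picked
        # from a 7776-word list (a constructed, diceware-sized list)
        "passphrase_5_words_by_word": entropy_bits(7776, 5),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} {bits:6.1f} bits")
    print(f"12 random chars:  {years_to_exhaust(95, 12):.2e} years")
    print(f"27-char phrase:   {years_to_exhaust(27, 27):.2e} years")
    print(f"5 random words:   {years_to_exhaust(7776, 5):.2e} years")
```

The letter-by-letter figure shows why a long phrase resists brute force far better than a short random string. The word-level figure shows the limit of that advice: five words chosen from a word list give fewer bits than the 12 random characters, so a passphrase made of a well-known quotation or a short predictable phrase gives up most of the advantage its length suggests.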
As far as detecting and avoiding scams, according to Ludwig, the best thing to do is to “think before you click.” Even taking a few seconds to consider the source and content of the message can help avoid a scam.
Pifer said that users should ask themselves, “‘Does this look legit?’ If your answer is ‘I don’t know,’ stop and go further into looking into the message.”
Simple precautions can go a long way, but Buchwald warned against a false sense of security. He said, “Don’t underestimate how much damage can be done if someone steals your identity or has your credentials.”
National Cyber Security Awareness Month ends with a warning, but also with many strategies for avoiding scams. It is impossible to be too careful.