If administrators get an email from the college president, they shouldn’t assume it’s authentic. It could very well be a cyber attack from an imposter.
That has actually happened at several community colleges.
In a recent incident at the College of Central Florida (CCF), a hacker knew President James Henningsen was out of town, says Henry Glaspie, associate vice president for information technology. Posing as the president, the hacker sent an email to another vice president saying that his credit card had been stolen and that he needed someone to wire him money.
There have been other cases where a hacker, pretending to be the president, sent an email asking an employee to open an attachment, thus introducing a virus into the system, or to click on a link and provide their user name and password.
Those requests often include the college logo to make them seem authentic but usually come from a Gmail or Yahoo account, which should tip off recipients that they are not actually from the president.
Those types of attacks are known as “spear phishing,” as they target one individual, Glaspie says, rather than “phishing” attacks sent broadly, like “throwing a net in the water.”
To safeguard against employees taking the bait, CCF tags all outside email with the word “external” in all caps in the subject line, he says. That alerts the recipient that the message didn’t come from the college’s email system.
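The two signals described above, a president's display name on a Gmail or Yahoo address and the "EXTERNAL" subject tag, can be sketched as a mail-filter check. This is an added example, not CCF's system; the domain `college.example`, the name "Pat Example", the `[EXTERNAL]` tag format and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration only (not from the article).
INTERNAL_DOMAINS = {"college.example"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com"}
PROTECTED_NAMES = {"pat example"}      # executives whose names get impersonated
TAG = "[EXTERNAL]"


def screen_inbound(raw: str):
    """Tag outside mail and flag executive-name impersonation.

    Returns (subject_after_tagging, list_of_flags). This sketch trusts the
    From header for the internal/external decision; a real gateway would
    base that on where the message entered and on SPF/DKIM/DMARC results,
    because the From header itself can be forged.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []

    if domain not in INTERNAL_DOMAINS:
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            del msg["Subject"]                 # no error if header is absent
            msg["Subject"] = f"{TAG} {subject}".strip()
        # Display name is attacker-controlled: compare it, never trust it.
        if " ".join(display.lower().split()) in PROTECTED_NAMES:
            flags.append("executive-display-name-from-external-sender")
        if domain in FREEMAIL_DOMAINS:
            flags.append("freemail-sender")

    return msg["Subject"], flags


# Constructed sample messages.
SPOOFED = ('From: "Pat  Example" <pat.example.president@gmail.com>\n'
           "To: vp@college.example\n"
           "Subject: Urgent wire transfer\n\nMy card was stolen.\n")
INTERNAL = ("From: Pat Example <president@college.example>\n"
            "Subject: Board agenda\n\nSee attached.\n")
VENDOR = ("From: Billing <billing@vendor.example>\n"
          "Subject: Invoice 17\n\nThanks.\n")

if __name__ == "__main__":
    for sample in (SPOOFED, INTERNAL, VENDOR):
        print(screen_inbound(sample))
```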
“Community colleges here in Florida are under constant attack,” Glaspie says.
That’s because they maintain lots of personal records. “We teach and employ thousands of people and maintain student transcripts and other records for 20 years or more,” he says. Community colleges serve a transient population, and have to retain information on students even if they take one course.
To protect themselves, Glaspie says, “community colleges spend millions of dollars a year on technical controls, antivirus and anti-spyware software and security for their student information system, network and wireless network.”
The most important way to prevent breaches is through user education to “shape the security information culture,” Glaspie says. CCF staff are trained in network security at least once a quarter.
Phishing is still the cheapest way to break into a system, Glaspie says. “It only takes one human to click on a link and give up their password for a phishing scheme to succeed.” Employees who make a mistake are instructed to immediately contact the help desk and have their user name and password changed.
CCF also put in place two-factor authentication for employees who log in when they are off campus. In addition to a password, they need to answer a security question or type in a random security code received as a text on their phone.
Training is critical
Sinclair College in Ohio also has been hit by spear phishing attacks involving fake emails from the president asking for personal information, says Chief Information Officer Scott McCollum.
“People are falling for these things because they look so real,” McCollum says.
Sinclair has not had a major breach but “we’re constantly bombarded with attempts,” he says. “They come from everywhere, many are from other countries.”
In the old days “it was more about hackers injecting computers with viruses as a practical joke. Today, it’s big business, with organized crime behind some of the big ransomware attacks,” McCollum says.
There have been minor incidents at Sinclair, such as instances where an employee was hit by a ransomware attack that corrupted data on a single computer. The one protection against ransomware is having a backup, McCollum says. Sinclair instructs employees to only store data on network drives, which have more protection than a local drive.
Sinclair implemented “sandboxing,” in which a link from an outside source is put into a protected environment where it can be tested before the recipient can open it.
In most cases people break into computer systems to steal information they can sell on the black market to the highest bidder, says Kyle Jones, an associate professor and chair of the computer information systems department at Sinclair.
A stolen credit card is worth about 25 cents, he says, but a stolen student record from a college – containing a name, address, bank account, past work record and data on everything submitted to the registration office – can fetch $2,000.
The college has been designated a National Center of Excellence in Cyber Defense, a program jointly sponsored by the National Security Agency and the U.S. Department of Homeland Security. To achieve that designation, a college must have a robust security plan that details how the network should be updated, how students should log in, and how the help desk should operate, among other issues.
According to Jones, “social engineering” is the number-one way hackers get into a secure system. In one common example, a hacker calls the help desk pretending to be a student or faculty member who inadvertently got locked out of the system and needs a new password right away. They sometimes have the recording of a baby crying in the background to create a sense of urgency, he notes.
Those calls succeed 80 or 90 percent of the time, he says, so teaching help desk staff how to field and analyze calls is critical.
In another common trick, hackers call the help desk saying they’re having trouble sending an email. When a staff member tries to help and clicks on the email, they introduce a virus into the network.
Half of the annual training session is about guarding against social engineering and getting staff to understand that they cannot deviate from the policy no matter how urgent a caller sounds, Jones says.
He urges colleges to be especially vigilant to protect research data worth money on the black market. At Sinclair, Jones is working on a project for NASA to develop wallpaper made from a mesh fabric that can block wireless activity. Another project involves automation systems for autonomous vehicles for the National Science Foundation.
“That research needs to be protected,” he says, so it doesn’t get into the wrong hands.
Sinclair’s Cyber Defense Center has a closed-off hacking environment – where students learning about network information security can create a virus, release it, control it, contain it and delete it – without harming the college’s network.
Students learned how to replicate the Equifax data breach, which affected 143 million people last year, and correct it, Jones says. That failure, and other major breaches that affected Target and Lowe’s, happened because network patches weren’t updated. He compares a network that’s not regularly updated to “a sinking ship with duct tape used to fix the holes.”
Sinclair students also meet with FBI agents from local field offices once a quarter as part of the InfraGard partnership, where they learn about recent cyber threats.
A wake-up call
A 2017 cyber attack at Cabrillo College in California last year was a wake-up call, says Irvin Lemus, a computer information systems professor who specializes in cyber security.
Cabrillo notified 40,000 students whose personal information was compromised and offered them a year’s membership to a credit monitoring and identity protection service.
The affected data included names, passwords, dates of birth, addresses and emails of 28,000 students. The Social Security numbers of another 12,000 students also were compromised.
It isn’t known whether the hacker used or sold the hacked data, but even if it wasn’t downloaded, the hacker could have taken a picture of it on a monitor, Lemus says.
Since that incident, the college has contracted with an outside consultant to analyze what happened and how to fix it, implemented an information security plan outlining what to do if a breach occurs, developed an acceptable use policy for the college’s computers, and stepped up staff training. Cabrillo is also in the process of applying for designation as a National Center of Academic Excellence in Cyber Defense.
The computer information systems department set up separate networks and equipment for students to carry out “war games” where some students try to break into the system and others respond as if they are malicious actors, Lemus says. “So when a real attack happens, they will act swifter, if not prevent real damage,” he says.
Eastern Maine Community College (EMCC) has “definitely seen an increase in cyber threats,” says President Lisa Larson.
There was one incident where Larson had her name attached to phony emails, but no one fell for it, she says. When college officials learned about that, staff were advised that the message was not from the president and that “we never ask for that information.”
In June, EMCC was hit by a major malware attack, requiring the college to notify 42,000 current and former students and employees and to take remedial actions. An employee inadvertently opened an email attachment, which infected the college’s network with the Emotet malware, which the Department of Homeland Security says is “among the most costly and destructive malware.”
At first, the college’s IT team thought it was a normal virus, but it continued to change as it spread throughout the network, Larson says.
The college can’t prove that any data was compromised but because of the possibility that some user names, passwords, Social Security numbers and birth dates might have been accessed, EMCC is offering free credit checks from Experian to current and former students going back to 1998 and for employees going back to 2008.
After the incident, EMCC notified law enforcement, brought in consultants, initiated an internal security audit, required training for all employees and upgraded its technology infrastructure.
Now when questionable emails come through, recipients get a message stating, “this may be spam” and “please be vigilant.”
The cyber threats have “brought us to a new way of doing our work and how we communicate and engage with our students,” Larson says. “We can’t make the assumption that everything is safe.”
“Taking strong and effective security measures is vital,” she says. “It’s an investment every institution has to make.”