LOGAN — The Utah State network is attacked about 1 million times each day, says USU IT security analyst Bob Bayn. Hackers look at Utah State University’s network like they would a business’s network: They know if they infiltrate it, they will gain access to money, powerful computers and valuable information.
“Our network is always under attack by people who want access to either our computers for their own use or our data for money-making purposes,” he said. “We have the spider silk program, we have space research, we have infectious agent research and we have a certain amount of money. We’re just another business to poke at.”
Although USU computers need protection, the university’s network cannot be kept as secure as a business network because of the vast resources students need access to for their studies, Bayn said.
“Students have to have access to both of these environments here: The protected environment where we’re protecting your data, and the open environment where you can explore things, try things and look for information,” he said.
Allowing students more online freedom can make the university more susceptible to attacks, Bayn said. “When you have that kind of access to the internet it means the bad guys on the Internet have, in some ways, similar access to you,” he said.
Bayn and the university’s security team are constantly working to improve the network’s security, but they hope Utah State students will learn how to prevent, identify and combat attacks as well. The security analysts hope students will take personal responsibility for their own computer security to help keep their personal information — and the university’s — safe.
Student Ali Barrus was using her computer on campus one day when the screen froze. A notification appeared, saying the only way to fix the computer was to call the number on the screen. She dialed the number, and a woman picked up on the other end.
“It was some lady from, it sounded like India or something,” Barrus said.
The woman said she needed to see the computer screen to fix the problem. She asked Barrus to press a few buttons to grant her remote access. Barrus hung up the phone, and she’s glad she did.
“If I would have done what they told me, they would have been able to see my screen and get all my information,” she said.
Bayn says Barrus was smart. The Utah State sophomore had narrowly avoided a social engineering attack, a tactic hackers use to trick people to into making their computers less secure. “Basically, you’re telling your computer to do what the bad guy wants it to do,” Bayn said.
Social engineering attacks are fairly common at Utah State, and come in many different forms, said Jared Hill, a member of USU’s security analysts team.
“Sometimes you’ll get a notification that says, ‘You have a virus in your system, click here to eradicate it,’ and that’s actually a virus itself,” he said. “Sometimes the attacks will say, ‘Touch this screen’ or ‘Call this number to get help,’ and you’re actually calling people who are going to remote into your system and get access that way.”
Attacks also come in the form of email, Hill said. These are called “phishing” attacks. He said phish emails have enticing subject lines that can entice users to enter personal information into locations they are led to believe are secure. Bayn listed some of the subject lines of phish attacks that have been sent to USU students, faculty and staff this year:
- Review a published article that mentioned you and has many comments
- See your employee performance review [here]
- I have remitted payment; see attachment for confirmation
Phish attacks are usually random, Bayn said, but some target Utah State. He calls these spearphishing attacks, and they often include specific information about the university, which makes them more difficult for campus computer users to ignore.
For example, Bayn said a spearphish message sent to faculty members in 2013 said someone from Russia had logged into the faculty members’ Banner accounts. The message instructed faculty members to click on a link and log into the system to confirm their actual location, Bayn said. When faculty members clicked on the link, he said, they were brought to a page that mimicked Banner in almost every detail, but was actually a fraudulent site.
When the faculty members entered their information into the fraudulent Banner page, the attacker received the information. Then, the attacker logged into the real Banner page, found the faculty member’s direct deposit information, then filled in his own bank account information. Three faculty members were fooled by the attack, Bayn said.
Preventing and combatting attacks
Miles Johnson, the security analyst team coordinator, says that although the university is attacked millions of times every day, most aren’t phish attacks. Most of those attacks are highly automated and easy to combat. With a bit of security knowledge and common sense, students can easily avoid both automated and non-automated attacks, he said.
“Attacks are real, even if you can’t see them,” Johnson said, “but there are common-sense things you can do to protect yourself, so don’t panic.”
Among the most obvious common-sense strategies to stay safe online is password security, says Hill. He recommends creating long passwords with numbers, symbols and capital letters, and using different passwords for every online account.
“If you use the same password everywhere, if an attacker gets it he can access everywhere,” he said.
Hill recommends using a password manager, an application that makes and stores unique, complex passwords for every website.
Nicholas Stauffer, a junior who works at Utah State’s IT Service Desk, emphasized the importance of using a strong passwords in connection with email accounts.
“Email is a gold mine for an attacker,” he said. “If they can get access to an email account, they can start resetting passwords for other websites.”
Another way students can keep their accounts safe, Stauffer said, is by using two-factor authentication.
“When you enable two-factor authentication, a website will require an additional security step before you can log in,” he said. “One of the most common I’ve seen is cell phone authentication. A security code is sent to your cell phone and that code has to be entered on the website after typing your password.”
In addition to password security, Bayn said students should frequently update their programs to assure hackers don’t find ways into the system without their knowledge.
“Keeping your computer patched and up-to-date is essential, even though everything seems to be fine without the patches and updates,” he said. ”The bad guy’s goal is to get into your machine without bothering you. Keeping patched and updated helps to keep the opportunities closed up as much as possible.”
Bayn said students can download programs that will automatically install updates.
There are a number of other programs listed on safesurf.usu.edu, a website the security team created, that can help students choose reliable sites when they browse the web. Bayn hopes students will use the programs to avoid hackers and malicious sites.
Bayn encourages students, faculty and staff to watch for phish attacks and be “Internet skeptics.”
“[Computer users] form a continuum here, from the gullible to the paranoid,” he said. “If you’re too gullible, you’re going to fall for every scam, and if you’re too paranoid you won’t be able to take advantage of the information. Somewhere in the middle is the skeptic.”
Bayn said there are hundreds of Internet skeptics on campus who “recognize mischief and report it.” In fact, more than 300 students and faculty reported nearly 2,000 malicious email attacks to the IT security team during 2015, Bayn said in an email.
Everyone on campus is encouraged to become an Internet skeptic by reporting suspicious emails to firstname.lastname@example.org, Bayn said. He said students, faculty and the IT security team all need to work together to keep Utah State’s information safe.
“Almost all of the Internet attack issues can be effectively dealt with if you can get enough people working with the defense,” Bayn said. “Our biggest problem is when we think that it’s somebody else’s job.”