Facing increased cybersecurity risks, AU technology team acts proactively
Chief information security officer discusses University cybersecurity plans
Editor's Clarification: This article has been updated to clarify the University's continued efforts with cybersecurity.
After a ransomware attack forced Howard University to cancel classes for three days, American University’s information technology team continues its efforts to prevent similar attacks on AU’s systems and information, including student information such as grades and health records.
Chief Information Security Officer Cathy Hubbs leads an office of five engineers who monitor possible cyber threats against the University.
One strategy the University uses to test its cyber-defenses is called self-phishing, where the IT department sends out an email to faculty and staff, but not students, that mimics a phishing attack. These drills happen several times each month and increased in frequency once the University went online as a result of the coronavirus, according to Hubbs.
“We’ve been doing that for about four, five years now and we routinely, without telling the community, send out a phish email that has intentionally been designed to mimic some sort of threat and attack that’s going out,” Hubbs said.
Scammers use links and files in phishing attacks as a method of entry into computer systems. When someone interacts with the link, it allows attackers to insert malware or viruses into a network and gain access to sensitive information.
This phishing drill helps the IT team inform its cybersecurity policies and strategies. One of the ways it does this is by using data to show which departments are most vulnerable to phishing scams. Hubbs said that the increased use of links in some departments over others is one example of this.
“[Drills are] not punitive at all. The people click on it, then they get an awareness tip that says if you had clicked on this, it would have been a malicious link here,” Hubbs said. “The self-phishing has been one of the number one best improvements. We've seen a really good resilience rate for American University in terms of very low click [and] very high reporting.”
The IT team compiles a report annually that is distributed internally. This year, Hubbs said, the team hopes to also send a community message to “applaud” the improvement of staff and faculty since the beginning of the program.
The University also relies on software like Cofense that detects and deters phishing. Cofense blocks malicious or spam emails and sends the data to administrators. According to Hubbs, the information gathered through Cofense is not released publicly.
The service, which is only available to faculty and staff, protects those who click on malicious links via link wrapping, which temporarily isolates a clicked link from the web browser and computer systems. Link wrapping allows Cofense to analyze whether the link is dangerous or not in a few milliseconds — if it is, the user is prevented from accessing the link.
Joseph Patella, a junior in the Kogod School of Business, said he doesn’t worry too much about IT vulnerabilities in the system.
“I think the University does a lot in terms of trying to protect your information,” Patella said. “We have to change our passwords every semester, and stuff like those little things make it harder for somebody to get your information.” AU requires students to change passwords only once a year, not once a semester.
However, individual actions still play a large role in the overall security of University systems, Hubbs said.
It only takes one person to click on a malicious link, accidentally download a virus onto a personal computer or set up an account with a weak password for a hacker to breach the system.
Hubbs recommended that all community members use a passphrase. A passphrase functions as a password, but is instead a three- or four-word phrase. Hubbs said that entire sentences can also be used.
According to Hubbs, the most important piece of a good passphrase is making it memorable so that it doesn’t have to be written down or saved. If a user stores the passphrase anywhere, it becomes much more vulnerable to being stolen.
Along with working to ensure that students are using safe passwords and phrases, the IT team provides services that help students secure their accounts. These include DUO, which allows students to use multi-factor authentication for their accounts.
Multi-factor authentication is also available through student Google accounts. The University recently announced that multi-factor authentication through Google will be mandatory for all students beginning on Nov. 18.
The IT team also provides students, staff and faculty access to a virtual private network, which allows individuals access to secure servers when they are not on campus. While students are not required to use it off campus, it does allow them to view material that is only accessible while on the eagle-secure wireless network, such as the Washington Post and New York Times.
An evolving threat landscape
The University’s IT team also relies on information sharing networks with other universities, which helps it proactively identify system vulnerabilities. The most far-reaching one is the Research and Education Networks Information Sharing and Analysis Center.
“[REN-ISAC] is a trusted community that’s sharing information about things that they may see,” Hubbs said. “Maybe a university in the middle of the country is seeing some sort of active threat coming against and hitting their firewalls and they say, ‘we prevented it so far but we're seeing it and it's coming from these machine numbers, these IP addresses.’”
Government law enforcement agencies also operate information feeds that provide up-to-date information on cyber threats, Hubbs said. Hubbs declined to name specific agencies the University works with, but said that “AU works cooperatively with local and federal law enforcement agencies where [and] when appropriate.”
Hubbs declined to answer how cyber attacks inform the University’s security policies, citing security concerns.
But it is not complex information feeds and security systems that form the heart of the IT team’s strategy; it is the people in the AU community who use those systems.
“When you have a mature and comprehensive security program, you have to be looking at people,” Hubbs said. “What do people do? What are their jobs? Are they trained? What is their awareness?”