The number of targeted phishing attacks on the university has risen by 60 percent this year, representing the trend of these attacks of moving from government bodies to private institutions.
“The scheme involved phishing attacks that successfully collected NetIDs and passwords,” Chief Information Officer Lisa Davis wrote in an email to The Hoya. “We’ve seen scare tactics in email subjects, including ‘Your NetID has been compromised,’ or a note from ‘Information Technology’ requesting specific information from users.”
University Information Services Security Officer David Smith attributed the continuing success of this tactic to the increasingly realistic quality of these fraudulent emails, including one that appeared to come from Davis’ account.
Davis emailed the Georgetown community Thursday morning requesting that everyone change his or her email account password by the close of business Friday, citing “recent phishing attacks resulting in several identity thefts on campus.” Thursday’s email from Davis used more urgent language than previous phishing warnings.
According to Smith, Georgetown is one of many universities that has been affected by phishing and other cyber security threats.
Tracy Mitrano, director of information technology policy at Cornell University, identified three types of cyber attacks: those originating from common criminals seeking money; “hacktivists,” including vandals and political groups; and most prevalently, advanced persistent threats, or APTs, that are often sanctioned by foreign governments seeking information.
“There is no international Internet governance, and so it is the proverbial wild west in terms of crime and law enforcement global,” Mitrano said.
Foreign sources are interested in universities’ data, according to Mitrano.
“Originally APTs were directed to military information, then industry and, most recently, with focused intensity to higher education,” Mitrano said. “The goal of these attacks is to obtain as much data – for example, from academic libraries and scholarly journals, research and research laboratories and institutional intellectual property – as is possible in the event that it might be useful information to have given any particular academic or industrial development.”
At Georgetown, UIS utilizes an array of techniques to defend against cyber attacks. According to Smith, the constantly evolving nature of cyber threats necessitates a similarly dynamic defense policy.
“Because new attacks are being devised and new vulnerabilities in IT systems are being discovered all the time, UIS creates administrative and technical safeguards to reduce the effects or potential impact of a security threat or vulnerability,” Smith wrote in an email.
Specifically regarding phishing, Davis described how certain safeguards attempt to protect the student body from potential cyber-based threats to personal security.
“UIS’s security analysts stop many phishing attempts through our various proactive means to capture and/or block malicious IPs,” Davis wrote. “We use every technical means at our disposal and are always adapting our tactics as phishing schemes change.”
Phishing, however, according to associate professor of computer science Wenchao Zhou, is particularly difficult to eliminate due to the ease with which someone can send an email from a false address.
“Phishing attacks are sent through emails, and they’re really hard to prevent, because the protocol used to send out emails does not really require authentication,” he said. “Anybody can send out an email from any address they want.”
In addition to employing conventional means of cyber defense, including firewalls and other safeguards of important information, UIS encourages people not to put personal information online and provides phishing avoidance training. In addition, the university has cyber insurance to protect against any potential problems that may arise.
Assistant professor of computer science Adam O’Neill said that the greatest threat to student and university cyber security is a product of human error rather than technical flaws.
“You need to educate people more about these kinds of attacks and show what a strong and weak password is,” he said. “Any large organization with a lot of data is vulnerable to being hacked, as long as people follow the best practices and keep up to date, we have a pretty good understanding about how to prevent this kind of threat.”