With the recent spate of network phishing attacks, where hackers have attempted to gain information, the university has instituted a mandatory biannual password change for students, faculty and staff during both the fall and spring semesters.
University Information Services sent out the first batch of emails to students who have not changed their password in the last six months — students who changed their password within the last month are exempted — but found that 1,300 have failed to change their passwords. This figure represents about half the students notified.
If students fail to change their passwords by the date specified in their targeted email, they will be locked out of the system and be required to call the service center in order to go through the password change process and regain access to the network. UIS has already postponed their additional deadline, because of spring break.
“We’re looking at about 31,000 student IDs, and if you take that 50 percent number, that’s a lot of people. We don’t want that many people getting cut off. We don’t even want half that many people getting cut off,” Associate University Information Security Officer Judith House said. “We’ve worked the dates around so that no one will be cut off during pre-registration and no one will be cut off during exams, but in that window in between, everybody is either going to have to comply or be cut off.”
To guard against attacks, Georgetown uses a defense-in-depth system, which uses layers of defense to ward off hackers. The university gets around 2.4 million attacks a month on the system. Normally attacks come in the form of false log-ins or malware links that network users click on, allowing a false network to gain their information.
“In a very real sense, the human is the weak link. … If you have a weak password that’s easy for them to guess, if you accidentally click on a link that has malware attached to it, that kind of thing, is a door into the institution,” House said.
Recently, other schools, including University of Maryland, Indiana University, Johns Hopkins University and the University of North Dakota, suffered data breaches. University of Maryland’s system especially suffered, as attackers were able to gain personal information of around 300,000 students, including social security numbers.
For some students, the emails about phishing attacks have proven confusing, as they are unsure how exactly to change their passwords and what to look out for.
“I also think that the university doesn’t really do a good job differentiating what’s real and what’s not because they’ll say, ‘Did you get this email? That was fake, don’t do it,’ and I never really know which one is which,” Claudia Huang (COL ’17) said.
Huang noted that she had not changed her password and was not aware that students are required to do so. She said that students would benefit from a Blackboard alert directing a password change.
Thu Dao (NHS ’17), who also had not changed her password, did not feel particularly concerned about the phishing attacks.
“I think I should be, but because I haven’t been personally affected by it, I don’t think I’m that concerned,” Dao said.
In order to cause more concern, some students believe the university should more directly and clearly communicate with students about the status of attacks.
“I think they could make it more clear in how they explain what the risks are to students and just the way that students can protect themselves,” Evan Chernack (SFS ’17) said. “If that’s something Georgetown wants to do, it needs to be accompanied by them raising a lot of awareness.”