As area universities fall victim to sophisticated cyberattacks, the University Information Security Office at Georgetown remains vigilant in its attempts to combat the 2.4 million attempted intrusions Georgetown’s network faces a day.
“The entire environment of cyberattacks against higher education has just simply changed. No longer sort of this lone wolf creating nuisances or viruses, it really is sophisticated, foreign, government-sponsored and organized crime rings that are now focusing their attention on colleges and universities,” Deputy Chief Information Officer Judd Nicholson said.
While 28.3 percent of the attacks are based domestically, an additional 14 percent come from China and 6.4 percent from Russia, according to Georgetown statistics.
The University of Maryland was the latest school to be targeted, after a cyberattack Wednesday compromised the personal records of more than 300,000 students, faculty and staff on its College Park and Shady Grove campuses. The database holds information dating back to 1998.
The database breached contained names, Social Security numbers, dates of birth and university identification numbers, but no financial, health, academic or contact information.
“I am truly sorry. Computer and data security are a very high priority of our university. … We recently doubled the number of our IT security engineers and analysts. We also doubled our investment in top-end security tools. Obviously, we need to do more and better, and we will,” University of Maryland-College Park President Wallace D. Loh wrote in a press statement Wednesday.
The incident coincided with the recent implementation of mandatory bi-annual password changes for all Georgetown students, faculty and staff. In an email Wednesday, Chief Information Officer Lisa Davis wrote that the change was spurred by “increasingly sophisticated phishing and cyberattacks” on Georgetown and other universities.
“We’re just such attractive targets because we have so much data, so many different kinds. It’s kind of one-stop shopping from the point of view of the hacker,” Associate University Information Security Officer Judith House said.
According to Nicholson, hackers are attracted not only by personal information, but also by research information and potential information about intellectual property. Nicholson believes the recent attack at U-Md. resemble the phishing attacks on Georgetown students, faculty and staff in deliberateness and complexity.
Nicholson emphasized the value of risk management and improved practices and procedures for dealing with more advanced threats in maintaining a “balance between openness and security” at Georgetown. Over the past two years, the university has been mitigating risk through the ongoing monitoring of university systems and networks, regular security reviews, system evaluation and analysis.
“It is about risk management, so we do various things here in UIS to really protect the data of the institution. So, on-going monitoring of our systems and our networks. We do regular security reviews so that we can know where the risks are, and we can then proactively mitigate those. So, I think in this case, understanding the risks and then putting in place the best practices and procedures to protect our environment is really our goal right now,” Nicholson said.
The new bi-annual password has been met with a less than enthusiastic response from students.
Christine Kalpin (SFS ’16) saw the change as a mark of inefficiency on the part of university administration.
“I’ve gotten so many spam things, and I feel like they tell me to change the password so many times, so I feel like they need to increase whatever they’re doing, try better measures of combating this,” Kalpin said.
Nevertheless, administrators expressed confidence in the policy as one way to reduce the risk of attack.
“Every computer and every device is an entry point to our network and the best protection is for us to do the pain-in-the-neck things that are securing our passwords. … I do understand that it’s a nuisance, but we really need you to be our partner on this,” House said.
In response to the breach at U-Md., House also encouraged students not to click on links in emails, share personal information over phone, email or text and to delete texts from unfamiliar numbers or names.