Photo credit: blogtrepreneur.com/tech
There are three billion people on the Internet — and not all of them are law-abiding. That fact is the one of the reasons securing data and computer networks is such an essential component of any organization, including Boston College.
While the responsibility of protecting data and the computer network belongs to all members of the University, the oversight of the University’s computer security is the purview of Information Technology Services.
With nearly 50,000 devices on the Boston College network each day, the task of data and network security may seem daunting, but Vice President for Information Technology Services Michael Bourque cited two factors for the University’s success to date: the unparalleled support from all levels of the University and the proactive, not merely reactive, approach of ITS’ data security team.
“Security is one our top priorities at ITS,” said Bourque. “We get strong support in our security efforts from the trustees, the president, the executive vice president, the provost, the deans, the Academic Technology Advisory Board, the faculty and the entire BC community.
“The support is fantastic. We sense that we get far better backing than our colleagues at most other universities.”
Leading the security efforts in ITS is Director of Computer Security and Policy David Escalante, who also serves as chairman of REN-ISAC (Research and Education Networking Information Sharing and Analysis Center), a computer security incident response team for higher education.
Escalante stressed the importance of being vigilant about the emerging threats on the technology landscape as well as being aware of new technologies appearing on campus, such as smart TVs and wireless smart speakers, like Amazon’s Alexa.
He pores over a multi-page report on known software vulnerabilities he receives every week from the US Computer Emergency Readiness Team. He is also connected to colleagues through an annual security camp he hosts for nearly 200 computer security practitioners representing universities throughout the US as well as their partners in government and business.
All this information gathering and networking helps Escalante stay ahead of issues, such as the faulty software that recently led to the Equifax data breach.
Said Bourque: “Dave and his team are experts and are in tune with what’s going on and that is a huge advantage. They work closely with the Data Security Working Group, which represents the security needs of departments throughout the University.”
Much of the work the data security team does is behind-the-scenes and invisible to faculty, staff, and students.
For example, Escalante says the level of “junk” email coming into BC is unprecedented, noting that the University rejects 90 percent of its incoming email.
“It isn’t even scanned for spam; it’s just not accepted,” said Escalante, who teaches in the Woods College’s Master of Science in Cybersecurity Policy and Governance program. “Then, the remaining email goes through two different spam filtering systems before it gets to users.”
Each day ITS blocks computers on campus from accessing tens of thousands of known bad websites and uses firewalls to discard 150 million undesired attempts to access BC.
High on the list of current threats, according to Escalante, is credential theft – stealing a username and password combination. These credentials are vulnerable to theft through phishing schemes, which trick users into sharing their credentials, and viruses that track users’ keystrokes. In addition, if people use their BC credentials on other websites, and those sites get hacked, the hackers then have a way to access BC’s network.
To combat that threat, ITS instituted a policy in 2013 where users must annually change their BC password – a task some may find irritating, Escalante acknowledged, but the policy has resulted in a more secure BC network.
“We have gone from forced resets of hundreds of compromised passwords a year to only a handful,” he said.
Additionally, ITS has initiated multi-factor authentication (MFA), a two-step verification process for systems such as PeopleSoft HR, PeopleSoft Financials, and eventually, the virtual private network (VPN).
Other threats are malware, such as a virus that damages a computer or network, or ransomware where hackers threaten to withhold data or publicly release data unless they are paid money. These occurrences are relatively rare on campus, according to ITS, thanks to the network protections already in place.
If Escalante’s team is the behind-the-scenes player in the security efforts, the team led by Technology Director of Support Services Scott Cann is on the front lines. Cann oversees the technology consultants and the HELP Desk, typically the first ones contacted by faculty, staff or students dealing with a possible issue. His group is also responsible for training and communications, raising and maintaining the University community’s awareness and engagement in security issues.
Both Cann and Escalante said one noticeable change in the threat landscape is the increased sophistication of the phishing attacks. Instead of blasting a phishing email to a million users, hackers now will customize their attacks to as few as 10 people.
“That’s why it’s called spear phishing,” said Escalante. “They are targeting very small groups with tailored emails. And because it is such a small sample, it is hard for any security system to detect them and stop them.”
“The criminals are taking information about the targeted enterprise, such as when a company announces it is changing its benefits provider, to craft messages that make it more likely that someone will click on them,” added Cann.
Escalante says a rising threat is scams. Today’s scams are no different those of the past, he says, but now technology is the instrument, with scammers spoofing caller ID systems and emails to separate unsuspecting people from their money.
Last month, as part of National Cyber Security Awareness Month, ITS and Woods College’s Cybersecurity program co-sponsored a well-attended event where Escalante talked about new twists on old scams and FBI Special Agent Doug Domin presented information on FBI cyber investigations.
Because security protocols are not flawless, Escalante said, there are steps members of the BC community should take to help keep their data and BC data safe.
Escalante urged people to opt in for MFA where possible, such as with online banking. When accessing WiFi off campus, even for tasks unrelated to BC, people can use BC’s VPN. This will add a layer of encryption and protections, such as blocking bad websites.
The simplest and best tactic, Escalante added, is to be a skeptic when online and slow down and think before reacting to emails.
Members of the BC community who receive an email they deem suspicious should contact their TC or forward the email to firstname.lastname@example.org.
—Kathleen Sullivan / University Communications