Photo credit: blogtrepreneur.com/tech
There are three billion people on the Internet — and not all of them are law-abiding. That fact is one of the reasons securing data and computer networks is such an essential component of any organization, including Boston College.
While the responsibility of protecting data and the computer network belongs to all members of the University, the oversight of the University’s computer security is the purview of Information Technology Services.
With nearly 50,000 devices on the Boston College network each day, the task of data and network security may seem daunting, but Vice President for Information Technology Services Michael Bourque cited two factors for the University’s success to date: the unparalleled support from all levels of the University and the proactive, not merely reactive, approach of ITS’ data security team.
“Security is one of our top priorities at ITS,” said Bourque. “We get strong support in our security efforts from the trustees, the president, the executive vice president, the provost, the deans, the Academic Technology Advisory Board, the faculty and the entire BC community.
“The support is fantastic. We sense that we get far better backing than our colleagues at most other universities.”
Leading the security efforts in ITS is Director of Computer Security and Policy David Escalante, who also serves as chairman of REN-ISAC (Research and Education Networking Information Sharing and Analysis Center), a computer security incident response team for higher education.
Escalante stressed the importance of being vigilant about the emerging threats on the technology landscape as well as being aware of new technologies appearing on campus, such as smart TVs and wireless smart speakers, like Amazon’s Alexa.
He pores over a multi-page report on known software vulnerabilities he receives every week from the US Computer Emergency Readiness Team. He is also connected to colleagues through an annual security camp he hosts for nearly 200 computer security practitioners representing universities throughout the US as well as their partners in government and business.
All this information gathering and networking helps Escalante stay ahead of issues, such as the faulty software that recently led to the Equifax data breach.
Said Bourque: “Dave and his team are experts and are in tune with what’s going on and that is a huge advantage. They work closely with the Data Security Working Group, which represents the security needs of departments throughout the University.”
Much of the work the data security team does is behind-the-scenes and invisible to faculty, staff, and students.
For example, Escalante says the level of “junk” email coming into BC is unprecedented, noting that the University rejects 90 percent of its incoming email.
“It isn’t even scanned for spam; it’s just not accepted,” said Escalante, who teaches in the Woods College’s Master of Science in Cybersecurity Policy and Governance program. “Then, the remaining email goes through two different spam filtering systems before it gets to users.”
Each day ITS blocks computers on campus from accessing tens of thousands of known bad websites and uses firewalls to discard 150 million undesired attempts to access BC.
High on the list of current threats, according to Escalante, is credential theft — stealing a username and password combination. These credentials are vulnerable to theft through phishing schemes, which trick users into sharing their credentials, and viruses that track users’ keystrokes. In addition, if people use their BC credentials on other websites, and those sites get hacked, the hackers then have a way to access BC’s network.
To combat that threat, ITS instituted a policy in 2013 where users must annually change their BC password — a task some may find irritating, Escalante acknowledged, but the policy has resulted in a more secure BC network.
“We have gone from forced resets of hundreds of compromised passwords a year to only a handful,” he said.
Additionally, ITS has initiated multi-factor authentication (MFA), a two-step verification process for systems such as PeopleSoft HR, PeopleSoft Financials, and eventually, the virtual private network (VPN).
Other threats are malware, such as a virus that damages a computer or network, or ransomware where hackers threaten to withhold data or publicly release data unless they are paid money. These occurrences are relatively rare on campus, according to ITS, thanks to the network protections already in place.
If Escalante’s team is the behind-the-scenes player in the security efforts, the team led by Technology Director of Support Services Scott Cann is on the front lines. Cann oversees the technology consultants and the HELP Desk, typically the first ones contacted by faculty, staff or students dealing with a possible issue. His group is also responsible for training and communications, raising and maintaining the University community’s awareness and engagement in security issues.
Both Cann and Escalante said one noticeable change in the threat landscape is the increased sophistication of the phishing attacks. Instead of blasting a phishing email to a million users, hackers now will customize their attacks to as few as 10 people.
“That’s why it’s called spear phishing,” said Escalante. “They are targeting very small groups with tailored emails. And because it is such a small sample, it is hard for any security system to detect them and stop them.”
“The criminals are taking information about the targeted enterprise, such as when a company announces it is changing its benefits provider, to craft messages that make it more likely that someone will click on them,” added Cann.
Escalante says a rising threat is scams. Today’s scams are no different from those of the past, he says, but now technology is the instrument, with scammers spoofing caller ID systems and emails to separate unsuspecting people from their money.
Last month, as part of National Cyber Security Awareness Month, ITS and Woods College’s Cybersecurity program co-sponsored a well-attended event where Escalante talked about new twists on old scams and FBI Special Agent Doug Domin presented information on FBI cyber investigations.
Because security protocols are not flawless, Escalante said, there are steps members of the BC community should take to help keep their data and BC data safe.
Escalante urged people to opt in for MFA where possible, such as with online banking. When accessing WiFi off campus, even for tasks unrelated to BC, people can use BC’s VPN. This will add a layer of encryption and protections, such as blocking bad websites.
The simplest and best tactic, Escalante added, is to be a skeptic when online and slow down and think before reacting to emails.
Members of the BC community who receive an email they deem suspicious should contact their TC or forward the email to security@bc.edu.
—Kathleen Sullivan / University Communications