The Internet can be a wealth of information and connections, but it can just as easily be a haven for viruses, identity thieves, and hackers. Luckily, associate director of information security Dan Jones and information security analyst Eric Martin are working hard to ensure that WPI is kept safe from threats and has access to a smooth, safe, and secure Internet experience as often as possible.
“We keep people from hacking WPI, we keep WPI from hacking other people, and we keep WPI from hacking WPI,” Martin says.
Jones and Martin work in the Power House on campus, with an oversized monitor situated on the wall between their two desks that alerts them to WPI's Internet usage, lists of automated blocked websites (currently at around 940,000), and the roughly 10,000 endpoints on campus.
The red screens that pop up when WPI users try to access one of those 940,000 blocked sites, alerting them to the fact that the page they’re attempting to visit is not currently safe, are a well-known sight. They’re also a measure of security that has resulted in a 90% decrease in ransomware on campus.
“[Incidents] have gone up—quadrupled in 2016, doubled in 2017—on other campuses, but it’s stayed flat here,” Jones explains.
Although ransomware attacks have remained under control, there are still fraudulent emails and other web pages that need to be dealt with; according to the information security (InfoSec) team, anywhere from 25 to 50 people per day are victims of phishing. Phishing occurs when attackers send fake emails to trick individuals into revealing their passwords, credit card numbers, and other sensitive information.
“There are some [emails] that appear to come from senior management, telling people to do an ACH transfer or release funds to some place. Thankfully, people are starting to question that, but some still pass through,” Jones says. “...If you didn’t expect it, question it. If [the sender] is asking you to take action, you might want to check with the person to see if they actually asked.”
By copying login screens and other web pages through a process known as screen scraping, or by purchasing a cheap domain to host their malware, attackers are also able to steal information quickly and easily when users try to log in.
“It’s kind of a dark art,” Jones says.
The methods and timing of attackers may seem random, but Jones and Martin explain that’s not the case. For example, a few weeks ago, 48 people fell prey to a phishing scam, causing them to unknowingly give up their WPI credentials. The scam took place during the weekend, something the InfoSec team says was planned deliberately, because those who were affected accessed their email accounts through their home networks as opposed to WPI’s.
“They have big resources,” Jones says of the companies behind malware and phishing scams. “They’re making millions on these scams … they’re carved up divisionally like a real business.”
"We keep people from hacking WPI, we keep WPI from hacking other people, and we keep WPI from hacking WPI." -Eric Martin
At first glance, it could be easy to think that the job of the InfoSec team solely consists of flagging dangerous websites and stopping spam and phishing emails from entering inboxes, but that’s just the tip of the iceberg. In actuality, Martin and Jones are in charge of protecting countless amounts of sensitive data, passwords, and financial and personal information.
“We have patient health data because of student health services, and credit cards, and unpublished research that hackers would love to get their hands on,” Jones says. “Higher Ed is very much in the crosshairs these days because crooks know we have all this.”
Keeping your information secure and protecting yourself on the Internet can seem like a daunting task, and most of what the InfoSec team can do is help people recover after they’ve been hacked or their information has been stolen. However, they’re working toward getting ahead of the curve by offering security consults and encouraging members of the WPI community to come to them with any questions or concerns.
“We’re the subject matter experts,” Martin says, “but we’re not solely responsible for InfoSec. InfoSec and security awareness is an ‘everybody’ thing.”
He’s pleased by the fact that, over the course of his year and a half working on campus, more and more faculty, staff, and students have been seeking the team out for help and advice instead of just jumping into the digital playground and hoping for the best.
Whether you’re working in the cloud for the first time or looking for the most secure ways to store your latest research paper, be sure to ask the experts for advice and ensure that the only phishing you have to worry about this summer is the kind out on the lake.
- By Allison Racicot