Every day, Cal Poly receives millions of spam messages, according to Information Technology Services (ITS) Deputy CIO Ryan Matteson.
While students don’t see a majority of the spam they receive, numbers show that universities across the country are a target for cyber security attacks.
According to Symantec’s 2015 report, educational institutions were the third most targeted institutions, behind retail (second) and health care (third).
Why universities are targeted
Universities are more vulnerable to cyber attacks because of the mass amount of student data they hold, including financial information, social security numbers, student directories and academic publications.
Additionally, universities are targeted because their network system offers a service to thousands of individuals. From a hacker’s standpoint, it’s more effective to attack a network of interconnected users, as opposed to a single individual using a home computer.
“The risk-reward calculation becomes more favorable for the attacker when there are larger organizations,” computer science junior Max Zinkus said.
Larger institutions like banks and corporations are also included in the mix of targets for cyber attacks.
The most recent string of phishing attacks was Wells Fargo, which included messages prompting users to make changes to their account and update their finances.
Compared to a university, a bank has more resources, based on the amount of money they can spend on people to audit the security system and higher quality software and hardware, Zinkus said.
Nonetheless, both a university and a bank have an incentive to protect their user accounts from attacks.
Attacks on universities could come in the form of denial of service attacks, malware, ransomware, phishing and spam, among others.
According to Matteson, Cal Poly saw an uptick in phishing or attacks in which a person tries to illegally obtain passwords and personal information.
“We receive millions of phishing emails,” Matteson said. “(However), ITS has devices that detect and block the viruses before they’re delivered to campus.”
While some features might block a majority of phishing emails, that still leaves a small percentage left unchecked.
It only takes one
If phishing emails reach a Cal Poly student’s inbox, it doesn’t take much for one seemingly legitimate message to become a string of harmful attacks.
“It only takes one out of millions to have significant impact,” Matteson said.
When one person clicks on a file in a phishing email and downloads it, the person becomes a victim, opening the door to others catching the virus. When a victim downloads a malicious file onto a desktop, the hacker can access personal accounts, passwords and desktop files, among other account information. Once the victim downloads the file, it signals the hacker that they have access to the student’s .edu account. From this point, the hacker can send what seem to be reliable emails out to other Cal Poly students, spreading the virus or malicious file.
What to look for in a phishing email
The first thing students can do if they receive a suspicious email is to look at the sender’s domain.
“An attacker may try to send an email that at face value looks like it’s from ‘ASI Club Services,’ but the email it was actually sent from was maliciousphisher@domain.com,” Nathan Lemay, software engineering senior and president of White Hat — a Cal Poly cyber security and hacking club — said.
Often, the sender’s address will contain a series of jumbled letters and numbers. By hovering over the username, students can identify an unauthorized user.
Hackers might also try to target users by sending emails from domains they think their targets will be familiar with, Lemay said.
Because some phishing emails come across as typical messages, Matteson said to pause before clicking a link or downloading a file.
Because of the information and content sharing nature of universities, there aren’t restrictions on the content that can be downloaded from emails, Matteson said. This means students should be especially vigilant when opening what appear to be real links, downloads or requests.
A good tip is to consult with Cal Poly’s ITS department to verify if the authenticity of the source if a user is completely unsure.
How to protect yourself
Each time a Cal Poly user changes a password, a mini lesson about choosing smart passwords pops up.
“Oftentime people pick passwords that are supposed to look random,” computer science professor Zachary Peterson said. “The problem is humans aren’t very good at picking random things.”
Because humans struggle to remember a series of mixed numbers and letters, Peterson recommends using a password manager that generates passwords. A benefit to the password manager is that the user does not have to remember them —they’re stored on the computer and controlled by one master password.
There’s only one catch: the master password must be extremely complex and difficult to guess —and it must be learned and memorized by the user.
Furthermore, when considering a new password, Peterson recommended choosing a longer password, rather than a random one. As a starting point, users should create a phrase familiar to him or her, Peterson said. Users can add strength to the phrase by purposefully using misspellings or adding numbers and symbols.
While students can attempt to create their own passwords and rely on password managers to generate stronger pass codes, it’s ultimately up to the students to educate themselves on how to properly identify legitimacy on the web.