U.Va. continues to improve on-Grounds network protections

A look at cybersecurity at U.Va.

hs-AntiPhishing-RDizon

One way the University helps students improve their cybersecurity is with anti-phishing training emails.

Richard Dizon | Cavalier Daily

After last month’s Equifax data breach, the issue of online security has once again been brought into the national spotlight. 

As one of the three nationwide companies for credit-reporting, Equifax’s data breach means that millions of people’s private information has been stolen. Information like names, birthdays, addresses, Social Security and driver’s license numbers has been compromised, as well as around 200,000 credit card numbers.

“Over the next year, two years, you’re going to see a major change in what people are doing [in terms of security,]” said Jason Belford, the University’s chief information security officer.

In 2015, the University community was sent an email about a cyber attack and the resulting changes in security measures.

“Federal authorities had alerted the University of a possible cyber attack, and this was confirmed by the University on June 11,” Patrick Hogan, the University’s executive vice president and chief operating officer, wrote in the email. “Upon becoming aware of the attack, the University engaged Mandiant, an internationally recognized cybersecurity firm, to immediately help the University identify the nature of the attack and take corrective action.”

No personally identifiable information was stolen in that breach.

“After that, we started the SecureUVA program,” Belford said. “Any network that’s part of the on-grounds networking infrastructure — we’re actually making a lot of changes across all of them.”

The security enhancement program is currently working on several initiatives, with awareness being a key part of the movement toward safety.

“One of the things that I love about Charlottesville is the sense of community here,” Belford said. “We do have to doubt things that are coming in [to our online networks] and our education awareness program is trying to do that. We have to understand that the people that are attacking us are not in Charlottesville.”

When students first create their NetBadge account, they go through a brief internet security training. 

“The survey definitely supplied me with more detailed information,” first-year Nursing student Alice Bremer said. “I feel more educated on the subject.”

In order for it to be more timely, the survey will be undergoing some updates in the near future.

“It’ll be a little less dry and it’ll be very informative,” Belford said.

One of the most effective aspects of training are the phishing simulation exercises sent to students, faculty and staff. 

If someone clicks on the link and puts their information into the page, they are taken to a screen that lets the person know it was a phishing simulation. It shows the red flags in the message they were sent, so they know what to look for in the future.

“We take all of that data and look for hotspots,” Belford said. “Who’s answering at the highest level? That lets us focus the in-person training. We’re trying to get people to stop clicking on messages, to start questioning messages.”

Recently, about 100 student accounts were compromised when a fraudulent email told students they could get a reduction in fees.

“This one pretended to be Student Financial Services,” Belford said. “In a lot of [these] cases, the unauthorized user, the bad guy, went in and changed their account information.”

In addition to awareness training, NetBadge logins will become more secure. Though students like Bremer trust the system, there is always room for improvement, especially when it comes to phishing.

The University is working on implementing a two-factor identification for NetBadge logins. It’s mostly implemented for faculty and staff and then will move to students. The additional step will be optional to start.

“You’ll go to NetBadge, put your username and password in, and then you’ll do something on your phone,” Belford said.

Additional measures to increase cyber security at the University include an intrusion prevention system and an academic protected network, as well as updates to IT security policy and procedures.

Data classification is moving from a three- to four-part system. 

“The first category is highly sensitive data: that’s the health data, the financial data, stuff like passport numbers, driver’s license numbers, social security,” Belford said. “In our policies those require a lot more control around it. The machines that hold the information, there’s certain places it can be, there’s certain ways you have to access it.” 

Moderately sensitive data is protected by law and regulated, or sensitive in nature, but not to the same extent as more personal data. 

Memos and emails fall under a third category, internal use. Security measures are still in place around the data, but not nearly as many as the sensitive categories.

“That last category is public — it’s the stuff we stick up on the webpages,” Belford said. “I need to still protect those web servers, but I don't need to protect the data because it’s meant to be public.”     

Third-year Engineering student Ethan Trinh is taking CS 4501, Network Security, with Computer Science Lecturer Ahmed Ibrahim.

“All the information in the world is becoming digital and a lot of that is meant to be confidential,” Trinh said. “It’s important to learn about the methods used to keep that information safe and identify potential vulnerabilities in the currently used methods.”

As far as off-Grounds cyber security goes, there are a few steps to follow. 

“There’s a couple of things you want to do, just basic user hygiene,” Belford said. “Keep your machine up to date. Make sure you have some kind of anti virus. Understand what phishing is.”

Though breaches that occur within companies like Equifax make people question the safety of their information on the internet, according to Belford, the attacks aren’t any more likely to occur online than in real life. 

“To me, it’s actually safer if you’re ordering online with a reputable organization than it is doing some transactions in person,” Belford said. “I have confidence that they’re handling that information correctly.”

With all of the upcoming changes, Belford believes that student, faculty and staff information will be better protected than ever. 

“We’re making the network safer,” Belford said.

related stories