For every step IU’s cyberinfrastructure takes, the cyber criminals take two. Information technology professionals work every day to stop them.
Technology users at IU, whether they’re careless or not, can be phished, breached, mishandled, misrepresented, hacked or overtaken by cyber criminals.
Recently, thousands of IU employees had their private information accessed through some of these scams.
It is up to people under the Office of the Vice President of Information Technology to make sure instances like these are as rare as possible.
More than 1,100 employees work under the associate vice presidents in OVPIT and the University Information Technology Services, and about 31 specialize in information security, OVPIT chief of staff Dan Calarco said.
Employees in the University Information Security Office are the main experts, but security responsibilities usually cut across different departments because it’s such a complicated field, Calarco said.
“They may be installing security patches on servers or helping integrate single-sign-on for a new service,” Calarco said. “Even I handle our UITS phishing education and simulations. Cybersecurity is not my primary job, but it is certainly part of it.”
Internet safety workers don’t just make sure IU’s technology is properly functioning and highly protected.
They educate staff and students on the best practices to protect themselves online by training employees, making information accessible on their website and easing users into better practices.
The offices also work to formulate a proactive security strategy rather than a reactive one so prevention is more of a focus than simply fixing the problems as they come.
“In UITS, at least in UISO, it’s all security,” IT human resources officer Deb Allmayer said. “Typically UITS has depth in roles while departmental positions have greater breadth of responsibility.”
Because these employees oversee all eight campuses and not just Bloomington, they’re often stretched thin.
One area Calarco said the office is focusing on is recruitment, so they can keep up with the demand. Calarco said talent comes from many areas, whether it's local, national or international.
“We’ve been recruiting from IU, locally, nationally and internationally,” Calarco said, “We often lose potential employees to companies like Microsoft and Amazon. We have to make sure we’re competitive.”
In addition to the people who work directly underneath IU’s IT department, every school has its own department of security services that operates separately. Many of these schools contract specifically with UITS to get work done within their departments.
“It can get confusing,” Calarco said. “But as long as these schools comply with IT-28, IU’s recent cyber risk mitigation policy that tries to contain cyber threats at IU, schools get to decide what they invest in.”
Regardless of the trouble they’ve had figuring out logistics or recruitment, information security is a field that has growing national interest, which helps with the expansion of OVPIT’s services, Allmayer said.
Policy analysts, journalists and industry professionals mention cybersecurity on a national scale on a daily basis, especially with the recent hacking scandals in the 2016 presidential election.
Now OVPIT can take on projects like the rollout of two-factor authentication while being more aggressive in safety education for staff and students.
Duo Login, the two-factor authentication system at IU, prompts users to confirm their login with a verified device after entering their username and passphrase.
During the spring 2016 semester, Calarco said one of the most pervasive attacks took OVPIT by surprise.
A series of emails prompting IU students and employees to click on a link to view an “important message” from the staff portal was sent to thousands.
When clicked, the link redirected to a mockup of the Central Authentication Service webpage, the familiar login form that users see before accessing any online IU service.
After the recipient entered their login information, the page redirected once again, but the message they were promised was nowhere to be seen.
Most people who received this email likely thought it was a glitch and did not report it.
However, this was a example of phishing, or a scam where people send emails pretending to be a legitimate source to solicit personal information.
“This is why we’ve now introduced many opt-in security services at IU,” Calarco said. “We detected fraud, but we also need to prevent it in the future.”
The bad actors, or people who attempt to access a system with malicious intent, now had direct access to many IU usernames and passphrases.
They could redirect paychecks and view the sensitive information of thousands of people.
IU security experts went through all the possibilities they could think of to stop the messages from reaching the inboxes of unsuspecting IU affiliates. Eventually all subsequent messages were blocked, and the original recipients were forced to change their passphrases.
Duo, the two-step login system that is now required for all employees, was introduced because of this phishing scam.
Calarco said the office is expanding Duo soon by gradually requiring it for more IU-affiliated bodies, like student organizations, but these efforts come with a challenge.
“We need more education for people so they know why it’s important to opt in, even if it’s not required for them yet,” Calarco said.
Education goes beyond telling users about what might happen. It includes making them capable of detecting when a message they receive doesn’t look quite right and reporting it to the technology services so the problem can be stopped as quickly as possible.
Calarco said he sees digital signatures and trusted messages becoming more common defense mechanisms.
These authorizations ensure the email’s recipient that the message they’re looking at was legitimately sent from that person.
These security measures may become commonplace in the IU network, but for now Calarco and his office try keeping as many threats as possible at bay.
“The cyber criminals continue to become more professionalized, convincing, and sophisticated,” Calarco said. “If there is some information of value, they will try to find a way to capitalize on it.”
Bad actors are out to profit from IU in many ways, whether it’s by stealing sensitive data from unsuspecting staff and students or by accessing expensive textbooks and research materials that aren’t open to the public.
As the University becomes more reliant on the internet and the digital landscape to access, exchange and develop information, there is a greater potential for vulnerability.
Calarco said with every advancement IU makes, cyber criminals are nearly always going to match those advancements with some of their own.
“As they develop tools, and as the things that we hold dear become increasingly digital and increasingly valuable, they will continue to try to tilt the game in their favor,” Calarco said. “With solutions like Duo and two-factor authentication, we can tip the game back in our favor.”
Like what you're reading? Support independent, award-winning college journalism on this site. Donate here.
Citizens around central and southern Indiana will be affected by high ozone levels.
Steve Martin and Martin Short will showcase their talents in an old-school variety show.
The New York native comes to Indiana for the first time.