When criminal hackers unleashed the WannaCry ransomware attack last month, the headlines were dire:
- "Hackers hit dozens of countries exploiting stolen N.S.A. tool" (The New York Times)
- "The ransomware meltdown experts warned about is here" (Wired magazine)
- "The era of cyber-disaster may finally be here" (The Washington Post)
And rightly so. In just one day, the attack infected more than 230,000 computers in over 150 countries, crippling Britain's National Health Service and putting a serious dent in government and business operations all over the globe. In short: WannaCry was the largest ransomware attack the world has ever seen. (Ransomware is just what it sounds like: It's malicious software that prevents people from accessing their data until a ransom is paid.)
Like every university and large-scale business, the Indiana University security team spent many hours including nights and weekends trying to understand and mitigate the mutating WannaCry worm and its variants. We found hundreds of IU computers that had not been patched even though the security updates from Microsoft had been available since March. We removed network access for those computers until they could be patched by their owners.
I see no near-term solution to the recurring malfeasance of cybercrime and attempts to steal your personal data. It will get worse before it gets better, and there are three, structural reasons that will remain so in the near term:
- The machine is deeply flawed. By "machine" I mean the billions of devices that comprise the thing we call "the internet." Its DNA was built for communities of trust, and it was never designed for the e-commerce and sensitive data handling that we have tasked it to do every moment.
- Humans do human things. From clicking suspicious links to using the same password for every site, people unwittingly do things that open the door to cybercrime -- and despite our best efforts to educate, that won't change.
- Nefarious actors are industrializing. It is shocking to see the flow of sophisticated hacking kits from nation-state actors to professional criminals who take that malware and then package, improve and automate its use for criminal purposes from any place on the planet.
The world has changed, and we must, too, as criminals increasingly automate and industrialize their attacks. Personal behavior in the use of technology remains one of IU's greatest risks, and we will all have to stay deeply engaged in educating and ensuring appropriate behavior to help mitigate these risks.
Case in point: the phishing attack that struck IU in April 2016. As one of the longest sustained phishing attacks to hit our university, this crime targeted about 12,000 IU users, mostly faculty and staff.
The fraudulent email wasn't even very sophisticated. Its goal was to get individuals to give out their financial information by clicking on a link in an email purportedly from the "IU staff portal" -- and IU doesn't even have a staff portal! Unfortunately, hundreds of IU faculty and staff fell victim to this scam and unwittingly gave criminals access to their W2s, bank account numbers and more.
This situation required serious communication. For the first time in my 10-year career as vice president for IT, I sent a message to all 150,000-plus faculty, students and staff explaining the dangers of phishing. We then began the process of rolling out Two-Step Login (Duo), our two-factor authentication system. My rationale was simple: By providing an additional layer of security when you log in to some IU systems, we can protect sensitive data and guard against increasingly sophisticated email and online scams (e.g., phishing attacks) that can leave you vulnerable to identity theft.
Duo is working. Just last month, our cybersecurity measures were able to ward off unauthorized access when 2,000 IU passphrases were discovered to have been reused outside of IU and compromised from those sites. (See point No. 2 above.) You see, my greatest worry is human behavior, as it the primary target of the criminals. We can and will continue to invest in technology and services to mitigate the dangers, but the best defense against cybercrime is educated users, specifically with regard to phishing. Simply put, our best defense is YOU.
UITS is here to help you and your department/unit become cybersecurity-savvy. We recently signed a contract with PhishMe to provide a suite of tools including phishing simulation, reporting and training, all designed to help you become smarter about phishing.
I encourage all schools and departments to try the PhishMe Simulator. With this tool, departments create simulated real-life phishing scenarios that deliver on-the-spot education opportunities. Cybercriminals know that the best and most damaging phishes look locally contextualized. The PhishMe Simulator will allow you to train your staff to spot a tailored phish, and on how to avoid it and report it. To request a license for the PhishMe Simulator, email talk2UITS@iu.edu and our staff will help set you up.
Finally, I want to encourage you to view the new, no-cost training materials we have from PhishMe on "Email Security Fundamentals."
I know that many of you might have cybersecurity fatigue. However, if there's one thing I know, the news headlines will continue to scream dire messages about cybersecurity crime. It's up to us to do our part to keep IU, and ourselves, as safe as possible.
Brad Wheeler is IU vice president for information technology and chief information officer and a professor in the Kelley School of Business.