You’ve seen the TV show before. A shadowy miscreant in a black hoodie is furiously typing away at a keyboard, illuminated only by the glow of the monitor. Suddenly, a dialog box pops up: “ACCESS GRANTED.” The attacker has successfully hacked the mainframe. Unfortunately, Hollywood’s portrayal of “hacking” doesn’t quite match up with the challenges of cybersecurity these days.
When you study the attacks of recent years, a familiar pattern emerges. First, the attacker sends a phishing email. Far from the easily spotted Nigerian prince-style messages of the early 2000s, today's phishing emails are deceptive, realistic looking, and convincing. There is usually a panic-inducing call to action warning the recipient that if they don't click the link or open the attachment, their account will be lost forever. Victims who fall for the scam are tricked into handing the attacker their username and password. Because so many of us reuse the same password in multiple places, the attacker can then use those credentials to log on to any other service the victim uses.
The crown jewel for the bad guys is your email account. Because your email is used to confirm new accounts, purchases, and password changes, taking control of it makes many other attacks possible, including resetting the passwords of every service tied to that address. When the target is a business, university, or hospital, the attacker uses the stolen credentials to pivot around the network, looking for an opportunity to elevate their privileges so that they can compromise critical infrastructure.
Who are u?
Cybercrime costs are projected to reach $2 trillion by 2019 [source: Forbes]. Many of the most recent high-profile breaches, including Yahoo!, Target, and the Democratic National Committee, started with a successful phishing campaign launched by cybercriminals. To combat the increasing threat, we need to change how we authenticate users so that we actually verify that they are who they say they are, which will stop many attacks before they can really get started.
What if an attacker had to do more than steal a username and a password to log on to someone's email? What if logging on required a person to provide both something they know and something they have? This is the core principle behind multi-factor authentication (MFA). To authenticate, at least two of the following are needed:
1) Something that you know: This is the most common single factor of authentication, and the one most of us use every day. It might be a Social Security number or a PIN (a Social Security number makes a poor secret, since it has been shared with many organizations), but for the most part it takes the form of a username and a password.
2) Something that you have: Have you ever seen one of those RSA SecurID keychain tokens hanging alongside someone's car keys? That is one example of proving who you are by something that you have: the token displays a one-time code that only a device holding the matching secret can produce. A more common example today is a mobile phone app, such as Google Authenticator or Duo, which does the same job in software.
3) Something that you are: This is the least common authentication factor, but one that is occasionally used in the government space. How do you prove who you say you are by something that you are? Usually this takes the form of a fingerprint scanner or a retina scanner, and voice recognition is increasingly common. Unlike a password, a biometric cannot be changed if the stored template leaks, so it is best paired with another factor rather than used alone.
MFA education
Phishing campaigns remain a concern in higher education. A common tactic is to impersonate university officials and offer a student-union gift card to anyone who logs on and completes a survey. Another scam uses stolen credentials to log on to a self-service portal and change an employee's direct-deposit information, so that the bad guys receive the paycheck instead of the employee.
One reason institutions hold off on MFA is the fear that end users will not accept the extra step, leaving faculty, staff, and students frustrated, angry, or confused. As with any other change, educating end users on why the technology is being used helps encourage adoption and head off destructive security breaches.
For example, we conduct an annual Security Week at Hyland. For one week each year, our application-security team gets to immerse our fellow coworkers in the world of information security. Throughout the week, we host presentations on topics ranging from phishing scams to advanced cryptography. Volunteers also staff instructional demo booths and walk employees through the process of hacking vulnerable systems, so they can learn about the threats posed by unpatched, outdated, and insecure software.
Through this proactive security education, our end users are engaged in practical and memorable training to better understand their role in protecting our customers’ information. Consider taking a similar approach to training campus users so that they will fully understand the purpose of the technology.
Securing the future
Most ransomware attacks begin with a successful phishing campaign. Getting ahead of the bad guys by implementing MFA could save your institution millions of dollars while also protecting the private information of your faculty, staff, and students. What are you doing to ensure you're not next?