Feb-12-2009 10:34 AM
One of the most important issues facing university IT security teams is data security. University IT teams should make students, faculty and university professionals aware of the many dangerous phishing scenarios, which can contaminate university servers and personal computers on university campuses.
Data disclosure and phishing, two methods which break past IT security defenses, are commonly used to obtain private information, including Social Security numbers and other sensitive data. "Data disclosure" is when old files with Social Security numbers or other personal data are accidentally made public, lost, or stolen. Furthermore, one of the most significant threats to the data in university systems is a type of social engineering called phishing. Phishing can include being tricked into clicking a link to malicious software, among other methods of accessing your personal data.
Many IT security teams at universities are struggling to find ways to battle data disclosure and social engineering. And yet the best defense against these methods, and the way to protect personal data, is to find the sensitive data and keep it personal: remove it from the server.
Sensitive data finders installed on your servers, such as Spider, can help. If you support other computers, you may also have to run the sensitive data finder on those computers too. University IT officials will likely have to assist users in interpreting the results, but better now than encountering problems later on.
Microsoft has come a long way in battling security problems, producing faster, more effective and more resilient security software in the past few years. Among these efforts are Windows Firewall and the Microsoft Secure Development Lifecycle. Both are enabled by default; therefore, anyone interested in accessing your sensitive data has moved to e-mail and IM as a means of attacking and getting access to the private information on your computer.
Phishers have been known to try to trick computer users in many ways, including fooling users into thinking they are being contacted by a legitimate organization with which they are familiar. Phishing e-mails have often even taken the form of fake complaints from organizations such as the Better Business Bureau.
If users are not expecting an attachment, the attachment should ALWAYS remain unopened. Of course, if it is a person's job to open attachments, it is necessary that the attachments not be opened on the local machine.
As malware (computer contaminants, a category that includes "computer viruses") becomes an increasingly common threat, university IT officials need to keep up to date on the latest security software that can help to combat this threat.
Studies at the University of Indiana demonstrate that hackers have the most success by using hijacked web addresses or e-mail accounts that appear to be real. Research has also shown that computer users have little knowledge of web site security certificates and, worse, they leave themselves open to attack with poorly configured routers or operating systems.
The term most often used when referring to the kind of threat that faces university online systems and servers is "spear phishing". It is a customized version of phishing in which the attack is focused on a community of computer users, such as a university campus. It is a legitimate threat that university IT officials should be concerned about. Many universities have experienced a significant increase in spear phishing threats over the past few years.
In most cases, it is simple to uncover spear phishing threats just by reviewing who sent you the message, in the "from" and "reply to" sections. Most often these sections will not feature a university address; it will most likely be a hotmail or yahoo address, or any other public account. Furthermore, the majority of these attacks come from outside the United States, so those familiar with phishing might recognize that the spelling, grammar and syntax are off, which may reveal a non-native English speaker who is not an administrator or professional at the university.
Another thing that universities should be aware of is hoax emails. Hoax email messages about viruses are common. Those at universities should know that there are many hoax messages circulating which suggest that reading an email as simply a message (instead of opening an attachment) can destroy your hard drive and other things on your personal computer. Hoax messages also include those that ask the computer user to forward the email to "as many people as possible." No genuine anti-virus information will suggest this to a computer user.
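The "from" and "reply to" review described above can be automated for triage. The following is an added example, not code from the original article; the campus domain `university.example`, the webmail list and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed values for this sketch: replace with the real campus domain and list.
CAMPUS_DOMAIN = "university.example"
PUBLIC_WEBMAIL = {"hotmail.com", "yahoo.com"}

def header_domains(msg, header):
    """Return the lowercase domain of every address found in one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return [addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr]

def is_campus(domain):
    return domain == CAMPUS_DOMAIN or domain.endswith("." + CAMPUS_DOMAIN)

def review_sender(raw_message):
    """Apply the From / Reply-To review to one raw message; return findings."""
    msg = message_from_string(raw_message)
    findings = []
    from_domains = header_domains(msg, "From")
    reply_domains = header_domains(msg, "Reply-To")
    if not from_domains:
        findings.append("From: no parsable address")
    for header, domains in (("From", from_domains), ("Reply-To", reply_domains)):
        for domain in domains:
            if domain in PUBLIC_WEBMAIL:
                findings.append(f"{header}: public webmail account ({domain})")
            elif not is_campus(domain):
                findings.append(f"{header}: not a university address ({domain})")
    # A campus-looking From whose replies are routed off campus is also flagged.
    if any(is_campus(d) for d in from_domains) and any(not is_campus(d) for d in reply_domains):
        findings.append("Reply-To: replies leave the campus domain")
    return findings

# Constructed sample messages (not real mail).
SUSPICIOUS = (
    "From: IT Help Desk <helpdesk@university.example>\n"
    "Reply-To: account.verify@hotmail.com\n"
    "Subject: Account verification\n\nConfirm your details by reply.\n"
)
LEGITIMATE = (
    "From: Registrar <registrar@mail.university.example>\n"
    "Subject: Spring enrollment dates\n\nEnrollment opens Monday.\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, review_sender(raw))
```

An empty result only means the visible headers look local. The From header can be forged, so this is a triage aid rather than proof that a message is genuine.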
This article is brought to you by the staff at University-security.com, the web's resource for campus and school security information.


