College cybersecurity survival guide

College cybersecurity survival guide

As students, teachers, and educational admins gear up for the school year, they should have more than new books and a fresh wardrobe in mind. Higher education leaders at EDUCAUSE said that their top IT concern for 2016 is information security.

According to DataLossDB, of the nearly 1,500 security breaches that happened in the United States in 2015, 9 percent were aimed at education institutions. Even top-notch schools such as Harvard University, University of California-Berkeley, and Massachusetts Institute of Technology have been victims of attack in recent years.

The reason for this? The goals of higher education—to share ideas and collaborate, to communicate with thought leaders around the world, and to expand minds through research and development—are not easily met through tightly-guarded networks. Instead, universities need open networks—some of the most open in the world—to accommodate the students, faculty, and visitors that come and go.

But more devices means more potential problems. In most corporate environments, devices are distributed and managed by IT, and networks are closed in order to safeguard intellectual property and data. Whereas in higher education, a constant stream of new faces bring their own personally purchased and managed devices.

That means the network’s safety is often determined by the security software that students, faculty, and visitors have equipped on their own devices—and how safe their web-browsing habits are. With a smaller budget for IT needs and a growing concern for hacking attempts, universities are having difficulties keeping up with buying and trying next-generation security tools to combat the latest threats.

Now, don’t think they aren’t trying to protect you. Universities do what they can to protect their network. Some examples of precautions already in place are traditional antivirus solutions on student workstations, password policies, and two-factor authentication. Universities also notify students and faculty when suspicious emails are floating around. Most schools will require you register each device so that they can keep record of all endpoints on their network.

Some schools are even using tools to monitor student and faculty browsing habits. According to the New York Times, the president of the University of California recently installed hardware and software in its data centers to “monitor patterns of digital traffic, like what websites are being visited by faculty and students, or telltale signs of cyberintruders.”

Why care about securing your computer on university networks?

Not taking proper security measures on an open network leaves your personal records vulnerable, ranging from academic history to financial aid records. Some of the biggest threats to cybersecurity within colleges are coming from those inside the network downloading, installing, and clicking on malicious programs and links they shouldn’t. Jean-Philippe Taggart, Senior Security Researcher at Malwarebytes, recommends you “treat the school network as potentially hostile.” Some of the dangers you might encounter on an open university network include:

Ransomware. You don’t want to fork over money to get your term paper back.

Ransomware will encrypt your data and hold it hostage until you pay a ransom. With access to such rich and sensitive information generated by university students and faculty, ransomware actors might think they’ve struck gold. They can deliver the ransomware in creative ways, such as through malvertising and spam emails, to manipulate unsuspecting students and faculty. If your files are only saved on your hard drive or other networked devices, this makes them more susceptible to an attack. This year a Canadian university paid $20,000 to ransomware actors that infected over 100 computers on their network, and last year the FBI reported that ransomware actors raked in more than $24 million dollars total (and that’s only from victims that reported it).

Online piracy. You might get caught by your school. Or you might infect your computer with malware.

Many colleges have strict policies regarding downloading unauthorized content. Typical punishments include a trip to the dean’s office and having your Internet connection disabled for a period of time. There’s good reason for these procedures. According to the U.S. survey conducted by Princeton Survey Research Associates International in 2011, 70 percent of people ages 18 to 29 have acquired unauthorized music or video files, with all other adults reaching an astonishing 46 percent. That’s a lot.

And why are colleges concerned about unauthorized content? Pirating websites and peer-to-peer sites often expose your system to malware and viruses. And not only are you exposing the network to infection, the Higher Education Opportunity Act of 2008 states that if colleges and universities don’t effectively try to prevent piracy on their campus, they have the possibility of losing federal funding. Think about that the next time you download the latest episode of Game of Thrones from a torrent site.

Additional malware. Internet threats do not check their malicious intents at the campus gate.

Just because you’re in a slightly protected bubble at school doesn’t mean you can’t catch the same mean malware infection you could contract at home. Campus networks are susceptible to the same pitfalls that trap all Internet users, from spyware to adware to malvertising. Resulting infections run the gamut, whether you’re being bombarded with pop-up ads or having your personal information stolen by keyloggers.

With IT resources spread thin at colleges, plus open networks encouraging threat actors to engage, it’s on you to protect your own devices. Follow these steps to stay secure at school:

  1. Back up your files. Store them in a place you can access from any location, whether you’re in a dorm room or home on break (the cloud, a flash drive, an external hard drive, DVD, etc.). And for those wanting to secure their data even further, backing up files in two locations ensures double the protection. Backing up files to the cloud (or other unconnected devices) safeguards against ransomware attacks because even if the school computer you save all of your files on is breached, you can ignore the ransom demand (and then take other actions to clean the malware from your computer). Then, you can simply restore your data from backups.
  2. Change your passwords. Do this regularly, and never have the same one across multiple websites. When a browser prompts you to “remember this password” after logging in to a site for the first time—don’t. Saved passwords are easy to trace and make it easier for the bad guys to gain access to your login information.
  3. Be aware of malvertising. These malicious ads can pop up anywhere, even in trusted sources you’re using for research. What’s worse, they can infect your computer without you ever clicking on them. To protect against malvertising, make sure your software is updated (patched). For instance, an unpatched Adobe Flash plugin can allow exploit kits to load when the ads load. These exploit kits often deliver ransomware. For additional protection against malvertising, you can enable click-to-play plugins on your web browser, which keep Flash and Java from running without your consent.
  4. Avoid torrent or P2P sites and unauthorized downloads. Often, these sites host malicious software. If you do use a torrent site, ensure what you’re downloading isn’t malicious. Read editor and customer reviews carefully, Google the product name, and if you’re still not sure, you can scan the files before you download them.
  5. Don’t stay logged onto websites. Whether it’s a health insurance provider, student loan page, or bank, make sure you sign out of a website that contains your personal information. “Someone could come in and snoop if you stray from the workstation,” says Taggart. It’s not enough to just close the browser tab or window. If you don’t log off from a public computer, a person with enough technical know-how could access login information from session cookies and sign into a site as you.
  6. Watch out for phishing attempts. These incredibly real-looking emails can deliver some awful endings. Don’t open any emails from people you do not know, and definitely don’t click any suspicious links. It’s a popular tactic for cybercriminals to target university email addresses because recipients are unalarmed by receiving emails from “other students” or “IT staff.” According to the Center for Digital Education Network Security Survey, 70 percent of educational leaders expect spam and phishing attacks to continue in the coming years.
  7. Install your own router in your dorm room (if it’s allowed). Many schools will not allow you to have your own router so that they can monitor traffic themselves. But if you have your own, it creates a private network where only your traffic is allowed and “it adds an additional hurdle for the attacker,” says Taggart. If you can have one, be sure to turn off guest access so that it is limited to only your use. Also, change the default password on the router. Some of these default passwords are easily discovered through a quick Google search.
  8. Have a strong security toolkit. Including but not limited to: a firewall, antivirus, and additional layers of protection such as anti-malware and anti-exploit software. While a firewall helps block unauthorized access to your system, an antivirus program can protect you from spyware and malicious software accidentally downloaded from torrent sites. Additional security layers, like Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit, ensure your computer is guarded from the advanced threats such as ransomware and potentially unwanted programs like adware.

Universities don’t have the funding or the man power to secure the thousands of individually-owned devices at the levels required to defend against today’s threat landscape. With the right know-how, you can help protect yourself on open networks and continue sharing important ideas—safely.

ABOUT THE AUTHOR

Sarah Enderby

Contributor

I am the millennial no one's ever heard of—the exception that proves the rule.