August

Gone: Phishing

Mike Hart explains how IT Services is adapting to stay one step ahead of tech threats and cyberattacks.

By Lindsey Coulter

August 6, 2018

Persistence tends to pay off for cyberattackers. Cybercriminals who specialize in phishing have cleaned up their grammar and put a professional spin on their product, and are hoping you take the bait.

Since Metropolitan State University of Denver was hit with two waves of phishing attacks in late June (hackers see the end of a fiscal year as a prime opportunity), the University’s Information Technology Services team has implemented a number of new tools and approaches to keep campus users and information safe.

Mike Hart, director of security, infrastructure and network services?, shared how ITS is responding.

What did ITS learn from the June malware attacks?

Unfortunately, we found that some malware is not being caught by antivirus programs because it is not a program or an application; it’s a macro embedded inside of an Office document. That old-school form of malware is now resurging because it’s not as easy to catch with the advanced malware tools.

We also learned, however, that lot of employees are very appropriately skeptical. Even though an email looks like it’s coming from someone in their department or from Accounts Payable, they know they shouldn’t just click on links or attachments.

How has ITS changed its approach to safety since the attacks?

We have a large number of projects ahead of us to implement advanced security features, but we want to test them and make sure they are compatible with how people do business.

We have made changes to our environment to make it more secure. We’re no longer automatically enabling certain types of sharing or connections between devices – especially on the wireless network – which helped stop the malware from spreading.

We also implemented advanced threat-protection features such as Microsoft’s Safe Links and purchased specific advanced threat protection for sensitive devices like servers and high-risk work stations. For people who were targeted by the malware, we removed elevated administrative permissions and local administrative rights, even within IT.

Since phishing emails are often looking for credentials, we are also testing multifactor authentication. For example, if a cybercriminal gets my credentials, the user name and password won’t get them into the areas that are protected with multifactor authentication. It will take us a little while to get that rolling for the entire campus.

How did preparation pay off?

We had good monitoring solutions in place. Shortly after the attacks, we were able to successfully identify the indications of compromise and respond quickly to shut off access to and from the buildings that were impacted so the attack couldn’t spread.

How do you keep pace with the changing nature of attacks?

We have our IT Services staff attend different types of training and then come back and share information with others in IT Services. We also have recurring meetings internally and with the larger campus community about security issues and trends, and how to best protect our data and systems.   

We’re also part of an information-sharing group for higher-education institutions, and we quickly and openly share information about incidents, trends or spikes that occur — as well as ways to respond and lessons learned.

How does ITS process alerts forwarded to spam@msudenver.edu?

Users should receive an automated response, but we generally don’t respond directly unless there is a compromise or infection that requires isolating a machine.

There are also a lot of duplicates when it comes to spam. If we received 1,000 email alerts, probably 80 percent are duplicates or are using a similar link. In some cases, it’s just generic spam and advertising, but when it is malicious we either block access to those sites from our network or we see that the sender is a known malicious actor and block the site.

Can users tap into any of these protections while working off-campus?

If you take your laptop home and log in through a Comcast or CenturyLink, you’re not being protected by our systems unless you’re connected to our Virtual Private Network service. If you’re logged into your Office 365 account, the Safe Links feature and some of our blocking will work, but unfortunately we can only concentrate our defenses around the campus.

If you have any questions about security, please contact the Helpdesk at 303-352-7548 or support.msudenver.edu.