Dozens of hackers filled McNamara Alumni Center, programming past cyber defenses to capture vital information.
They weren’t real hackers and it was just a game, but the scenario is based on millions of real cyber threats that occur as spam, phishing and hacks every day. Cyber threats have become more commonplace and dangerous in the past decade, according to the FBI.
While cyber threats are growing rapidly, officials say the University of Minnesota’s networks and systems are safe.
The University has its own cybersecurity programs and systems, but also contracts out security protections for companies to manage, said Brian Dahlin, Office of Information Technology security and assurance director.
Symantec blocked 5.5 billion attacks in 2011, according to the company’s Internet Security Threat Report. The University offers Symantec Antivirus to each student, faculty and staff member for free.
President Barack Obama signed an executive order last month identifying cyber threats as “one of the most serious national security challenges we must confront.”
The order outlined how the government will work with businesses to improve cybersecurity for everyone, saying the only way to address these threats is to work together.
U practices
Massoud Amin has been predicting since 9/11 that cyber threats would evolve, becoming more malicious and prevalent.
Before becoming director of the University’s Technological Leadership Institute, Amin directed the development of more advanced and cyber-secure infrastructure for the country at the Electric Power Research Institute.
The University offers three master’s degrees in technology management and security technologies, which focus on making organizations’ information more secure.
Amin said the University’s responses to cyber threats are agile.
“When you look at such a large enterprise,” he said, “I’m very impressed at how quickly colleagues at the U localize the threats … to make sure it doesn’t become a large-spread phenomenon.”
But it’s often the “weakest link” device that threatens the cybersecurity of an organization, Amin said, so everyone needs to be as prepared as possible.
If a device becomes infected with a virus, Dahlin said OIT works with the person to fix it. Often, OIT staff members take it off the University’s servers or Wi-Fi to prevent it from compromising the network, he said.
Then OIT finds what the virus infected and what information may have been taken. It helps update the device’s antivirus program and any other necessary programs.
Dahlin said OIT also informs anyone else whose information was taken, if needed.
If a device is infected or is acting suspicious, Dahlin said to notify OIT by calling, emailing or going to Tech Stop.
While the University doesn’t have OIT employees trying to hack the system to test its security, Dahlin said credit card companies require “penetration testing” of financial systems. He said the University hires outside companies to test these systems.
The University also contracts out spam protection. More than half of the 2.5 million messages University accounts receive each day are spam and aren’t delivered, according to OIT data.
Dahlin said different companies offer varying levels of protection, which the University can negotiate. For example, the University negotiated for increased protection with Google, since their large contract covers Gmail and other apps.
Dahlin said the University has to vet these companies, but cloud solutions, for example, can often provide better security because they specialize in it.
“You’re trusting somebody else to provide security to you,” he said, “so there’s a level of contractual things that need to be addressed.”
Varying perceptions of safety
Adam Beal, economics and statistics senior, said he doesn’t do sensitive online activities like banking on University networks — he uses his Internet connection at home.
An average of 65,000 devices access University networks each day, according to OIT data. But Dahlin said the number of people on the network isn’t a concern.
The challenge, he said, is that people don’t secure their own devices, which can infect the network if they get a virus.
“That certainly makes things more challenging from a security perspective,” Dahlin said, “and it requires greater responsibility on the individual to ensure that the things that they have are secure.”
Beal said he feels there’s a “willful ignorance” in not thinking about cybersecurity because some people will inevitably get hacked while the majority won’t.
“We’re all so exposed,” he said. “Any determined hacker will get in anyway.”
Amin said as advanced as technology becomes, it can’t make up for lacking adaptive policies and procedures.
The future of cybersecurity will include automated software, Amin predicts, that will detect and respond to threats before they can infect the system.
Protection programs today only monitor past threats. Amin said once a virus infects a system, programs have to “play catch-up” to fix it, and this needs to change.
“Our security is something we take for granted, until we lose it,” Amin said. “It’s important to be prudent — not to be fearful — but to be a smart user of the services that we’re offered.”