LAWRENCE — When students, faculty and staff are working and learning on campus at the University of Kansas, all traffic goes through the Jayhawk network and is behind the campus firewall, making it easier for KU Information Technology Security Office (ITSO) staff and security systems to protect people and data. However, the COVID-19 pandemic has pushed much of the work and learning off campus.
“Since COVID, our network border has scattered to the winds along with our students, faculty and staff,” said Julie Fugett, KU chief information security officer. “The firewall is the traditional point for us to add new protections, so we are having to get creative to meet our users where they are.”
The network border is the line of demarcation between the campus network and the outside world. The firewall essentially acts as a gatekeeper; it monitors and controls incoming and outgoing traffic according to established security rules.
Network security at KU was already a big job, and now it is bigger because the shape of the network — the shape essentially being the representation of all of the locations of all the people who are accessing it — has morphed so dramatically. And remote work has required some KU employees to adapt to new tools. For example, many more KU employees now must use the KU Anywhere virtual private network (VPN) to access the KU resources they used to access easily while working on campus. The good news is that traffic between employees’ remote locations and KU via the VPN is encrypted.
“The VPN secures traffic between you and the KU network,” Fugett said. “But the traffic between you and the internet may or may not be encrypted.”
The IT Security Office team and partners in networking, email and other areas plan for potential cyberattacks and protect KU students, faculty and staff on and off campus. And the stakes are getting higher.
“The big threat right now is ransomware,” Fugett said. “The FBI saw a 37% increase in reported ransomware attacks between 2018 and 2019 and a 147% increase in financial losses due to ransomware in that same timeframe.”
Even though media tend to focus on ransomware attacks that affect large organizations, individuals are also very much at risk. According to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security, “Anyone with important data stored on their computer or network is at risk.”
Underscoring that fact, a ZDNet story from earlier this year noted that one of the more famous ransomware programs, WannaCry, which was first reported May 12, 2017, typically “demands $300 in bitcoin for unlocking encrypted files — a price that doubles after three days.” A ransom note on the user’s screen also threatens to permanently delete their files if the ransom isn't paid within a week. To illustrate the reach of this attack, more than 300,000 victims in over 150 countries were targeted in the course of one weekend.
Fugett said hacker crews have become very active during the pandemic, employ diverse toolsets and are “really taking advantage of people being away from their corporate or campus networks.”
The U.S. Treasury Department has begun monitoring ransom activity. If you are targeted, you might not be able to just pay the ransom and move on with your life. According to the U.S. Treasury Department, paying ransoms could mean you are indirectly funding terrorism, human trafficking or other nefarious activities. And that could mean you are in violation of sanctions law.
In July of this year, Garmin’s network was compromised and its files encrypted by hackers. The company could not restore from backups and paid the attackers, who turned out to be Russians.
“Garmin was the first in this new era under the Treasury Department’s advisory,” Fugett said. “They got a pass, but whoever is next likely will not.”
How KU IT is continuing to evolve
To manage the changing threat landscape, Fugett and her team are taking several steps. Some of their efforts have been underway for a while, and some are more recent.
KU IT has migrated all campus email to Microsoft’s cloud platform, which comes with a suite of security tools. Additionally, KU IT is enhancing the security of its own servers and decommissioning some that are out of date.
Another step forward is the impending rollout of LastPass, a cloud-hosted password manager that all students, faculty and staff can access. LastPass features an encrypted archive, comes with a complex password generator and can sync across multiple devices. It also checks the dark web for personal information. This means LastPass searches the hard-to-access websites where hackers trade and sell people’s personal information — email addresses, passwords, bank account and credit card numbers — to see if its customers’ information is out there.
KU’s LastPass license will allow students, faculty and staff to store both personal and work passwords in separate archives, making the tool all the more useful and helping further secure individual and KU accounts separately, which will reduce the risk of a broad intrusion if one account is compromised.
A change in IT security philosophy
The IT Security Office has traditionally operated as a centralized “security shop” within KU IT, working with other IT teams and KU at large to help secure KU assets and protect students, faculty and staff. Now, Fugett and other leaders in KU IT are working on a new vision of security within the department. To encourage closer working relationships, the plan is to train a member of each IT team in essential cybersecurity techniques so that security is on the mind of every team and is central to everything they do.
Even with this new vision, security will always be a collective affair. All members of the KU community have to do the best they can to ensure their personal networks and equipment are safe and secure in order to protect themselves, their friends and colleagues and the campus community.
October is National Cybersecurity Awareness Month. It does not take much effort to #BeCyberSmart, and KU IT offers many of the tools you need to be secure. Follow KU IT on Twitter, Facebook and Instagram for cybersecurity tips and news.