With activities resuming on campus, many of us might wish to leave thoughts of computer networks, account logins and virtual meetings out of mind. But Sam Horowitz, UC Santa Barbara’s chief information security officer, urges us to continue minding our digital hygiene. “It doesn’t matter whether you’re working at home or working at the office,” he said; “all of these basic security practices apply to your personal life as well as your work with university computers.”
October is Cyber Security Awareness Month, and IT experts want to highlight four themes this year: social engineering, phishing, ransomware and multifactor authentication.
Social engineering is the use of deception to manipulate people into divulging confidential or personal information. It’s a broad term that has many manifestations. “Everybody is susceptible to social engineering,” Horowitz said. “It can happen when the telephone rings; it can happen when the text message comes in. The most common way it happens is when an email comes in.”
Phishing is one variety of social engineering that involves email. A criminal posing as a trusted source uses an email to extract an individual’s personal information or infiltrate their computer with malicious software, called malware. Horowitz’s advice: Don’t click links or open attachments unless you know the sender. When in doubt, confirm with the individual by phone or in person.
Students are often bombarded with fake job offers, while staff might receive suspicious emails purportedly from their supervisors or campus leadership. “Every single year, I hear about students or staff who respond to a phishing email and wind up losing money,” Horowitz said. At that point, there’s little the victim can do aside from filing a police report and hoping that their bank or insurance agency will mitigate the damage.
Phishing emails can also be used to deliver ransomware, a type of malware that scrambles computer data so it can’t be read. The software’s creators then hold the data for ransom, charging the victim to unscramble it. Unless you pay the ransom, or have a good backup, the data is lost.
There are two kinds of ransomware: the kind that affects personal systems and the kind that targets entire sections of an institution. Colleges and universities have become popular targets for these criminals. There were at least 26 ransomware attacks involving colleges and universities in 2020.
Multifactor authentication (MFA) adds another level of security to our activities, preventing malicious actors from accessing profiles and systems even when information becomes compromised, such as through phishing attacks or simple password reuse. On that note, you should never use the same password for multiple services or websites.
MFA secures information using not only what you know, but also what you have. A familiar example is withdrawing money from an ATM: What you know is your PIN, and what you have is your bank card. In this way, MFA protects accounts against breaches even when passwords are compromised. At UCSB, what you know is your password and what you have is usually an app on your smartphone.
UC Santa Barbara has implemented MFA for a variety of services, most recently for the university’s virtual private network, or VPN. The protocol is gradually coming to almost all facets of our digital activities on campus. Horowitz recommended students, staff and faculty use multifactor authentication even for their personal accounts.
Although where we work, teach and learn may be different this year, good security routines haven’t changed. “These basic security practices are timeless and placeless,” Horowitz said.