With a student, faculty and staff population exceeding that of many cities, the Cal State Fullerton community faces the challenges of preparing its IT infrastructure for the cybersecurity demands of today’s wired world. Tony Modiri ’91, head of information security for the campus, looks at how the university is staying safe and offers advice you can use, whether at CSUF or in your personal life.
When checking your campus email, you notice a message claiming to be from a faculty member a friend had as a professor a few semesters ago. It says your account will be terminated in a few days, but by clicking on the link, you can ensure continued access. By appealing to fear, the senders hope you will click on the link, only to find yourself on an unsecured site with no relationship to CSUF, where cybercriminals can steal your personal information.
Tony Modiri ’91 (business administration and computer science), Cal State Fullerton’s head of information security, is at the forefront of thwarting such attempts to hijack the campus’ digital networks for nefarious purposes. Under his leadership, the campus has stayed at the forefront of organizational security by building strong defenses against threats and preventing dissemination through the network.
Still, as hackers and other cybercriminals continue to evolve, it takes the participation of every member of the campus community – from faculty to maintenance staff to students – to recognize and act upon best security practices, all the while developing habits that can reap reputational, financial and security benefits in your personal life as well.
A Primer on Today’s Cyber Landscape
While you might feel anonymous while surfing the web, the interconnectedness of digital platforms means that your data and activities are actually accessible to outsiders.
“The internet is open by nature, and we want it that way,” says Modiri. “But this means that most computers are accessible from anywhere in the world, unless protocol is taken to prevent access.”
Whether looking at Cal State Fullerton’s security infrastructure or your home computer, the format is relatively similar. When accessing the web, information first goes to a router, then to an intrusion detection device dedicated to weeding out suspicious attempts, then a firewall, and finally local area networks (LANs) that segment a system into various parts to ensure that if one is compromised, the rest stays operational.
Though modern information systems contain basic security protection, hackers stay ahead of the curve through malware – software that is intended to disable, damage, pirate, or otherwise use your network and data without authorization.
“There are two main ways in which hackers breach systems,” says Modiri. “One is outsiders who use the software programs to get in. The second is when a user is up and running on their computer and clicks on the wrong thing.”
Common forms of attack today include ransomware, which encrypts a user’s files and then demands money to regain access; adware, which directs unwitting users to the hacker’s desired for-profit promotions; and broader phishing or targeted spear phishing campaigns seeking access to confidential data.
“Hackers have evolved from doing it for the thrill 10 years ago to doing it for money,” says Modiri. “Also, cyber defense and offense has now become the frontier of every military.”
As cyber scams become more elaborate, it is more critical than ever to develop your IT security IQ. Phishing emails now often use your organization’s logo or bear the name of an associate, and the stereotypical bad grammar and spelling are not always present.
Following are some ways to stay safe, whether at CSUF or in the broader world.
Avoiding Phishing Scams
- Always check the email address that a message has come from. Phishing attacks against CSUF have often come from outlook.com, gmail.com or other third-party sites, rather than fullerton.edu addresses.
- When a message contains a link, hover over it to see where it is leading. If it does not direct to the anticipated organizational web presence, be wary.
- Did your boss or professor really ask you for $100? Out-of-the-ordinary messages appealing to urgency or fear need to be critically reviewed. If in doubt, check with the person claiming to be the sender to ensure that it is a legitimate message.
- If you are the victim of phishing, tell law enforcement as soon as possible, as there is a slight possibility that you might have the opportunity to recover your money if the situation is caught early. Plus, knowing what happened helps the authorities catch the offenders.
Keeping Your Files Safe
- Know the difference between confidential and publicly available information. The CSUF campus uses three levels for data – Level 1, which includes passwords, financial or medical information meriting the highest level of protection; Level 2, such as student GPA data that is of an intermediate privacy level; and Level 3, which is public information such as course times and locations or staff directories. Most organizations outside of campus have similar classifications.
- When dealing with files with confidential information, use password protection. This will automatically encrypt the files, and if another person needs to see them, they can open them with the password that you give them.
- Use Dropbox for less confidential files. By using this cloud solution, you don’t have to worry about your computer crashing or a malware attack disabling your system. As a side benefit, you can access your files wherever you need them – whether on your home computer or while on vacation half a world away.
Securing Your System and Devices
- The rise of the internet of things (IoT) means that there will be almost 50 billion connected devices worldwide by 2020, from appliances to toys to clothing. “Most of these devices don’t have any regulation, so no security is required,” cautions Modiri, who also points out that without the ability to receive updates, many of these objects will be obsolete in a few years. Before buying, find out if the device has security and privacy capabilities. Be sure to have these enabled if they are available and don’t make the purchase if they aren’t.
- Don’t enable auto population of passwords and other sensitive information. That way, if you get hacked, your email and other accounts won’t be as easily accessible.
- Choose an email provider that supports the best privacy and security. Outlook is the best, Gmail is an intermediate choice, but Yahoo might be good to avoid due to breaches.
- Ensure your home’s internet is not wide open to passersby and the neighborhood. Check your network settings to keep it limited to your property.
- Use the GRC Shields Up tool to assess your internet’s vulnerabilities. Generally, nothing should be open to those whom you have not given access.
- Have trouble remembering all your passwords? Consider using a password manager, a secure safe where you can keep your passwords for easy use, needing only one strong one to open the platform. A good option is LastPass.
- Remember that passwords must not be simple or have the same format across your accounts.
For More on Staying Safe Online
For more on information security as a member of the CSUF community, visit the Information Security Office online. From phishing recognition quizzes to policies and standards, the site is a must-visit for anyone using the university’s networks.
Have a specific question or see something that doesn’t seem right? Reach out to firstname.lastname@example.org or 657-278-8888 if you’re a student or 657-278-7777 as a faculty or staff member.