This is shaping up to be a pivotal year in the political direction of the United States, with rhetoric and outrage increasing in volume on both the left and the right. The same is true here in North Carolina, and the high stakes of the upcoming elections mean that anyone with an email address is being deluged by solicitations from candidates, political parties, lobbying organizations, advocacy groups, “blue” interests, “red” interests, ad infinitum.
All these messages combine into a noisy blur that can camouflage hacking attempts such as phishing campaigns and targeted spear phishing efforts to compromise account information or commit outright theft of intellectual property. These efforts are persistent, adaptive and perpetrated by both unscrupulous humans and automated systems, meaning everyone is a potential target, if only to provide access to something larger or compromise a greater number of accounts.
Universities and colleges represent a plum target, especially those that have leveraged their R&D to attain medical breakthroughs, create new technologies, acquire and exploit patents, and spawn startups and other for-profit endeavors. In the context of this conversation, the Triangle is a target-rich environment. Besides the big three of Duke University, North Carolina State University and the University of North Carolina, there are an additional 12 universities and more than 10 colleges in the Triangle area. Together they’ve spawned a vast array of school-affiliated analytics institutes, biotechnology centers and technology incubators.
Certainly the number of administrators with the “keys” to the IT infrastructure of these institutions is small, yet the sheer quantity of schools and affiliated enterprises comprises a significant number of potential targets for hackers and other bad actors.
1. Password protection in plain English, mostly.
The first and arguably the most effective barrier to hacking is a robust password protocol. We’ve gathered the latest Best Practices on password security that may help the administrator of any institution or business sleep a little better at night.
The first advice regarding passwords is familiar to most of us: Make them at least 12 characters long, make them very random, don’t reuse them, and share them with as few people as possible. These factors represent the lowest bar. What follows are tactics that may be better choices for your educational institution or business organization.
2. Use a passphrase instead of passwords.
See this great comic for the idea: https://xkcd.com/936/
This gambit calls for using something like “ring_palace_parade_interesting” instead of the common but flawed practice of swapping certain numbers for some letters and adding other “sneaky” ways of making a password look more complex. To a human the “sneaky” ways look effective, yet in actuality those tactics don’t add much of a challenge to modern cracking software, which tries the common substitutions first. Also, a passphrase is a lot easier to remember and to type. That said, there are differing schools of thought on this one. Software written specifically to defeat passwords has become increasingly sophisticated, and some consider passphrases a less-than-robust password protocol.
3. Consider two-factor authentication.
If a service offers two-factor authentication, and you don’t need to share access with multiple people, use it. This typically means that in addition to your password you will also need to enter a one-time code that is either sent to your phone via SMS or is generated by an authentication app when logging in. This means that even if someone gets hold of your password, they can’t log in because they have no way to obtain your one-time code. These codes change every 30 seconds (or as soon as one is used, depending on the system), so even if someone sees an old one, it’s no good for future use. This makes hacking an account significantly more difficult. Both Facebook and Twitter offer two-factor authentication for their users’ accounts.
https://www.authy.com/tutorials/add-2-factor-authentication-facebook/
https://support.twitter.com/articles/20170388
Google’s version of two-factor authentication is called 2-Step Authorization, which also sends a code to your mobile phone allowing you to access your account from the computer you’re on. However, you may be unable to connect to your account with a non-browser application or device, such as a Gmail account on a phone, or via Outlook. Google’s fix is to generate an application-specific password to link your device with the target application. You must do this with each device, but only for the initial use for that device or application.
https://support.google.com/accounts/topic/28786?hl=en&ref_topic=3382253
4. The next big thing: Security Key Devices and U2F.
In 2012 an initiative was launched to create a formal, open, two-factor authentication standard known as U2F (Universal 2nd Factor) accessed by a specialized USB security key device (that fits on a keychain, naturally) or via NFC (near field communication). Created by Google, Yubico and semiconductor manufacturer NXP, U2F is hosted by a non-profit industry consortium known as FIDO Alliance (FIDO is an acronym for Fast Identity Online). FIDO’s stated mission is to perfect and evangelize an open, scalable, interoperable set of mechanisms to reduce reliance on passwords for user authentication and to establish standards and programs that will ensure worldwide adoption.
Currently the only browser that natively supports U2F is Google’s Chrome. Mozilla is in the process of integrating U2F support into Firefox, but there is an add-on available that will allow you to utilize U2F right away. Microsoft is working on support for FIDO 2.0 for its Edge browser and Windows 10 but apparently will not be playing nice with anything coming out of the Googlesphere. U2F keys can also provide two-step verification for Google accounts and for services like Dropbox, GitHub, GitLab and Bitbucket. Yubico pioneered these security keys, but other manufacturers have emerged, and the keys are relatively inexpensive and available globally.
5. Establish a formal out-processing policy before you need it.
When an employee leaves, make sure your out-processing includes changing any passwords to which the employee had access. Also keep in mind that some systems allow you to assign access to other accounts, so be sure to check linked accounts. Establish and maintain a list of all such systems and passwords before you need to change them so the process can be accomplished quickly.
When should you reinforce your institution’s system security? Survey says… yesterday.
One only needs to search “hacking attacks worldwide” to induce a paranoia attack. The prevalence of hacking attempts has risen globally and will continue to do so. Unfortunately, there is no single magic-bullet solution for protecting your systems from hackers—not with multiple competing operating systems and browsers accessed from fluidly linked desktops, laptops, tablets and mobile devices.
Universities, colleges and corporations, especially those with affiliated high-value business enterprises, must examine their circumstances and put in place password protocols and tactics that safeguard their systems, and maintain a watchful diligence. The unfortunate fact is that the unscrupulous are a diligent bunch, and administrators must make it a priority to actively monitor, audit and upgrade their online security regularly.