Cybersecurity has become a hot topic at Cornell recently. For instance, you may have noticed options for “Two-Step” or Dual-Factor authentication in Cornell’s central login service. There have been increased reminders about “Don’t Click That” and other internet hygiene tips. The Cornell Policy on Information Security has been recently revamped. The Research Division and CLASSE are being included in discussions with ITSO – the central IT Security Office.
Why is this interesting to CLASSE employees?
Standard Cybersecurity Concerns
If you ask Cornell’s ITSO, they will tell you that all of the standard cybersecurity concerns apply to CLASSE – malware, defaced websites, hacked databases, stolen data, and reputational risk among others. You’re no doubt aware of these sorts of incidents: high profile examples unfortunately make the news on a regular basis. The impact of an attack can vary widely depending on many factors.
CLASSE Cybersecurity Concerns
Many of the issues above don’t exactly apply to CLASSE, and it’s understandable why many of the ITSO and industry security notices seem irrelevant to CLASSE users. Here at CLASSE, we don’t store or use confidential data (credit card numbers or SSNs). There’s little to be gained in stealing our files – most are either uninteresting or will be published publicly anyway. There may be some reputational risk, but only if CLASSE has a high profile, public breach (such as a defaced main website).
Main risk – Availability
The main cybersecurity risk to CLASSE is loss of availability. If a database is destroyed, you may be unable to manage users and proposals. A malware attack can take your computer offline for a few days while CLASSE-IT notifies ITSO and rebuilds the operating system, software, and configuration. Ransomware could encrypt, delete or destroy any and all files your account has access to, stopping your work in its tracks. If your e-mail account is hacked, all your stored e-mail could be deleted, and you may be blocked from getting new messages.
Think about what each sort of issue would mean for your projects and work here at CLASSE. The impact could range from an inconvenience to a potential catastrophe. These are the cybersecurity issues CLASSE-IT is concerned about, and all CLASSE members should be as well.
CLASSE-IT is the first line of technical defense for CLASSE security problems; we take this issue seriously, and our baseline infrastructure and client configurations have taken steps to limit these threats for many years.
Operational Security
However, the main threats these days are not purely technical — they require a computer user to take some action to achieve the compromise. You’re no doubt aware of “phishing” emails that contain malware — this malware gets installed when you click on the link or attachment in the email. Or “spear phishing” emails that look legitimate but take you to fake websites that try to steal your CLASSE or Cornell credentials. Cornell has provided lots of training, videos, and other content to help users avoid being phished. Please take a moment to become familiar with their security site: http://www.it.cornell.edu/security/ Pay attention to the Phish Bowl and Verified Communications links on the left hand side of that site, and peruse the rest of the content.
Design Security
Even though phishing is now the primary cause of infections, there are still technical risks that we must mitigate. That’s why there are updates and patches seemingly all the time. It’s important to realize that as new computer services, programs, and resources are developed or deployed at CLASSE, their design directly impacts how secure they can be.
Consider something as simple as sharing your CLASSE account credentials to allow an external user to transfer data (rather than giving that user a separate account). Once you share your credentials, you’re trusting someone else to not misuse or further share them. CLASSE allows logins from around the world, so once your credentials are exposed, they can be used from anywhere for anything you could do until you change them. Not only does this risk your account, but it potentially gives an attacker a foothold in the CLASSE IT infrastructure, with which they can then attempt to “pivot” to other computers, both inside CLASSE and in the rest of the Cornell network.
A less obvious issue is third party software, from FLOSS (Free/Libre Open Source Software) tools to purchased software. When we install any piece of software, we’re trusting it to do what it says. However, any software downloaded from the internet has the potential to be a “trojan horse” – something that appears to be benign but is actually malware. This is less likely for major software products, but the less well known a package is, the fewer people there are who are looking for issues. Sometimes, download sites can be compromised and legitimate software links are replaced with malware. Or, the attacker still provides the original software, but with “a little something extra” hidden from you. Even aside from actual malware, many software packages contain bugs, and some of those bugs can then expose a computer to additional attacks.
This is one of the reasons we have to carefully consider any software we install. Each program adds another potential vulnerability as well as another item to check for updates, and plan for patches.
What to do?
Be vigilant when opening emails, especially those that you’re not expecting and that ask you to take actions like logging in to your account. Don’t click on links if you don’t know where they go – see Cornell’s IT security site or contact CLASSE-IT for help if you’re not sure about any messages you do get.
When thinking of new computing services you’d like to see or new programs you’d like to use, think of ways the configuration you’re considering could be attacked and how we could mitigate those issues. Get CLASSE-IT involved early in software selection decisions so we don’t have a security albatross that we then must try to mitigate later on.
CLASSE-IT Wants to Know
If you have questions about cybersecurity at CLASSE or are worried about how some computing system(s) are configured, please contact us. And if you want pointers to more information or specialized training, please contact us.
Together, we can work to prevent any loss of availability or functionality of CLASSE computing systems.