Universities face cyberthreat pressures

Story by Didi Martinez | Digital Managing Editor, Video by Jessica Babb | Broadcast Managing Editor

College campuses have become hotbeds for cyberattacks as hackers seek to infiltrate student accounts and gain access to university information.

Since April 1, Baylor has reported that more than 2,000 student accounts have been compromised through security breaches, according to Jon Allen, Baylor’s chief information security officer.

“The thing we’ve been struggling with the most is phishing,” Allen said, referring to the Baylor email lookalikes that have circulated around campus. “We’ve really been implementing a lot of tools to try to knock down on the number of those messages coming through and if your password is compromised, making sure that the impact of that is much less.”

However, a two-factor authentication system has yet to be put in place for university email accounts, a complaint Allen said the ITS department is well aware of.

“We didn’t do two-factor on email yet because that wasn’t the highest risk and the biggest concern,” Allen said. “Academic processes, Canvas, Box, where we store files and things. Those were very significant concerns from an institutional risk perspective.”

That being said, Allen said it is “highly likely” that students and faculty will soon be required to use two-factor authentication to gain access to their email accounts. In the meantime, Baylor ITS is using a tool called Microsoft Advanced Threat Protection, which rewrites phishing website URLs and makes them inaccessible.

Compared to the recent Equifax and SEC data breaches, it may seem like institutions of higher learning would be considered “small fish” for potential hackers. However, Dr. Jeff Donahoo, a Baylor computer science professor who specializes in networking and cybersecurity, said there’s plenty to gain from hacking into university systems.

“The university has all sorts of personal information that I can then use to impersonate a student and get a car loan or get a credit card,” Donahoo said.

Because a variety of consumer accounts allow individuals to recover passwords through security questions, seemingly useless information could be worth a lot more.

“Information is valuable because I could use it to impersonate and then through impersonation, I could steal all sorts of stuff,” Donahoo said.

Earlier this year, Recorded Future, a threat intelligence firm, set out to notify more than 25 U.S. universities that a “Russian-speaking hacker” was selling unauthorized access to their systems. Baylor University was not one of the universities listed for this threat.

Baylor has yet to detect any major incidents to its systems, Allen said. This, however, doesn’t mean that the university is letting its guard down.

“Universities are set in a very unique position in that space,” Allen said. “We have lots of resources, we have really good technology and so while we may not always be the direct target, we could always be leveraged for another attack because a lot of times we’re trusted organizations. And so there’s multiple reasons why we could be targeted and multiple groups who may target us as well.”

On Friday, the university held a Cyber Day for the Baylor and Waco community. It included a panel discussion with industry leaders who echoed similar concerns for the state of consumer privacy online.

“We are all under constant attack,” said Nita Awatramani, Verizon’s senior manager for enterprise identity and access management. “Up to now, people have been acting out of a place of fear. Don’t become numb, but don’t become paranoid. There’s constant risk you’re going to have to take.”

Using artificial intelligence to eliminate all cyberthreats would be unrealistic, according to Richard Barger.

“The ‘easy button’ is an illusion,” Barger, who serves as the director of security research at Splunk, said. “There’s so much nuance into security for AI.”

Awatramani concurred, saying, “It’s not that security is not being done. It’s that what is considered security is changing.”