They may not be super heroes donning masks and capes, but Jeff Gardiner and his Information Security team are trying to protect the university from an onslaught of online attacks every day.
Security breaches are inevitable, said the Central Information Security Officer. Western boasts a wealth of knowledge people want access to – and that makes it a target. By raising awareness about cyber security, Gardiner hopes to find allies across campus to help protect this information.
“Those who are trying to breach us are everything from low-level, curious students all the way to criminal elements like organized crime and foreign governments,” Gardiner said. “There is largely a lack of awareness that this university is under constant attack.”
By way of example, Gardiner cited an alleged leak of personal information of 4,900 students enrolled in first-year in 2014-15. The information, which included email addresses, residence details, phone numbers and programs of the current second-year students, was uploaded to a U.S. course note-sharing website.
This breach, Gardiner said, shows how not all information should be viewed as equal. Data classification is one way to protect and safeguard.
Under law, privacy rights are protected in federal and provincial legislation under the Personal Information Protection Electronic Documents Act, Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act.
However, in addition to those standards, Western’s data classification scheme is three tiered: ‘public,’ ‘sensitive’ and ‘confidential’ data. Public data (like bus or class schedules) poses no harm to the university if released; sensitive data (like legal agreements or patentable information) may cause mild harm to a segment of the university, if released; and confidential data (like research involving humans or health-care records) would cause serious harm to the university or its research groups, if released.
“The data owners determine the classification – our role is to tell you how to protect it,” Gardiner said.
“Luckily, we have had low-exposure breaches; the data was leaked, its propagation wasn’t global. We’ve had health-care records breached; we’ve had identities breached. Whenever we have identities breached, we have to assume that some of our systems that require identity are compromised. So, we are constantly struggling against identity breaches,” Gardiner said.
In 2011, the Centre of Audiology alerted families of children who were clients of two Audiology and Speech Therapy programs that a copy of personal data records for 4,500 clients stored on a USB stick went missing. In 2012, the University Students’ Council issued a revote for its elections after a Western student hacked the voting server and changed voting options. In 2009, Huron University College also experienced a computer server security breach, which may have exposed personal information from former students, applicants and former residents of Huron’s dormitories.
“It would be naïve to suggest no network-connected entity has a breach; Western really is no different. It’s better for us to acknowledge these breaches and learn from them, rather than pretending they don’t happen,” Gardiner said.
“There is no doubt cybercrime is one of the most growing crimes out there,” said Paul Eluchok, Associate University Secretary and Legal Advisor, adding security from unauthorized access is a key focus for the university. “It’s growing across the globe. These attacks are happening and increasing so data security has to keep getting ahead.”
It is important not only to think about the classification of data, but also the life cycle of the information, Eluchok added. Currently, Western’s Working Group on Information Security is conducting a four-year review of every faculty and business unit across campus to assess their information security risk.
“The intention is to go to find out what information they are dealing with and how it is being protected,” he continued. “Part of that will be classifying the data using the classification standards, and looking at the life cycle of that data.”
Some areas on campus do not have similar-data retention policies for traditional and digital media. For example, safeguards are put in place to protect traditional media, such as shredding paper documents, but the digital version of the same document is often saved.
In order to assess the level of risk, Gardiner challenges users to consider what would happen if there was an unauthorized breach and the data was publicly exposed. If the answer is this information should be kept confidential, he suggested the owners of the information treat it “like the Crown Jewels.”
“What we haven’t done well is the information governance piece, which dictates how to safeguard our sensitive information,” he said. “Our job is to ensure confidential information remains confidential and only those people who have a right to change or alter information can. People need information in order to work. We are facilitators of accessibility – not impediments.”
Emails are a common source of information breaches. Gardiner equated sending an email to mailing a postcard – the details of the postcard are easily accessible and no care has been taken to protect the information, relinquishing a sense of privacy. However, encrypting information is akin sealing the envelope.
“But in spite of the risks, we send all sorts of information as postcards in emails all the time,” he said.
As an alternative to email, Western supports SharePoint to distribute digital information, as the Microsoft Campus Agreement allows ITS some administrative control. Gardiner also suggested using ‘https’ instead of ‘http’ to ensure Internet activity is safeguarded and encrypted; the ‘s’ stands for secure.
If members of the campus community are using Internet-based file-sharing or cloud services, encrypt data before uploading it to these sites, noted Matt Feeney, ITS Security Analyst.
“People don’t recognize how important their information is and they don’t have a realization of where it should be classified. Then, they realize, ‘Oh, this is really important and maybe should be treated more safely,’” Feeney said.
Phishing emails are commonly used to perpetrate identity theft. On average, Feeney said 15 accounts per day are caught being phished, however this includes cases of people unwillingly providing credentials on a computer with a virus that is capturing data. ITS has created a CyberSmart program to educate the campus community about Internet security and privacy.
Last month, Western experienced a Distributed Denial of Service attack, which overwhelmed the university Internet service with traffic from multiple sources and resulted in a three-minute Internet outage on campus. “These kinds of things happen all the time on the Internet. It’s just a way of attacking information systems,” Feeney noted.
Phishing attempts have become extremely sophisticated and some have even gone as far as duplicating Western’s Human Resources website, added Eluchok.
“Western will never ask you to provide your credentials in an email and you should be very careful when you receive an email asking for information,” he said. “There are very convincing emails sent where people ‘take the bait’ and enter their user name and password and give the criminal access to student or employee records. There have been sophisticated attempts over the past two years and they are growing in sophistication.
“We have to be constantly vigilant. It will be an endless effort,” Eluchok said. “It is really a team approach; it’s everyone’s responsibility.”