Can you tell us about your role here at Penn?
I am the University Chief Information Security Officer, which means I am accountable for the security of all of Penn’s information. What this means in practice is that I work to coordinate the information security efforts of Penn’s schools and centers, inclusive of cybersecurity, with the goal of providing the best support to Penn’s mission. My team, the Office of Information Security, helps with this goal by developing policies, standards, and guidance and by providing information security services like consulting, incident response, and technical tools.
What are some specific things your office does to keep Penn safe?
Members of the Penn community might recall the two-step verification protections that were implemented for PennKey logins last year. The changes to put two-step verification in place took the combined effort of hundreds of people across Penn, but have been well worth it. Successful attacks against two-step verification protected accounts have dropped to essentially zero.
More recently, we have implemented a phishing simulation tool that individual schools and centers can use to help their community learn how to recognize malicious and deceptive phishing emails.
Additionally, because the Office of Information Security supports all of Penn’s schools and centers, we are in a position to help monitor for new cyberattack trends across all of Penn. To do this we aggregate information about attempted attacks from schools and centers and combine it with information from technical sources like Penn’s firewalls and intrusion detection systems. This allows us to identify and stop some attacks before they are successful.
You mentioned monitoring trends and new developments in cyberattacks. What are the current trends you are observing?
As I mentioned above, two-step verification protection for PennKey logins was very successful at stopping cyberattacks attempting to take over PennKey accounts. Unfortunately, we have seen those attacks shift to focusing on Penn email accounts where two-step verification protections often are not yet in place. Two-step verification is becoming an industry standard control and one of the most important measures an entity can take to protect its information assets.
In the past, where a cyberattacker managed to gain control of a Penn computer, they often utilized virus type software to carry out the attack. In order to respond to this type of attack, antivirus software was put in place that looks for known malicious virus programs. Recently, we have observed cyberattacks that attempt to circumvent antivirus software by using existing, normally benign computer management software during the attack.
What is being done to protect against these new cyberattack trends?
We believe the implementation of two-step verification is of vital importance to protect against these new attacks. In order to protect against attacks on Penn email accounts, we are strongly recommending the adoption of two-step verification and are working with schools and centers around Penn to make the process of this adoption easier.
For cyberattacks that do not utilize known bad virus programs, we are piloting a new antivirus type tool called CrowdStrike that can also detect against these newer style attacks. So far, we are seeing very promising results.
What can individual Penn community members do to stay safe and to help protect Penn?
I mentioned before how effective two-step verification is at protecting Penn email accounts and PennKeys. Everyone should take advantage of two-step verification for their personal accounts as well. Banks, social media, and most email providers offer this option and I would suspect that most members of the Penn community already regularly use two-step verification in their daily lives.
When dealing with Penn data, the biggest thing everyone can do is to work with their local service provider [LSP] to be sure that any sensitive information is being stored on Penn managed computers. Computers supported by the LSP will have important security features like encryption, data backup, antivirus, and patching which are very important measures for keeping Penn data safe.