It was Monday, Feb. 23, and the snow-covered campus was quiet as students and faculty remained at home. A blast of winter weather left students and staff with the day off. As a few faculty members from the SMU Office of Information Technology worked from home, an unknown cyber attacker was executing one of the most advanced phishing campaigns that they had ever seen.
The attacker was likely trying to acquire sensitive information from any of the 15,000 students and faculty in the SMU databases. Despite the limited number of faculty keeping an eye on the system during the snow day, campus security experts quickly handled the attack.
“Instances like that definitely make you aware that you are in the crosshairs of somebody who is waiting for you to slip up,” Information Security Officer George Finney said.
The phishing campaign in February is just one of about 50 million attacks targeted at SMU in the last 12 months, and one of 2.5 million in the month alone. That doesn’t include the additional 30 to 40 million spam and phishing emails blocked per month. However, some attacks are sophisticated enough to slip through the cracks, resulting in about 100 compromised student and faculty accounts per year.
Unlike larger corporations, SMU’s Office of Information Technology does not have the technology to identify the cyber attackers or learn what exactly they’re after. They only know when they block an attempted attack. Finney said that there is a spectrum of attackers, ranging from cyber activists, who are only looking to make a statement, to organized criminals, who are attempting to steal intellectual property. According to cyber security experts and media reports, the attackers on the higher level of that spectrum are after information such as Social Security numbers and other information that could be used towards identity theft, patents and classified research.
Cyber vulnerability is not limited to just college campuses. Senior White House officials announced on April 25 that President Barack Obama’s email was hacked in a 2014 breach of the White House’s unclassified computer system.
“It’s shocking,” sophomore computer science major Erik Gabrielsen said. “It makes having a cyber security program more important, and creates more awareness.”
SMU is a big target for cyber attackers because it holds the personal information of approximately 15,000 students, faculty, and staff, and operates as a high-performance computing center with loads of data running through the pipes. Consultant assessments of SMU’s cyber security efforts place it just above average. Finney said SMU would be a five or six on a scale from 1 to 10.
“You have to run to stand still, and sprint to get ahead,” Finney said.
The road to getting ahead begins with increased education among undergraduate students about cyber security, say experts.
“There simply aren’t enough trained cyber security people to fill today’s need,” Dr. Fred Chang, the director of the Darwin Deason Institute for Cyber Security, said in a piece he wrote for TechTarget.
The U.S. Department of Homeland Security actively recruits cyber security specialists to fill a growing need. There are a growing number of undergraduate and master’s programs in cyber security offered at public and private universities across the country. The Lyle School of Engineering offers a master’s degree in security engineering, and undergraduates can specialize in security engineering. Additionally, SMU has been designated since 2006 as a National Center of Academic Excellence in Cyber Security.
“Having an undergraduate program is incredibly important,” senior computer science and math major Derek Phanekham said. “Cyber security is currently one of our largest risks economically, politically and physically.”
Lyle continued to advance its cyber security efforts by forming the Darwin Deason Institute for Cyber Security in 2014 and bringing in Chang, a former National Security Agency research director to serve as the director of the institute.
“I joined SMU at the end of its first century, which puts me in the enviable role of helping to shape SMU’s next century through advancing research and education in cyber security,” Chang said.
In addition to his time with the NSA, Dr. Chang served as a professor for Infrastructure Assurance and Security at the University of Texas at San Antonio, and he was at the University of Texas at Austin as an Associate Dean in the College of Natural Sciences and Director of the Center for Information Assurance and Security.
George Finney, the Information Security Officer, praised SMU for reeling in someone like Chang.
“It speaks to SMU’s commitment to enhancing our cyber security capabilities,” he said.
The first change that Chang made to the undergraduate program was requiring bachelor of science students in computer science and computer engineering to take a foundational cyber security course as part of the core curriculum. The goal is to generate more interest in the field of cyber security, or even just more awareness.
“I’m thrilled to introduce more SMU students to the challenges and opportunities that are the result of growing the cyber security program here,” Chang said.
Beyond the educational side, the Office of Information Technology is also trying to support SMU’s cyber security efforts by conducting its own program of simulated phishing emails. These test emails are sent to each of the 3,000 faculty and staff. When the link within the email is clicked, the faculty or staff member is directed to a training page that will help them to better spot phishing emails.