While much of the world is working or studying remotely to lessen the impact of the COVID-19 pandemic, opportunistic hackers are trying to take advantage of the arrangement — and have substantially increased their efforts to infiltrate Cal Poly.
Fortunately, the California Cybersecurity Institute (CCI) is working with Cal Poly’s Information Technology Services (ITS) to protect the university during the sheltering-in-place directives.
Several engineering students are involved in the project, acting as first responders for malicious activity. Those students review all suspicious emails reported by faculty, staff and students and help block malicious activity passing through campus email. Students are also improving the university’s primary security monitoring tool, Splunk, and the Information Security Office’s ability to detect and respond to compromised portal accounts, malware and other security incidents, said Doug Lomsdalen, with ITS.
We asked Lomsdalen and Steven Taruc, one of the students on loan from the CCI, about the threats to Cal Poly during this time and how students are helping to protect it. Taruc is a statistics major working for ITS as a junior security operations analyst, and Doug Lomsdalen is an information security officer.
What normally would the threats be to a university like Cal Poly?
DL: The largest threat to Cal Poly by far is phishing attacks using compromised user account information to access accounts to propagate more phishing/malicious emails.
ST: Normally there would be malicious or phishing emails sent to students or faculty of Cal Poly or people from other countries attempting to log in to Cal Poly accounts.
How does coronavirus change this?
DL: Recently, COVID-19 has changed the wording of malicious emails to include hot-button words like “coronavirus” and “COVID-19” to convince you to open their email. The Information Security Office expects phishing emails in the near future to contain language referencing the recently passed stimulus bill and unemployment.
ST: There are now many threats that take advantage of students’ vulnerabilities to the current situation. They use it to leverage students into doing “remote work” and promising to pay when, in fact, they are phishing.
How does Splunk work?
DL: The CCI brought in Splunk to investigate ways Cal Poly could use the data analysis capabilities of the Splunk ecosystem. CCI had several students take the Splunk training and were able to get them up to speed. We, in the Security Office, saw the benefits of Splunk and pursued a contract. Once we had Splunk up and running, CCI assigned their three Splunk-trained students to the Security Office. These students are working with Cal Poly data, looking for trends and indicators of compromise — protecting Cal Poly’s data and infrastructure.
ST: Splunk essentially allows us to search through the Cal Poly data logs efficiently and create dashboards for generating insights. We are able to dive deeper into who, what, when and where these threats are occurring.
How have the students done so far?
DL: Each student has contributed to ensuring the security of Cal Poly through their efforts in managing day-to-day security operations. They’ve improved Splunk’s visualizations and alerting capability to proactively alert the team of indicators of compromise. As a result, our response time between a reported email and other incidents has decreased significantly.
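The pattern described in the answers above (a compromised account logging in from another country and then being used to push out phishing mail with pandemic-themed subjects, caught by alerting on indicators of compromise) is the kind of thing a log search can surface. The following is an added example, not code from Cal Poly, ITS, CCI or Splunk: it runs that detection logic in plain Python over a few constructed authentication and mail log lines, correlating two weak signals (successful logins from two countries within an hour, and an outbound mail burst whose subjects contain the hot-button words mentioned in the interview) into one alert. It goes slightly beyond the specific case in the text by combining both signals rather than alerting on either alone. All usernames, IP addresses, countries, field names and thresholds are invented for the example.

```python
"""Added example (not Cal Poly's, ITS's or Splunk's code): correlate foreign-login and
mail-burst indicators over constructed log lines to flag a likely compromised account.

The equivalent Splunk search, assuming the same field names, would be something like:
  index=auth action=success
  | stats dc(country) as countries values(country) by user
  | where countries > 1
This file reproduces that logic offline so it can be read and tested without Splunk."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Hot-button words the interview says show up in pandemic-era phishing subjects.
HOT_WORDS = ("coronavirus", "covid-19", "stimulus", "unemployment", "remote work")

# Constructed sample logs: every user, IP, country and subject is made up.
AUTH_LOG = """\
2020-04-01T08:02:11Z user=jdoe action=success src_ip=198.51.100.7 country=US
2020-04-01T08:40:53Z user=jdoe action=success src_ip=203.0.113.42 country=RU
2020-04-01T09:15:02Z user=asmith action=success src_ip=198.51.100.9 country=US
2020-04-01T09:16:40Z user=asmith action=failure src_ip=203.0.113.77 country=BR
2020-04-01T10:01:00Z user=bchen action=success src_ip=198.51.100.12 country=US
"""

MAIL_LOG = """\
2020-04-01T08:45:00Z sender=jdoe recipients=48 subject="COVID-19 remote work opportunity"
2020-04-01T08:46:10Z sender=jdoe recipients=52 subject="Coronavirus stimulus update"
2020-04-01T09:30:00Z sender=asmith recipients=3 subject="Lab meeting notes"
2020-04-01T10:05:00Z sender=bchen recipients=1 subject="Re: homework 4"
"""


def parse_kv(line):
    """Parse 'TIMESTAMP key=value ...' (values may be double-quoted) into a dict."""
    tokens = shlex.split(line)
    rec = {"ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def parse_log(text):
    return [parse_kv(line) for line in text.splitlines() if line.strip()]


def multi_country_logins(auth_log, window=timedelta(hours=1)):
    """Users with two successful logins from different countries within `window`.

    Only successful logins count: a failed attempt from abroad is noise here, not
    evidence that the account was actually used. Returns {user: sorted countries}."""
    by_user = defaultdict(list)
    for rec in parse_log(auth_log):
        if rec["action"] == "success":
            by_user[rec["user"]].append((rec["ts"], rec["country"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                flagged[user] = sorted({c for _, c in events})
                break
    return flagged


def mail_bursts(mail_log, max_recipients=20):
    """Senders whose total recipient count exceeds `max_recipients` (constructed threshold)."""
    totals = defaultdict(int)
    for rec in parse_log(mail_log):
        totals[rec["sender"]] += int(rec["recipients"])
    return {sender: n for sender, n in totals.items() if n > max_recipients}


def phishing_keywords(subject):
    """Hot-button words present in a subject line, in HOT_WORDS order."""
    lowered = subject.lower()
    return [w for w in HOT_WORDS if w in lowered]


def correlate(auth_log, mail_log):
    """Alert only on accounts that show both signals; list the keywords for the analyst."""
    travel = multi_country_logins(auth_log)
    bursts = mail_bursts(mail_log)
    subjects = defaultdict(list)
    for rec in parse_log(mail_log):
        subjects[rec["sender"]].append(rec["subject"])
    alerts = []
    for user in sorted(set(travel) & set(bursts)):
        keywords = sorted({k for s in subjects[user] for k in phishing_keywords(s)})
        alerts.append({"user": user, "countries": travel[user],
                       "recipients": bursts[user], "keywords": keywords})
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, MAIL_LOG):
        print(alert)
```

Requiring both signals before alerting is the design choice worth noting: a foreign login alone catches travelling students, and a large recipient count alone catches legitimate announcements, but an account that does both within an hour while mailing pandemic-themed subjects is the case the Security Office describes wanting to catch quickly.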
Have you been able to detect any threats so far?
ST: There are a few potential threats that occur each day, and we get notified of these and are able to block them.