In February, students and staff were notified of a cyber attack causing the ASU Internet to shut down for about an hour and a half, according to an email from ASU Chief Information Officer Gordon Wishon.
This attack, called a distributed denial of service, or DDoS, happens when malware infects computers on a network and tries to overload the shared network, so other users cannot access it.
ASU spokesman Mark Johnson said the attack was not targeting personal information, and there “was no indication any sensitive information was stolen.”
However, many upperclassmen remember an attack on the MyASU system that shut down the entire system for days, interrupting classes and forcing students to change their passwords.
Psychology senior Margaret Rich, who was a freshman when the 2012 hack happened, said she worries about her information on a network that is often targeted.
“I should be able to trust my college’s security system to protect my sensitive information,” Rich said.
How information is protected
The Information Security Office is the center of protecting online information, ASU spokesman Logan Clark said.
The office, which addresses issues from online and telephone scams, data storage, malware education and information security sets up the system’s defenses against cyber attacks, Information Security Programs Director Evelyn Pidgeon said.
“Every organization with an Internet presence is constantly under attack,” Pidgeon said in an email. “ASU believes in a ‘defense in depth’ approach, meaning there are many layers of security in place. Most of the attacks are caught and deflected at the top level and therefore never affect students.”
Students are not notified of the majority of attacks to the ASU system, because most never actually get past the first defenses in place. With the layered approach, Pidgeon said the system is generally protected from the more common, less sophisticated attacks.
“Cyber attacks continue to get more sophisticated, so we encourage our community to remain vigilant and deploy the most advanced defenses possible,” Pidgeon said.
These defenses include changing passwords frequently, keeping information security private and being aware of shared systems when logging on, Pidgeon said.
Johnson said in an email these small attacks are not ignored even though they rarely reach students.
“Improvements to information security at Arizona State University are ongoing. ASU takes protection of information very seriously,” Johnson said. “Every event, small or large, is reviewed for opportunities to reduce the risk of future attacks.”
When a hack affects students
The hack in January 2012 was the most recent large-scale hack that directly affected students, forcing ASU to cut off access to the MyASU system, including email and Blackboard.
That attack had targeted sensitive information, and had stolen usernames and passwords of students. Officials cautioned all those on the ASU network to be watchful of their personal bank accounts and email, any information that could have been found through their MyASU account.
Students and faculty reported receiving malicious emails in the weeks after that breach, looking for personal information and account numbers.
Archaeology senior Kea Warren was a freshman at the time of that hack, and said she cancelled her debit card after the hack for fear her information had been stolen, because her payments to the school were linked to her bank accounts.
The February hack was a different type, designed to overload the system and render it useless for intended users. It is designed to overload multiple systems to prevent access as long as the hack is undetected.
Wishon said the hack began at about 9 p.m. on Feb. 5 and full service should have returned by about 10:30 p.m. but warned students of possible lingering affects.
“For this particular event and others like it we proactively work with those who administer the affected system to change passwords out of an abundance of caution,” Johnson said. “The compromised systems did not use or store credit card numbers.”
These two hacks are in the minority that can break through the levels of defense Pidgeon described, meaning breaching the security system is not impossible, so students need to secure their own information as much as they can.
“Cyber attacks continue to get more sophisticated, so we encourage our community to remain vigilant and deploy the most advanced defenses possible,” Pidgeon said.
If information is stolen
Last month, ASU revised its protection for students and staff using a system called AllClear ID, Pidgeon said.
This is a free service for people who believe their identity was compromised, through a hack, online scam or any other method.
When a person calls the AllClear ID number, they provide the ASU code, available on their website. They then speak with an investigator who will open a case for them and investigate places the identity may have been used.
The investigator will also help repair the identity from the compromise, meaning gathering information to dispute fraudulent charges, being disputing charges with credit card companies and other institutions affected by the breech and making sure all financial information is restored how it was before the breech.
According to the ASU Information Security Office website, the investigator will continue the case until he or she can confirm the user will not be held liable for fraudulent charges or actions, and set up protection to prevent against future hacks.
The office recommends calling AllClear ID if a user begins to see charges in a bank statement that he or she does not recognize, receives notification from an account that he or she did not open, the user believes he or she provided information to a scam online or the user suspects he or she has been a victim of identity theft.
The system offers a guarantee that if an identity is compromised, the investigator will recover all losses and restore a person’s credit score to its original state.
Pidgeon called the free service “an extra level of protection” for students and faculty in case information is stolen. The service can be used in the case of an ASU breech, but also on an individual basis.
Protect yourself
The Office of Information Security also provides information about online and telephone scams, which Pidgeon said affect students on a regular basis.
“Successful scams are common enough, unfortunately,” Pidgeon said.
Pidgeon said phishing is the most common way hackers access student and faculty information. Phishing occurs when fraudulent emails are sent to a user, looking like they came from a legitimate source, such as a bank, or from the University itself. Generally these scams coerce users to input passwords or bank account numbers, and then use the information to access accounts.
The office provides basic information to protect users from phishing, including not opening attachments from email without being able to verify where it came from, never submitting online forms that are embedded into the body of an email and being suspicious of messages asking for personal information. Pidgeon said students should notify the Office of Information Security if they receive a suspicious email that looks like it came from the University. She said ASU will never send emails asking for personal information like a username or password.
Pidgeon said students should understand the basic steps to keeping information private, like keeping passwords secret and difficult to guess, checking bank statements often and not opening suspicious email.
“Our defense in depth approach helps keep attacks from getting in, but it’s really this combined with everyone following effective security practices that is the most effective defense,” she said.
Reach the reporter at cvanek@asu.edu or follow her on Twitter @CorinaVanek.
Like The State Press on Facebook and follow @statepress on Twitter.
