For five days, classes at Baruch College were taught remotely after a malware attack in early September, with their internet access still being limited upon reopening. With Baruch being a senior college in the CUNY system, this malware attack may feel too close to home for students at Queens College.
Students at QC are constantly connected to QC Wi-Fi, using it to send private messages, emails, and access sensitive accounts and information. For many, online security takes second place to convenience. It’s all too common to connect to public networks without wondering what safety measures are in place.
But how is Queens College preventing a system shutdown from happening?
The Knight News spoke with Chief Information Officer and Assistant Vice President Troy J. Hahn — who oversees Queens College’s Information Technology Services — to find out.
ITS has implemented various cyber security measures, such as: installing anti-malware software and spyware filters, having confidential information be stored on an auxiliary hard drive with strong access controls, as well as content encryption against unauthorized disclosure while stored or transitioning over data networks.
“My mission is to ensure an uninterrupted digital academic experience for all students,” Hahn said.
ITS has multiple “incident response” plans in the event of a security breach, with the majority of these plans following a similar structure, beginning with preparation of a possible occurrence, whether it be through updating tools/policies, establishing an incident response team, or ensuring that communication procedures are accurate.
After an anomaly has been detected, the nature of an incident is determined, identifying potential targets, defining external touch points, and the likely scenarios. Once it’s reported, the threat is then contained by isolating the infected systems and disabling specific services, leading the cause to be eradicated depending on the circumstance. Systems are then recovered, any vulnerabilities are remedied, and operations are restored to normal.
“When a situation might require us to temporarily suspend network activity — email, websites, Internet access, etc. — it will be the result of a careful and considerate review of all options where we select those which will most effectively protect the college community’s data,” Hahn said.
Every incident differs in severity depending on what’s at stake. For example, a widespread malcode attack would be deemed a high severity, while a lower severity would be an isolated virus infection on campus. Incidents are divided into categories, ranging from unauthorized access, malicious code, improper usage, attempted access, and an investigation.
‘‘My chief of staff, Ms. Evelyn Alvarenga, establishes the protocols for numerous technology ‘fire drills’ throughout the year to assess our reaction times to a mock incident and the efficiency of our plan,” Hahn said. “The purpose is to not only test the plan, but to enhance the hands-on experience, so when an incident occurs, we are prepared and have confidence in everyone’s actions.”
ITS protocols aren’t set in stone once implemented, as they are consistently updated and evaluated for effectiveness. Security patches are applied in compliance with ITS’ Patch Management Standard which monitors security sources for vulnerabilities and tests the stability of updates. Updates must be approved by the IT Change Advisory Board in order to take effect, ensuring that a change won’t negatively impact our access to academic content.
“Network traffic and activity are carefully monitored 24/7 by IT staff through visual and electronic means,” Hahn said. To do this, ITS uses “security information and event management” tools, which feature dashboards tailored to specific needs.
“My team and I spend a significant amount of time each week reviewing these data points,” Hahn said. These include unusual login attempts, suspicious user activity and authentication issues.
While using QC Wi-Fi, your data passes through the school’s network. Your private messages, passwords, financial information and social security number need to be protected as you transmit information. Encryption makes this data unreadable by outside users without an encryption key.
“We recognize and respect just how valuable your data is to you. We use robust encryption protocols, like SSL/TLS for web traffic and WPA3 for Wi-Fi connections,” Hahn said.
TLS and WPA3 are the current gold standards of encryption, with WPA3 individualizing the encryption key for every device on a network and TLS working with it to encrypt data before it is transferred.
On the other hand, the Wireless Network Security Standard, updated in August, specifies that, “At a minimum, Wi-Fi Protected Access (WPA) 2 – Advanced Encryption Standard (AES) must be utilized.”
While WPA3 is individualized, WPA2 uses the same encryption key with all connected devices. If someone has one encryption key on a WPA2 network, they have the key for all devices.
A cyberattack would be a major disruption for students, as was the case for many at Baruch. “We did online [classes] because we didn’t have Wi-Fi on campus,” Michael Spencer, a first year graduate student at Baruch’s Weissman School of Arts and Sciences, said.
Though classes were allowed to be held on campus again starting October 2nd, he said he didn’t return to his classes until October 9th as professors expressed concern that, “Technology will not be sufficient enough for us to conduct class in the computer lab,” Spencer said, paraphrasing one of his professors.
Spencer also ran into trouble when trying to work on his thesis with a classmate in the library, leading him to use his own data on a mobile hotspot. “I kind of just gave up trying,” Spencer said, “A lot of people have had trouble connecting to Wi-Fi when they came back.”
As the Baruch malware attack demonstrated, digital protection isn’t something to neglect.
“Personal data, including academic records, banking records, contact information, and communication history, is highly sensitive,” Hahn said. “Protecting it ensures that their privacy is respected, and it reduces the risk of it falling into the wrong hands.”