In April, Microsoft Word users encountered the scariest thing hiding in their software since Clippy. But instead of unwanted advice from an animated paper clip, these unsuspecting users found authentic-looking Word documents booby-trapped with malicious code. After users opened the Rich Text Format file, the underlying harmful code infiltrated their systems, making private information vulnerable to hackers.
Just a month later, online criminals stole the hacking tool EternalBlue from the U.S. National Security Agency. They used the tool to morph the ransomware WannaCry into a malware juggernaut, compromising the security of Microsoft users around the world by holding their private information for ransom, payable in bitcoin.
To combat WannaCry, Microsoft released a patch for all users, including customers running outdated software the company no longer supports. But users who are not paying for ongoing service for outdated versions, or who are using pirated versions, remain susceptible to attacks without remedy.
New attacks are constant, so higher education IT departments must provide a steady stream of advice on how to avoid vulnerabilities and how to proceed if compromised, says Ganesan Ravishanker, CIO and associate dean at Wellesley College in Massachusetts.
At Northwestern University, CISO Thomas P. Murphy says that training and videos can educate users about the anatomy of phishing emails. “We strongly advise our community not to open unsolicited documents and not to click links if the sender isn’t verified,” he says.
Yet attackers are becoming more sophisticated, as the Microsoft Word breach demonstrates. That was followed by a Google Docs attack that tricked users into thinking that a trusted friend or colleague was sharing a document. Once the user clicked on the link, the damage was done.
“Malicious software isn’t going to hurt you if you prevent its download,” Murphy says. “So attackers are being more creative about misleading users into downloading harmful malware.”
Wellesley’s IT team installs anti-virus/anti-malware software on faculty and staff computers and makes it available to all students. “Pushing updates to computers is one way [to protect users], but you have to be sure automatic updates are set up or else these vulnerabilities will get through,” Ravishanker says. “Not everyone keeps their systems current.”
Even the most dutiful patching schedule cannot keep every computer and smartphone out of danger. Murphy points out that shared laptops or machines that aren’t booted up regularly remain at risk. Security patches won’t download for users who only put their machines to sleep, rather than shutting down and rebooting.
Managing critical patch distribution can be a tricky task in a university environment, where the wrong timing could be dire. “You don’t want to push a patch during a lecture or exam or during some critical point of research computation,” Murphy says. “The idea is to secure Northwestern, not to ruin someone’s work.”