Cybersecurity Starts Here
From home to campus to Florida policy, USF is backing up the community in the burgeoning field of cybersecurity
By Kim Franke-Folstad
It's a nightmare millions of Americans experience every year: Someone out there pretends to be you – opening bank and credit card accounts, maybe filing for a hefty income tax refund, perhaps even using your passwords to get their hands on someone else's money or data.
Though the policies and processes put in place to protect your online privacy continue to improve, it can take months or even years to find out you've been victimized, and then to clean up the mess.
In its 2017 Identity Fraud Study, Javelin Strategy & Research reports that 6.15 percent of consumers became victims of identity fraud in 2016, an increase of more than 2 million victims from the previous year. According to the Bureau of Justice Statistics' most recent update, in 2014, 17.6 million U.S. residents age 16 and older experienced identity theft.
"If you think this won't hurt you, or that it only strikes once, you're wrong," says attorney Jay Wolfson, associate vice president for Health Law, Policy and Safety at USF Health and senior associate dean of the Morsani College of Medicine.
Wolfson has been the victim of four cybercrimes ... that he knows of. He is careful with his personal information and vigilant about social media interactions. He was assertive about getting help every time there was a problem, and is enrolled in an identity theft protection service. And yet, he says, he continues to check his billing and banking statements every month for any abnormalities.
As a health policy expert, Wolfson likely was more aware of the potential threat to his online information than most people when he experienced his first cybercrime about eight years ago. He knew identity theft was a national issue and that health records were especially vulnerable. According to the World Privacy Forum, Florida has long been a hot spot for medical identity theft.
"I was working on it in that context – protecting the integrity of the data," he says. But when he got a call from his bank asking about what appeared to be his efforts to withdraw money from someone else's account – a prominent person in the community – he was flummoxed. "I don't have anything to do with that," he told the caller. "We know," the bank's representative replied. But they wanted his help in the investigation. Around that time, Wolfson says, he had noticed his computer was slowing down and a series of files had gone missing. He brought in a technician to take a look.
Someone somewhere had accessed his router, he was told, perhaps by parking just a block away from his home. They'd targeted him, his financial records and anything that had to do with USF, the names of his clients and his friends. And they'd downloaded it all on the same day.
Wolfson says he got the FBI involved immediately – and did everything he could to better secure his online information. Still, about two years later, he got a call from the Tampa Police Department saying $10,000 in goods from Home Depot had been charged to his American Express. A sting operation busted an Eastern European fraud ring for that crime, he says.
Then the IRS rejected a tax return submitted in his name, though he hadn't filed yet. Turned out, he was one of hundreds of thousands victimized by a massive tax fraud scheme that exploded in the Tampa Bay area – and across the country – in 2010 and 2011. In 2011, the IRS identified 940,000 questionable tax returns and stopped $6.5 billion in fraudulent refunds from being issued. Still, an inspector general audit identified an additional $5 billion in fraudulent refunds that went through that year. Locally, a task force that included Tampa police, the U.S. Postal Inspection Service, the Secret Service and other agencies eventually was put in place to tackle the problem.
Wolfson wondered what could possibly happen next – and in January, he found out: Someone tried to use one of his credit accounts to spend $390 at Toys R Us. Fortunately, he now has an alert in place that lets him know every time more than $20 is charged to any card.
"Theft is always a fact of life," Wolfson says. "Caveat emptor goes all the way back to the Roman markets. But it's more insidious now. The thieves are much more aggressive – and there's much more at stake. You could lose everything."
Staying one step ahead of the bad guys is what keeps cybersecurity professionals awake at night – and helping ordinary people avoid pitfalls and predators is a big part of that.
"I'm most concerned about how unaware people are," says Sri Sridharan, director of the Florida Center for Cybersecurity (FC2), which is housed on the USF campus. The center works with all the universities in the State University System of Florida and is a statewide resource meant to position Florida as a national leader in cybersecurity through education and workforce development, research and community engagement.
Even today, with all the warnings that go out, 70 to 75 percent of breaches are the result of human error, not tech, Sridharan says.
That means absent-mindedly clicking on links in emails that appear to come from friends but really are from hackers phishing for data. Or checking your bank statement at a cafe with a free but unsecured wireless connection. Or using short, easy-to-guess passwords that never change. Or shopping on a website that seems too good to be true.
"Never let your guard down," Sridharan says. "Once you do, you're doomed. That's the environment we live in."
Anyone can become a victim at any time, but because millennials are so comfortable online, they are prime targets, he says. According to Equifax Canada, nearly half of all suspected fraudulent loan applications are for those between the ages of 18 and 34.
Younger computer users are often tech savvy, but not necessarily security savvy, Sridharan says. Equifax found they're more likely than other age groups to share their passwords and PINs. They aren't as diligent about checking their banking and credit card statements. And they're less likely to install or update the security software on their personal computers.
FC2 fights cybercrime in two ways: It brings key stakeholders together to create educational and training programs and create cybersecurity awareness (see sidebar). Because young people are so vulnerable, the center's work includes helping parents and teachers improve kids' cyber hygiene.
It's up to everybody to make that work, says Nathan Fisk, an assistant professor of cybersecurity education in the USF College of Education and a community and outreach liaison for FC2.
Age-appropriate conversations about cyberbullying and predators are a must.
"The best way to keep your kids safe online is to have an open, trusting relationship with them, so they can come to you with a problem. That's really what my research and others' shows, is that one of the biggest challenges is that kids think if they approach an adult with a problem or question that might be a little risky, they'll get kicked offline," says Fisk, whose book, Framing Internet Safety (MIT Press LTD., 2016), advises an approach to children's internet safety that isn't oppressive or ruled by panic.
It's also crucial to cover cybersecurity basics with young users – password awareness, privacy, downloading from questionable websites and running anti-malware protection.
Most parents assume that if cyberthieves go after the family's data, it will be to tap into their credit and bank accounts. (And many mistakenly believe thieves only target high-income victims.) But a child's Social Security number also can be used to apply for government benefits, open bank and credit card accounts, apply for a loan or rent a place to live. According to a study by Carnegie Mellon University's CyLab, children are 51 times more likely to be a victim of identity theft fraud than adults. And you might not know for years that the crime occurred.
It's great when those lessons can come from both parents and educators, Fisk says. But parents should expect to take the lead. "Teachers only have so much time in a day, and to expect them to also know everything about cybersecurity and teach it with relatively little training is really a big ask."
And the children are using the home's computers, tablets and wi-fi, after all.
It's an issue Fisk believes USF is uniquely positioned to address, given the university's relationship with FC2 and, increasingly, the Florida Center for Instructional Technology at USF, which provides professional learning, digital content and technology integration evaluation services to schools worldwide.
"We're looking for ways to effectively salt cybersecurity into the curriculum," Fisk says, "so that we're not disrupting the everyday flow in the classroom."
FC2 and the College of Education also put on free summer programs along with USF's Whitehatters Computer Security Club, a student group formed in 2005 that works to raise awareness of issues related to information security.
High-schoolers learning hands-on at the GenCyber Summer Camp.
At the GenCyber Summer Camp, high school students learn safe online behavior and hear about careers in the cybersecurity workforce. At the Cyber Defense Boot Camp, Whitehatters mentor high school students as they learn techniques used to defend an infrastructure from attackers and gain career insight from industry professionals.
The goal is to fend off the guys in the black hats – criminals who are relentless. And, of course, they aren't just attacking individuals and their personal devices. Companies of all sizes and types – including and especially financial, educational and health institutions – face a barrage of attempted breaches every day.
The digital security firm Gemalto, which keeps an up-to-date global tally with its Breach Level Index, reports that more than 9 billion data records have been lost or stolen since 2013. In the first half of 2017, it says, 10.5 million records were lost or stolen every day. Large-scale databases are often the target – and if every single person connected to that database isn't careful, your information is at risk.
A major university, such as USF, is like a "mini city," says Alex Campoe, USF's chief information security officer. And unfortunately, not everyone within the walls of the city is on guard all the time. There are records and research files to poach and hackers are just sitting there waiting for someone to make a mistake.
"It's a bit of a cat and mouse game," Campoe says. Systems are constantly being monitored and patched.
The online world keeps evolving, and so do its hackers. Twenty years ago, Campoe says, the threat was mostly from "script kiddies," hackers who defaced web pages for the thrill and to prove their prowess to their peers. Today, there are also "mobster" hackers, hired by large-scale criminal enterprises to procure log-in information that can be used to get money. There are "hacktivists," who will hijack a website in protest or to promote a social cause. And there are "nation-state" hackers, or "anarchists" working to disrupt an entire country or shut down a government.
Any one of those groups might be interested in hacking into a university's systems – for student or alumni data, to steal research, or to bring attention to an issue.
Often a hacker will simply run a test, Campoe says, to "knock on the doors" and see if they open.
"We get our doors tested thousands of times a day," he says.
And phishing is still a big factor. At a recent meeting of State University System chief information security officers, the group discussed their No. 1 worry. "All agreed it was email as an attack factor," Campoe says.
Because malware and ransomware and other hacks are so often in the news, people are becoming more careful with the information they volunteer. "It's definitely better than it used to be," Campoe says. Still, it's very easy for a hacker to send 10,000 emails to USF. And if just a few of those manage to get through the anti-spam filters, and if even one person clicks a link and types in a password ... there's a problem.
Usually, breaches are discovered quickly at larger institutions – and the security team may know someone broke into an individual's account before the owner even realizes it. (Keep that in mind the next time you call the help desk prepared to yell about a locked account. It's likely a precautionary measure that just saved you from a world of hurt.)
But it's vital that everyone keep a watchful eye on their own interactions.
Campoe says he heard a cybercrime expert speak recently, and the advice he heard stuck with him.
"You don't want to lock up your house to where you can't enter anymore," he says. "What you want to do is make your place secure enough that instead of your house, the criminal decides to go to somewhere else."
Being careful won't guarantee you won't be hacked. "But it might delay it," he says.
Video comments from Sri Sridharan – USF Cybersecurity: The Future
Video comments from Jay Wolfson – USF Cybersecurity: Identity Theft
Video comments from Jay Wolfson – USF Cybersecurity: Preventative Measures
Video comments from Alex Campoe – USF Cybersecurity: Evolution of Hackers
Video comments from Alex Campoe – USF Cybersecurity: Piece of the Puzzle
Video comments from Alex Campoe – USF Cybersecurity: DUO Mobile