Security Awareness 101: What keeps Joe Bazeley up at night?

by Elizabeth Jenike, IT Services

Joe Bazeley has an important job here in IT Services: saving the world.

That might sound a little dramatic—and maybe it is—but the truth is, Joe and his team are integral for the University to run smoothly and effectively, even though they do the majority of their jobs behind the scenes. These are the folks who protect our data and keep hackers’ grubby fingers out of Miami systems: the information security team.

There are two main worries when it comes to information security here at Miami University, according to Joe, whose official title is assistant vice president of security, compliance, and risk management: phishing and unauthorized access to Banner databases.

1. Gone (ph)ishing

Joe’s first security stressor—and the one most likely to occur—is phishing. This is the easiest to spot, and the one most likely to hit just about anybody at the University. However, phishing can have a relatively low impact, as long as it’s identified and ignored or reported appropriately.

Phishing is when a malicious actor (a hacker, if you will) sends an email from an account that appears legitimate in order to trick the recipient into divulging personal information or sending money. The most common example of phishing is the “Nigerian prince” scam, otherwise known as 419 fraud, according to the FBI. Someone claiming to be a Nigerian prince who has inherited money needs your help in some way, and if you send them your information, they will wire you a piece of their fortune. Clearly, there is no such prince, and no such money; if you send any funds to this person, your cash will be lost forever. You might think it’s easy to ignore any Nigerian princes that show up in your inbox, but in 2013, the scam cost the world an estimated $12.7 billion, and the numbers have only risen since.

On the other hand, there is also spear phishing, which is a version where the hacker goes after a specific person, usually an individual with more important credentials and with greater access to potentially compromising details, such as social security numbers and bank routing information. This is especially prevalent during tax time, when malicious actors look for ways to gain access to W-2 information.

“Spear phishers take the time to target specific people,” Joe explained. “If I’m a spear phisher, the folks I’m going to target are the ones in Roudebush – the accounts payable folks or the treasury services folks. If I can get accounts payable to believe that I’m a current vendor and change the routing number (associated with that account), I’m going to get a check.”

“Spear phishing worries me a little bit, especially when it comes to the endowment, but not too much – because all the access into the endowment requires two-factor authentication,” he noted.

For more information about spear phishing, take a look at the Information Security website, where you can find definitions and examples of what this scamming tactic looks like.

2. Protecting Banner

The second—and far more critical—security issue that Joe actively works to prevent is a malicious intrusion into the Banner databases. The information stored in these databases is the most sensitive info out there: things like FERPA-protected data, social security numbers, and routing numbers for the vendors that the University has used in the past. If this information were to be compromised, it would be astronomically expensive in both capital funds and brand reputation.

“Security people are pessimists by nature,” Joe said. “Because no matter what happens, there’s always something worse.” And a Banner database hack would definitely be that ‘something worse.’

Phishing isn’t the only way to gain access to Banner databases. Zero-day vulnerabilities can be exploited as well – and more often than not, these vulnerabilities go undetected until a breach occurs. We have a number of tools running in the background on Miami University’s files to head off this kind of situation: CloudLock and Spirion are two of those tools. These programs troll Google Drive and Miami’s network files, respectively, looking for social security numbers and bank account information. When these numbers are found, Joe and his team reach out to the person involved and ask them to remove the data.

The good news, however, is that Miami University has never seen one of these huge, compromising incidents as a result of phishing, which means Joe and his team have been successful at making sure everything stays above board.

“What keeps me up the most at night,” he said, “is the thought that tuition money would have to be diverted to something like this. But so far,” he said, knocking his fist against the wood desk, “we haven’t had any of these big ones.”

“We take this very seriously at Miami. This is a huge level of trust that the community has given us, and we try and live up to expectations of having that level of trust.”

Here to help

If all of this scares you, here’s some good news: Information security isn’t all doom and gloom, and there is a silver lining to look for. Namely, the better informed you are, the less likely you are to become the victim of an attack. And, by proxy, the University as a whole becomes safer with better cybersecurity education.

Luckily, Joe and his team love talking about security, and they’re the ones you want explaining it to classes, departments, board meetings, and other groups. The big thing is just spreading the word about security issues and how to prevent them – and the infosec team is at the University’s disposal to help people learn about information security and their roles in the greater picture of security at Miami.

“If I can keep one student from doing something and alleviate pain down the road, my job is worth it,” Joe said.

Get in touch with them to set something up for your next meeting or class session. And the next time you see Joe, thank him for helping to keep your data safe!

Don’t forget: October is Cybersecurity Awareness Month, and we have events and activities planned throughout the month to promote information security education. Visit the Information Security website for more information and for a schedule of events.