Preventing Costly Cyberattacks
TCU fights cybercrime by thinking ahead.
The danger comes from ransomware carrying silly monikers — NotPetya, WannaCry, AstraLocker and Xing Locker, among others. But the damage can be serious and costly. In January 2022, technology firm Accellion paid clients $8.1 million for a data breach caused by hackers. In 2017, NotPetya disabled Merck’s computers, costing the pharmaceutical firm an estimated $870 million, in large part because production of a vaccine against the human papillomavirus was halted. Hospital systems, a critical pipeline, a major shipping line, sheriff’s departments and countless corporations have all been shut down by internet attacks.
Institutions of higher learning haven’t been spared. In 2020, the University of California, San Francisco paid a $1.14 million ransom after hackers calling themselves the NetWalkers froze academic files.
A ransomware payment compounded by the Covid-19 pandemic led to the closing of a historically Black college in Illinois. Lincoln College wasn’t alone. The New York Times reported 1,043 U.S. schools, including 26 colleges and universities, were the victims of ransomware attacks in 2021. TCU has beefed up security against the growing threat. The campus employs state-of-the-art strategies to protect its computer network from frequent hacking attempts. Faculty members have won federal grants to craft online cybersecurity labs — now used by students on at least three continents. And the Neeley School of Business requires business information system majors to take a course on cybersecurity. Some get snapped up by firms in the burgeoning field.
Cybercrime is a threat to most facets of 21st-century life. Staying safe from computer-related harm requires everyone to be a sentinel and to use the internet with safety in mind. Careless choices in the cyberworld can lead to catastrophic consequences in the physical one.
Anatomy of a Cyberattack
TCU’s technological defense team keeps the digital infrastructure secure.
Aaron Muñoz ’04 (MBA ’16) makes one thing clear: In the chaotic world of internet attacks, even educational institutions like TCU are targets of opportunistic hackers.
Cybercriminals can be just about anywhere, said Muñoz, assistant director for IT security at the university. During a two-day period in March 2022, he said, “We witnessed 18,000 different computers trying to hack into TCU computers.”
Thousands of those attempts originated in the United States; hundreds more arrived from Brazil and Mexico.
Muñoz said he believed that someone, perhaps in Russia, had marshalled thousands of computers by infecting them with malware and launching them as an army of bots. The hijacked machines used stolen or compromised usernames and passwords to try to gain access to TCU’s network in a brute force attack.
But Muñoz and his colleagues in TCU’s information technology division had armed the university’s network with an account lockout mechanism. By limiting the number of incorrect password guesses that could be submitted in a stretch of time, assaults were slowed to the point that brute force attacks were computationally infeasible.
The hackers “didn’t overwhelm us. They were guessing passwords and didn’t get a single one,” Muñoz said. “Part of the reason for it is our password policy. We enforce what’s called a lockout. After five incorrect password [tries], your account will lock, and it’ll stay locked for five minutes.
“A guess every five minutes slows the attackers’ efforts down to a crawl,” Muñoz said, “as opposed to a million guesses per minute.”
Across campus, students, faculty and staff passed by, unaware of the drama playing out in an anonymous-looking ground-level office in the Sid W. Richardson Building.
Muñoz said the first hint of an attack came on the night of March 22, when he noticed that he was locked out of his own TCU email account. His account was unlocked in five minutes when the system automatically reset, he said. “I thought it was just an anomaly.”
But the next morning his office received more than 10 calls reporting account locks. “That grabbed our attention and started us asking questions and digging further,” Muñoz said. “What were they after? Was it just nuisance, or were they trying to get personal information?”
His team didn’t know how malicious the breach attempt was. “It can be any number of things. This was not a phishing attack, where they come in and use these email accounts to send more spam or phish other organizations to basically harvest more accounts.”
Capturing a tcu.edu email address gives legitimacy to a fake message. “Every organization is vulnerable to this,” Muñoz said. “So that’s one potential goal of an attack.”
Or the hackers’ intention could have been to access TCU systems by exploiting the victim’s mailbox and contacts.
More worrisome, Muñoz said, is the fact that a mailbox can be linked to a personal investment account. By accessing an email account, a bad actor could gain access to an investment or savings account and drain assets.
“It could be even more nefarious,” he said. Hackers could compromise an administrative account to gain more access to the network and potentially start planting malware. With a stolen password, a university’s network could be shut down until a ransom is paid.
Sometimes the perpetrator is right on campus.
A homegrown attack involving a single computer keyboard led TCU to upgrade security protocols. In February 2018, a student switched a professor’s keyboard with one that logged keystrokes, including the password login.
The student then signed in as the professor and changed his grade for the course. News reports said a surveillance camera caught the student in the act. The student was expelled, and criminal charges were filed. The episode prompted the use of multifactor authentication, like an automated text request to confirm one’s identity.
A major concern for TCU is a distributed denial of service attack — an attempt to overwhelm a server or network with a flood of traffic — the sort that happened in March when an armada of virus-infected computers launched a coordinated assault. The answer, Muñoz said, is multifactor authentication login requirements that bots can’t easily break through.
“A weak link is when somebody uses Password1 as the password, or GoFrogs22,” Muñoz said.
Most internet users have trouble remembering numerous passwords, so many people use the same word on several websites. This is a bad practice, Muñoz said, particularly if a hack of an online merchant yields enormous amounts of personal information and dumps passwords en masse on the dark web.
There have been cases where a victim of a phishing attack resets the password in an easily discoverable way — like changing the compromised GoFrogs22 password to GoFrogs23, Muñoz said.
“We discourage folks from using a certain password pattern,” he said. “If your accounts have been broken into, stop using [the password] anywhere.”
TCU has avoided crippling attacks despite breach attempts arriving at least twice a month, Muñoz said. He credited a commitment to cybersecurity from the university’s highest levels.
Searching for an apt metaphor, Muñoz first compared the campus to a castle, then decided on a big ship.
“You may have a hole in one area, [but] you have compartments within the ship that if one area gets flooded, they prevent others from getting flooded too,” he said. “And so, much the same way, we try to put layers of security in place, making it harder for hackers to get in.
“If there is a breach, we limit the damage.”
Training for Attacks
The Neeley School of Business prepares students to protect companies’ sensitive information.
Kyle Deer had pursued internships with security-conscious corporations and felt confident he could handle potential online threats. Then the TCU senior took a course on cybersecurity in business. Deer said that until then, he hadn’t grasped how vulnerable the information on his personal computer and smartphone really was.
“There’s a very good chance all of your information is already out there on the dark web. We learned how [easily] passwords can be broken,” the Marine Corps veteran said of learning from Layne Bradley ’80 MBA, instructor of supply chain management. “We went into some detail on one thing — the assumption that nothing bad is going to happen because no one’s gotten my stuff yet. The reality is that there is a very good chance it could happen.”
Deer and all of his fellow business information system majors at the TCU Neeley School of Business must take Bradley’s course, Fundamentals of Cybersecurity, to graduate.
The course led to a deep-dive self-examination for Deer, he told the class. He recounted convincing his dubious wife of the merits of changing passwords on their laptops, phones, bank accounts, various subscriptions and apps, then signing up for a $105 a year antivirus service for peace of mind.
When passwords are stolen, people can find their bank accounts drained or discover a home mortgage taken out in their name in some far-off state.
The stakes can transcend financial devastation.
While doing research for a data analytics class, Deer came across a Wall Street Journal article about parents who sued an Alabama hospital, claiming their 9-month-old baby had died of inadequate care because its computers were paralyzed by ransomware.
In recent years, a string of high-profile ransomware attacks on hospitals, grocery chains and critical infrastructure has heightened interest in cybersecurity. Such attacks crippled the Colonial Pipeline, which reportedly paid $4.4 million to get operations running again, and the meat-packing giant JBS, which coughed up $11 million. The software firm Kaseya and some 1,500 clients were infected by the REvil/Sodinokibi virus, but Kaseya refused to pay the $70 million ransom, which was later reduced to $50 million before the Ukrainian hacker was arrested in neighboring Poland.
A 2019 IBM study estimated that the average data breach costs the target company $3.92 million, while “mega” breaches involving more than 50 million records were projected to run as much as $388 million. IBM’s X-Force Incident Response and Intelligence cited a White House assessment that NotPetya alone caused business disruption globally amounting to more than $10 billion in damages. Government Technology magazine quoted an IBM official as estimating that cybercriminals were costing the global economy $600 billion a year “with no signs of slowing down.”
As many established software companies, consulting firms and cybersecurity startups have learned, there are profits to be made countering or repairing ransomware attacks. Investors handed more than $12.2 billion to cybersecurity startups during the first half of 2021, The New York Times reported.
And the boom means job opportunities. In 2021, the U.S. Bureau of Labor Statistics projected job growth in information security to increase 31 percent by 2029, with increased demand in the public and private sectors.
Six years ago, members of Neeley’s Business Information Systems advisory board saw the looming trend and suggested adding cybersecurity to the curriculum, said Jeff Stratman, professor and chair of information systems and supply chain management.
One of the holes in the information systems program was cybersecurity education, Stratman said.
Bradley answered the call and developed a cybersecurity course for business information systems majors.
“Our expectation was that students were going to jump on it, but enrollment in the initial class was underwhelming,” Stratman said. “So we went back to our advisory board and said, ‘Look, are we pushing on a string here? There doesn’t seem to be demand for this kind of thing.’
“But they convinced us that the students didn’t appreciate the opportunity and that we needed to educate them in the skills they would need to be successful in the business world.”
Faculty heeded the advisory board’s advice and decided to make the course a requirement. Bradley brought in a number of guest speakers who, aside from discussing the breadth of the problem, told of ample job opportunities in the field.
Matthew Bowman ’22 said another Neeley course taught by Bradley, Securing Company Data, reset his job goals. “Before this class, I was familiar with the word cybersecurity but not with the details of what it really was. This course gave me a very well-rounded education into this field and helped drive my interest and desire to start my career in cybersecurity. If it were not for this course, I am not sure I would have decided to make the career choice that I did.”
The cybersecurity knowledge paid off when he was preparing for interviews with corporate recruiters, said Bowman, who in July joined Ernst & Young as a cybersecurity consultant.
Deer and a classmate, Nolan Dearborn ’22, demonstrated what business information systems majors could do in the cybersecurity field with their final project in Fundamentals of Cybersecurity. For the capstone project, they created an internet policies and procedures manual for a local defense contractor.
In the manual, they proposed a company policy that was tough on slackers. At a minimum, failure to comply with cybersecurity protocols would result in disciplinary counseling by a supervisor. Subsequent infractions, or any action posing a significant risk to the company, might result in termination as well as possible legal consequences.
Detailed in the proposed policy are the sort of emails that cannot be opened. Prohibitions exist to forbid sharing proprietary business information on instant messaging platforms other than the company’s secure internal system.
The student project also mandated cybersecurity training for new employees, along with subsequent check-ins by supervisors.
Then the pair described the procedure for off-boarding departing employees to protect sensitive company data. All of the used laptops and smart devices would be examined for evidence of proprietary files having been downloaded or exported. The company would also deactivate all of the departed employees’ accounts, preventing entry to company web portals and applications.
“The vast majority of the time the breaches really aren’t a technical problem. They’re a human process problem.”
Deer and Dearborn also addressed data breaches: If the leak was a result of a weak password, punitive measures would be taken against the irresponsible employee. If the company was attacked by malware, a specialist team would conduct a cybersecurity audit through a third-party vendor, change outdated systems and identify vulnerabilities. Should data be stolen, bank accounts would be frozen and all logins changed, and a cybersecurity consultant would be brought in to assess the damage.
Neeley is not training technical experts in cybersecurity, said Kelly Slaughter, associate professor of professional practice in information systems and supply chain management.
“Everyone thinks of cybersecurity as being a very technical issue and therefore [requiring] technical solutions,” Slaughter said, “but the vast majority of the time the breaches really aren’t a technical problem. They’re a human process problem.”
Slaughter cited the 2016 hack of the Democratic National Committee’s servers. While depicted as a technically sophisticated attack, the breach was actually quite rudimentary. A hacker sent an email to Hillary Clinton’s campaign chairman, John Podesta (and to 107 other email addresses), saying that his password had been stolen and he should change it by clicking on a link. He did so, giving the hacker access to the servers.
“What’s really neat about the cyber-security field is that you can make a career in it,” Slaughter said. “It’s going to be around for 20 years. It’s going to be around 30 years. It’s going to be around 40 years.”
Internet Defense 101
Liran Ma and Curby Alexander are making cybersecurity education free and accessible to all.
Liran Ma was at a Cub Scout outing when he saw a familiar face, another dad who was also a TCU faculty member. While the Scouts learned about fishing, Ma opened up about a dilemma he was facing in trying to spread the message about phishing.
Ma, professor of computer science, had been working with colleagues at the University of Washington and Georgia State University to develop online labs to teach best practices in cybersecurity. They were having scant luck landing funding to develop these innovative labs, which would teach college students how to counter computer/network-related attacks and other digital lapses.
The other father was Curby Alexander, an associate professor of professional practice in the College of Education. “It’s a funny story because I’m not in computer science,” Alexander said, “but I’m very techy because my PhD is in instructional technology.”
Ma confided that his group had gone through two unsuccessful tries for federal grant funding. The National Science Foundation kept responding with feedback saying the proposal needed a stronger plan for assessing student learning outcomes. Ma asked if Alexander would review his application and offer input.
Alexander said Ma and his partners, Zhipeng Cai, an associate professor at Georgia State University, and Wei Cheng, an associate professor at the University of Washington, Tacoma, needed to include a clear educational objective. Funders wanted measurements for assessing learning gains in order to understand what students would take away from the lab exercises.
“The next thing you know, Ma said, ‘We’re going to put you as a [co-principal investigator] on the project,’ ” Alexander said.
A few months later, during summer 2018, the foundation funded the $250,000 proposal.
“It was serendipitous the way I got involved,” Alexander said, “because I have no background in computer science or cyber, but I have a lot of background in measuring student learning gains.”
In spring 2019, the four-party collaboration earned a second round of federal funding. A beta version of their project, Eureka Labs, is now online at eurekalabs.net. The web resource offers tutorials on how to stay safe on the internet. “Our goal is to provide learners and educators with free, easy-to-use and high quality security education materials,” the site says.
“I have no background in computer science or cyber, but I have a lot of background in measuring student learning gains.”
So far, Ma and his collaborators have released 28 hands-on labs and tutorials, based on authentic scenarios, aimed at instilling cybersecurity concepts and principles. These real-world threats can infect computer networks, mobile phones and databases. Each exercise is ranked by level of difficulty — fundamental, advanced and challenging.
The lessons have catchy names to make them more appealing:
Bleeding Heart refers to the catastrophic Heartbleed computer bug, which is capable of scraping a server’s memory.
Zombie Apocalypse shows how a computer can be overwhelmed with internal message requests or pings, causing it to become inaccessible to normal traffic, also called a denial of service attack.
The Evil Twin attacks lesson refers to nearly identical but fake Wi-Fi access points that snare the unwary and capture whatever data passes through the imposter.
This POODLE Bites! describes an attack used to steal information, including passwords, from secure internet connections.
In WEP Cracking, the site details how Wi-Fi connections have weaknesses that can be exploited by nefarious hackers.
“This lab shows students the vulnerabilities, explains the concepts — why the attacks are possible and how you defend [against] them,” Ma said. “If you download the lab manuals you actually can see the steps of how [attacks] can be launched.”
The student is then shown how the hacking attempts can be circumvented.
Ma said tens of thousands of people have accessed the Eureka Labs website, including users in India, Japan, Germany, Britain and China, where 30 universities have used the tutorials.
Alexander’s evaluation results have demonstrated that the labs help the students learn. Students have indicated that they adequately grasped the security concepts, and also that they enjoyed the learning process. Some commented, “The labs are so much FUN.”