In an attempt to improve cybersecurity at the University, Yale Information Technology Services has introduced an additional security screening to all incoming Yale emails.
The change will largely affect hyperlinks in email messages, examining web addresses outside of Yale’s network for malicious software or outside attempts to acquire sensitive information. In particular, the measures are aimed at combating malware and phishing attempts. Chief Information Security Officer Richard Mikelinich and Associate Chief Information Officer Jeff Capuano announced the new measures in an email to all students, faculty and staff on Dec. 12.
“Incidents with email and phishing were impacting the email reputation of Yale and as a consequence some email vendors would limit or deny Yale email,” Associate Director of Strategic Communications for ITS Susan West wrote in an email. “These conditions required a response to restore the normal flow of email communications.”
West said all links in emails — excluding web addresses that include yale.edu websites — would now be filtered against a list of known “hostile locations.” Links in an email will be rewritten by the Targeted Attack Protection, a comprehensive email security service, and be replaced by a longer URL. West added that the protection is needed since outside parties send emails to Yale accounts in an attempt to obtain Yale credentials, which are then used for a variety of illegal activities including identity theft, financial fraud and spamming.
West said that since the implementation of the new security layer last month, some emails have experienced issues with the rewriting of the web address. She said that Yale ITS has since adjusted the software to prevent this type of glitch from happening in the future.
Joanna Grama, director of the cyber security at EDUCAUSE, a nonprofit association for information technology in higher education, said colleges and universities often face unique challenges in the information security realm because of the transparent and collaborative nature of research and education environments. She added that while she could not comment on the efficacy of Yale’s specific security control, many spam and phishing attempts often rely upon links embedded in an email.
“Even in a well-informed community, users may inadvertently click on a link, particularly if an email is well-crafted,” she said. “Identifying and blocking or redirecting these hyperlinks can reduce such incidents and improve overall information security.”
Kevin Jones, senior information security engineer for Thycotic Software, an IT security firm, noted that cyber security is always about multiple defenses since no system can ever be perfectly secure.
He added that “educating the user” is often the strongest form of defense, specifically communicating to faculty and students the university’s policy regarding the solicitation of social security and other sensitive financial information.
“Emails are a tricky thing to defend against since they are often used for legitimate purposes; technology has a hard time differentiating between legitimate and bad email,” Jones said. “Ensuring people have the right knowledge to make good decisions is always a good first step.”
Despite the campus-wide email announcements, none of the six students interviewed — including three ITS student technicians — were aware of the changes or noticed anything different in their email links since returning from winter break.
According to ITS policy, no email from Yale ITS will ever ask students or faculty to validate, confirm or update personal information and passwords.