Facing an increasingly complex cybersecurity landscape, Yale’s Information Technology Services debuted an interactive e-learning training module to the Yale community last week in order to raise awareness of the dangers of phishing.
According to the ITS website, phishing is a technique that uses email servers to fraudulently obtain private information. The Phishing Awareness Training module can be found on the ITS website and aims to help users recognize email threats and implement proper procedures for countering the threats. Although most students and professors interviewed were unaware of the new training module, they acknowledged the dangers of phishing attacks and proposed alternative methods of combating cyber theft.
“There is some truth to ITS’s claim that ‘web security is your responsibility’, but it’s a joint responsibility,” professor of computer science Michael Fischer said, adding that ITS could take additional measures to combat cyber threats against the Yale community.
The Phishing Awareness Training, which is open to all Yale staff, faculty and students, includes interactive quizzes and an informative slideshow. The training module covers a wide range of topics related to cyber theft by introducing the concepts of phishing, social engineering and malware — programs that steal information from computer hard drives. Victims of phishing may accidentally divulge essential information such as their social security number, direct deposit information and student data, according to the presentation.
The training module also provides examples of several common phishing techniques, such as the impersonation of yale.edu email addresses and fraudulent Yale login pages that tempt students to enter login information. Users are shown fake Yale emails and login pages and are asked to spot the mistakes in the forgeries.
Three of five computer science professors interviewed said they had heard of one training material, while only out of 10 students said they knew of it.
Computer science professor Michael Fischer said it is difficult to protect a large institution and all its members from cyber attacks. He said recent examples involving major companies, such as Sony, falling victim to cyber attacks showcase this difficulty.
“The general sentiment in the security community right now is that any organization will be hacked; it’s just a matter of time,” Fischer said.
Nevertheless, Fischer said he believes there are steps ITS and the University can take to better protect students and faculty from phishing and other cyber attacks. He said one of the most dangerous types of phishing at Yale is emails that ask students to take counterfeit surveys or update their information and that are signed as if from University authorities — often pretending to be ITS itself. In the face of such threats, Yale could make an official website for people to find the exact time, sender and content of all emails sent by University authorities, Fischer said.
Associate professor of computer science Bryan Ford, who specializes in cybersecurity, said the email phishing threat can be countered using an authentication system — called DomainKeys Identified Mail — that blocks emails that come from outside the Yale network but use a false Yale address. This technology is already supported by Google and Google Apps, through which Yale’s email portal, EliApps, already operates.
But students interviewed said they believe that the most important defense is still for individuals to be aware of phishing risks and to stay alert. A good preventative is hiring a cyber security company.
John Roethle ’17 said he was once a victim of a phishing attack when he mistakenly gave his account information for a video game to a counterfeit version of the website he usually used. Roethle said he has educated himself about phishing and stayed away from suspicious emails and links since.
Still, Nils Metter ’18 said ITS could better inform students about cyber attacks that are happening in the community.
“If ITS discloses how many attacks and frauds happen every year at Yale, and how many were stopped, I would have a much better sense of [whether the Yale network is secure enough,]” he said.
ITS introduced an additional security screening to all incoming Yale emails last month.