By Mary Wang. December 3, 2018.
October may just be my favorite month.
It reminds me of falling leaves, candy, Halloween, horror movies, midterms, and, after this year, cybersecurity. Established by the Department of Homeland Security and National Cybersecurity Alliance in 2004, October is National Cybersecurity Awareness Month.
On October 9, I volunteered for an event hosted by Duke’s Office of Information Technology (OIT)—Sensitive Data Management for Researchers—which was one of the many events that OIT hosted during the month. At the event, Andy Ingham from Duke Research Computing identified common data types, and how different organizations and boards at Duke provide resources to protect said data during and after project use. These organizations include the Institutional Review Board, Office of Research Support, and Information Technology Security Office.
Not being a researcher myself, I was not even aware of the different classifications at Duke for levels of required data protection. As Ingham spelled out the differences between sensitive, restricted, and public data, I listened closely. He explained that sensitive data is high risk and may be defined by law or institutional risk mitigation; restricted data is the default middle option; and public data, as per the name, includes data accessible to the general public. Interestingly, in the examples he gave, research could fall under any of the categories depending on the circumstances.
The example that stuck with me, however—as Ingham went on to cover FERPA and HIPAA standards, the Protected Network, the difference between Duke research and Duke Health research, and other resources for researchers—was “prospective student information.” I was a prospective student just last year, putting my data squarely in this category. I wondered how my data was classified and was, thankfully, content with the answer: sensitive.
Near the end of the event, Ingham emphasized seeking help if needed. There are many cybersecurity resources and personnel available at Duke, and no one has to tackle the issue alone. Only half joking, he told the audience that if there was one part of his presentation he wanted them to remember, it was how to contact him.
While the event concluded after an hour and a half, the campaign for cybersecurity awareness did not and neither did my time volunteering. Sitting at a table to the side with OIT merchandise spread out in front of me, I offered one of several items to participants: an OIT pen, a webcam cover, or a sticker for cybersecurity awareness. Though the most popular item was the camera cover, several participants also took a pen—which had engraved on it a link to a quiz on phishing.
Phishing is the tactic of sending fraudulent emails, made to look reputable by imitating a real organization such as Duke, to lure recipients into revealing personal information, including credit card numbers and passwords. Despite its simplicity, the attack is incredibly common and quite often leads to major data breaches or other security incidents. The quiz on phishing was created by OIT to increase awareness, a timely warning as more than 200 individuals affiliated with Duke University were targeted in a phishing attack in July.
I’m glad to report that I only missed one question on the quiz. (Unfortunately, I did not win the drawing for the grand prize of an Apple Watch.) Even still, that one question could have been one question too many; it only takes a single click on a fake hyperlink for an organization’s security defenses to be breached, and phishing is not the only scam tactic used to achieve that end. Having general cyber hygiene education—e.g., about using strong passwords and updating software—is therefore incredibly important to maintaining strong cybersecurity.
As stated by the FBI, National Cybersecurity Awareness Month serves to “provide a reminder that each of us has the power to make the Internet safer and more secure.” Looking back on October, I was more than reminded of this power and, tied to it, responsibility.
Thankfully, though each of us should take individual actions in the service of good cyber hygiene, I learned from Andy Ingham and Duke OIT that we don’t have to face the daunting world of cybersecurity alone. Within Duke University, there are cybersecurity resources ranging from help on research data protection methods to guidelines on how to avoid phishing.
If you ever don’t know where to start, check https://security.duke.edu!
Mary Wang is a first-year majoring in computer science and a member of the Duke Cyber Team.