
JSU improves cybersecurity in light of February breach

By Marie McBurnett

Special to The Chanticleer

Jacksonville State University is instituting changes in the way it handles data on its server due to a security breach in February – but it could have been worse.

Vinson Houston, JSU’s chief information officer in the information technology department, said in an interview that it is one of his department’s responsibilities to ensure data – including everything from fraternity affiliation to credit card accounts – stays out of the hands of potential threats.

“We do the programming and maintenance for the centralized software the university uses to run its day-to-day operations that students utilize to pay their bills, manage their accounts and those type things,” Houston said.

The university currently has two firewalls: a primary firewall that faces outward and an internal firewall that faces in to protect enterprise data.

Thomas Madden, a retired federal Chief Information Security Officer for the Centers of Disease Control, compared computer firewalls to what firewalls were before the computer era.

“Original firewalls are in vehicles. They are in between the engine and the driver. Computer firewalls are the same way,” Madden said in an interview. “They stop attacks from coming in from the outside, and they aren’t bulletproof.”

Houston said the university pays around $90,000 to $100,000 for its firewall.

In February 2016, JSU student and faculty information was published on a website which stated it was untraceable. The website included pictures, classification, birthdays, organizational affiliations, student numbers and addresses of current students, graduates and faculty.

While JSU’s Department of Information Technology and law enforcement had tracked down the website publisher and shut down the website in less than a week, the university could suffer from decreased reliability in cybersecurity.

According to a study conducted in June 2016 by the Ponemon Institute, the largest financial downfall to an organization after a security breach is the loss of trust between the business and its customers. The study also highlighted the root causes of data breach and some major positive and negative factors that influence the cost of breaches.


Factors that decrease costs of a breach per capita:

  • Incident response team ($16)
  • Extensive use of encryption ($13)
  • Employee training ($9)
  • Participation in threat training ($9)
  • BCM involvement ($9)
  • Use of DLP ($8)
  • CISO appointed ($7)
  • Board-level involvement ($6)
  • Data classification schema ($5)
  • Insurance protection ($5)

Factors that increase cost of a breach per capita:

  • Provision of ID protection (-$3)
  • Consultants engaged (-$5)
  • Lost or stolen devices (-$5)
  • Rush to notify (-$6)
  • Extensive cloud migration (-$12)
  • Third party involvement (-$14)

The breach in February did not include much more than directory information, but the university began implementing a few strategies listed by the Ponemon Institute study, including security consultants and employee training.

“We are currently working with a security consultation firm to help us improve our security posture,” said Houston.

According to him, the university and the firm began a relationship a few months ago. He declined to give the name of the companies involved and the cost of the consultation and evaluation. He said this was the first year JSU has consulted for security evaluation and it looked like it was something they would take part in on an annual basis.

A cybersecurity consultant can cost “a couple thousand if you hire someone fresh out of college,” said Madden. He said that for a more renowned consultant, it can cost $50,000 or more per year.

“We work with multiple companies,” said university counsel Sam Monk in an email. “We have consulted with one firm that surveyed practices and procedures to help us identify any operational matters that should be addressed.”

The company’s report and the cybersecurity plan that will follow will only be discussed on a “need-to-know basis,” said Monk. The email went on to say the firm JSU hired was an Alabama company that has a “special knowledge of issues peculiar to higher education applications, processes and regulatory requirements.”

These companies, according to Madden, employ white hat hackers – or hackers who hack into networks in an effort to reveal weaknesses – in an effort to penetrate a system remotely, after which they are known as a “trusted insider.” When these hackers get inside, Madden said, they try to increase their privileges in order to create their own account. If they achieve that, they have free range of the system.

In addition to testing penetration, JSU’s consultants also “reviewed different policies and procedures and looked at adding additional training,” said Houston.

Another responsibility of the consultants was to hold different social engineering projects.

Houston said the consultants who visited the campus would plant storage devices with malware on them. The hackers could then “sit at the back of your computer and watch you” if someone plugged it into a computer.

Houston said they could attempt to phish users by sending emails from jsu.com or from a JSU-linked email account.

“They went in different offices to see kind of what’s going on, or they were lost or looking for something and they would observe and drop a flash drive to see what happens,” Houston said in reference to the white hat hackers.

“A lot of it falls back on employees and how they manage data they have access to,” said Houston.

According to a study published by Symantec in April 2015, universities are one of the top targets for security breach.


Madden attributed this to the day-to-day data flow.

“A lot of people use the same network every day,” he said. “Universities are a waypoint for stolen documents and it gives the adversary deniability. With the data flow, it acts like camouflage.”

Madden also said that with all the credit card accounts linked to a university’s networks, there is a “treasure trove” for hackers.

According to Symantec’s research, while the education sector was at the top for incidents of security breach, it was near the bottom in identities exposed. This could mean that hackers are looking for something other than identities to steal.


“We’ve been more fortunate than all our peer institutions,” Houston said in reference to the number of JSU’s breach occurrences. “Part of that could be we aren’t really a research institution.”

He said that targets for hackers are institutions that research diseases and have other trade secrets that may be desirable to someone else.

“If you look at the number of instances we’ve had compared to the number of instances they’ve had, theirs has been far more disruptive, being the type of information exposed,” said Houston, also pointing out JSU has not had a full-time staff dedicated to cybersecurity like other institutions.

Houston said the incident in February was not as bad as it could have been.

“You don’t want people’s photos out there and their home addresses and their classification, but that goes back to a matter of an internal compromise,” he said. “We had some student workers that had their credentials exposed. And as a result, that allowed this person to gain access to the system, to allow them to extract some information that otherwise he would not have had access to.”

Someone familiar with the incident said they knew both students arrested in connection to the security breach. One of the people arrested was a juvenile, and due to Alabama law, is subject to anonymity. Another student, Kurt Nilsson, 21, was arrested for hindering prosecution of the case.

“As far as I knew, they were just friends. I saw them hanging out a lot,” the source said. “It was generally accepted that Kurt gave his password over, whether he knew what the other fellow was planning on doing, I don’t know, however, my impression was not that he was coerced or that the information was taken.”

When asked how they knew that Nilsson gave up his credentials to the juvenile, the source said “he was fired, and then it was in the paper that he was arrested.”

Nilsson, according to the source, was a residential assistant in Dixon Hall at the time of the breach.

“JSU turned the case over to state and federal law enforcement agencies,” Monk said in his email. “We can make no comment on the status of the case.”

Monk did not know who Nilsson was and Houston declined to answer specific questions about the people involved in the case.

“Our IT team put together pieces of a story and the pieces started to fit,” Houston said regarding the investigation to find the person behind the website. “We gathered non-technical information and saw what made sense.”

Asked whether there was a connection between the security consultation and the breach in February, Houston said: “Absolutely. We wanted to respond aggressively to identify any areas of weaknesses.”

In addition to the security firm, Houston cited FERPA training as an effort to educate employees of the university about the information they have access to and what information they can legally give out.

“If you have a key to the front door, I don’t care how good your alarm system is, and hackers know that,” said Houston, referring to internal threats to cybersecurity.

“Everything runs on computers and chips,” said Madden. It’s possible to hack into a network through an air conditioning unit or a copier, he said.

“You could have the best security system in the world, and at the end of the day you can get hacked,” said Houston. “You just have to do such things to show diligence, to show that you’re making a best case effort to protect your clients, which in our case is our students.”

One last layout: reflecting on my days as Chanticleer editor

This is my official goodbye to an old friend. I started working at The Chanticleer when it had a few hundred likes on Facebook and a big office in Self Hall.

Even though the office is smaller now, the likes continue to grow.

The Chanticleer is taking its place among all newspapers, pushing its online presence.

Even though JSU’s newspaper costs nothing to the public to read, and doesn’t generate profit of its own, it still needs to push its online presence like papers that do generate a profit.

It’s as Dr. John Hammett, Dean of the College of Education and Professional Studies said at the communication department’s banquet last week, “This department teaches skills that you’ll need in your profession.”

I definitely can’t argue with that. Working as editor, I learned there is no paper without leadership, and there is no leadership without mutual respect.

The same can be said of any group. There may be a “group leader,” but leadership means nothing if no one respects one another.

I learned this fact last October, the same month I learned how much The Chanticleer actually means to me.

Many of the paper’s former writers link online portfolios to our website, including myself and my editorial staff. When I discovered The Chanticleer’s website was deleted, I was devastated.

After a week of investigating online forums, WordPress restored the website with all the content still intact. When this happened, The Chanticleer transformed from a student project to a personal one.

In my time here I’ve had the opportunity to speak to Rick Bragg, my role model.

I’ve listened to a world-renowned journalist speak at the Ayers Lecture; I’ve seen a university president retire.

I’ve written about a data breach, and run across campus to take pictures of vandalism before it was cleaned.

I got the opportunity to speak to business owners in Jacksonville. I even got to produce the issue when JSU went to the national championships.

And this one, my last issue, the one where JSU inaugurates a new president.

Teamwork is the biggest thing that one can learn working in student media. The Chanticleer works closely with WLJS, the campus radio, the other half of JSU’s student media.

When it comes to applying skills, the student media combine, and concentrations don’t mean as much. Working with such a tight-knit group of students results in friendships that could last a lifetime.

It feels like only a short time ago that the former editor, Kara Coleman, was teaching me the ropes of managing a student newspaper. Now, I’m getting ready to teach the next editor how to do the same thing.

I’ve seen a lot of chairs in this office empty, and now it’s time for mine to empty.

Marie McBurnett
Editor-in-Chief

Century divide: Teaching with technology

A man walks into a classroom and takes off his coat. His slacks are tailored and his shirt tucked. His shoes are quiet against the cold floor as he takes his seat, prepared to learn. The room fills with others wearing the same sort of clothing. There are idle murmurs of civil rights and chatter about the Vietnam War, along with silent sorrow in remembrance for an assassinated president. The professor, dressed as professionally as the students, enters and immediately begins to lecture in his low and muddled tone. Scrambled scratches of pen against paper are heard in the empty hall outside as the students struggle to keep up with the professor’s voice.

But nowadays the ones scrambling to keep up are the professors, the ones that worked to build their careers in the 20th Century, when the World Wide Web was just a thought and the only clicks heard were those from Remington typewriters.

Within only a few decades, students began to dress more casually and clicks replaced pen scratches. Dr. George Lauderbaugh, professor of history at Jacksonville State University, still values those pen scratches he heard in 1963 as a freshman at Davis and Elkins College in West Virginia. “People teach the way they were taught,” he shrugs at his office desk. A floor-to-ceiling bookshelf covers his main wall and a desktop computer wheezes in another corner. A Samsung flip phone sits idly on his paper-covered desk.

Lauderbaugh is going through a slower adjustment period compared to other professors when it comes to using technology as an aid in the classroom. He used an overhead projector until spring 2013, while many were already implementing Apple TV in their classrooms. It was in that semester that he began using his own PowerPoint presentations on a screen projector.

“I got rid of the overhead projector and now all my lectures are on PowerPoint, but I don’t see much difference between it except it’s easier to use than a slide projector,” he says. “It allows for brighter colors too.”

This reluctance is not present only in the 21st Century, however. When Lauderbaugh attended college as an undergraduate it seems his professors enjoyed a strict lecture method. “We had overheads since the late 50s, but very few of my professors used them in college,” he says.

The biggest technology he had as an undergrad was something they call Corrasable Bond Paper. This is a type of typewriter paper that, if someone makes a mistake, can be erased by using a pencil eraser. “You didn’t have to use whiteout,” says Lauderbaugh.

The emergence of email in the 90s brought in a new world of technology to classrooms. “I had a professor that pushed us to use email, and he introduced us to the World Wide Web, but most of it was done the old-fashioned way,” says Lauderbaugh, who attended graduate school from 1993-1997, after retiring from the United States Air Force.

While some professors are slowly adapting to a new age of intense technology, a new program at JSU requires certain instructors use that same technology – and be evaluated on how effective it is.

The Quality Enhancement Plan (QEP) is a 5-year plan designed to enhance student learning by using more technology in the classroom. The plan depends on faculty mentors to teach students of the 21st century. Spearheaded by Director of Faculty Commons Gena Christopher, JSU’s Office of Faculty Commons houses the plan, and is required to train certain instructors of specific 100-200 level courses across the campus to teach these students with the tools they already know how to use best.

These instructors, as well as students in their “QEP class,” get in-demand products. The instructors receive a Macbook and an iPad, while students in the classes receive an iPad, says Christopher. Students use these iPads “to develop active learning strategies in that class and they have to emphasize critical thinking because that is what our QEP is about,” Christopher says as she sits on her leather office chair, her iPhone ringing in the background. Her office has a glass erasable board and her large, wooden desk holds one of the latest models of iMac desktop computers. Attached to her office is a conference room with tables and red chairs. The smell of coffee drifts into the hallways of the second floor of Self Hall.

Faculty commons is also a place where faculty members can get together and collaborate about techniques that work in the classroom. Some, like Lauderbaugh, are apprehensive about the office and the program. “I don’t have a problem with technology in and of itself,” Lauderbaugh clarifies, “I make students turn off their phones, which I think some people in our technology department don’t think we should do.”

Lauderbaugh lets students who ask to take notes on their devices use them in class, but he points out that very few students ask permission. “Part of what I’m trying to do is to teach communicative skills, and the skill that JSU students are weakest in is listening.”

Another professor at JSU, Dr. Jeremiah Russell, an assistant professor in the department of political science and public administration, holds a view similar to Lauderbaugh’s. “I am fully aware that the current trend in education, not just higher education, is to increase the use of technology. I think technology should be kept to a minimum in the classroom,” he says in an email interview. Russell was an undergraduate from 1996-2001 and completed his second master’s degree by 2006 and his doctorate in 2010.

“A typical day in an undergraduate course for me was sitting in my desk taking notes on paper while the professor lectured, writing important points on a chalkboard,” Russell says, and not much changed between the way he was taught and his own teaching methods. All he did was trade chalk dust for marker fumes. “In most of my courses, I use just three things—a book, a white board, and a dry-erase marker.”

Russell is like Lauderbaugh in that the use of technology in his classroom is only on an as-needed basis. Any other time, phones are not permitted. Unlike Lauderbaugh, Russell owns a smartphone – a Nokia Windows phone. Outside the classroom, he uses technology often. He has a Twitter account, an iPad and a Roku. “I wouldn’t say technology has changed me personally. It has, however, helped me in my profession.”

While some are excited about what opportunities the QEP will bring, others are a little more skeptical. Russell commends JSU’s administration for trying to focus on critical thinking, but “I simply think that faculty should pause to consider the negatives related to the use of technology in the classroom, which have been demonstrated in several recent studies, not only its benefits,” he says.

When asked about the QEP, Lauderbaugh chuckled and shook his head, “In some respects, it didn’t get off to a good start in some areas.”

His grin faded and his eyebrows raised over his glasses, “There is a perception, and it may not be accurate, but a big mistake made was to infer, probably unintentionally, that I am not a ‘real professor.’ One of their invitations was for me to go listen to a ‘real professor,’ which infers I’m not a real professor.” Lauderbaugh suggests that the invitation should have used the word “virtual” instead of “real.”

“So I think that has clouded some enthusiasm for technology,” says Lauderbaugh.

These scenarios could feed an us-against-them ideology among some of JSU’s faculty. In one corner, there are the pro-pen scratch professors that don’t have adequate training in technology, or just don’t care to use it. In another corner, there is the QEP, a plan whose goal is to promote critical thinking through technology.

Lauderbaugh is not opposed to using more technology, but he wants training. “Our people in technology try hard to train us, but I think they don’t have enough people. They’re spread pretty thin, too,” he says. “I would want state-of-the-art equipment, and I wouldn’t allow it to replace the lecture completely.”

Russell believes that technology makes the human race less connected. “I think technology can have a negative impact on our democratic society. It can make us more individualistic, more isolated, more self-interested, less able to interact with others and less willing to show compassion to our neighbors,” he says.

Christopher says, “Technology isn’t always the answer for every teacher. Some teachers are good lecturers. The problem is when teaching isn’t happening. I heard someone say ‘teaching without learning is just talking,’ and I think that is a powerful quote.”

These QEP classes that faculty mentors teach are beginning to touch Russell’s and Lauderbaugh’s departments. Freshmen are the focus of the QEP, since these classes will be survey or entry-level courses. “It will eventually be weird to them if there isn’t technology in the class. We do need to teach them to use technology for learning in appropriate ways. They might not know how to do sound research online, and that’s such an important skill for students to have.”

Some voice concern over the in-class learning techniques if technology is involved. “No one is naïve enough to believe that students with laptops, iPads or smartphones do not check social media or visit websites during class,” says Russell.

Lauderbaugh agrees with this premise. “It’s hard to keep students from distractions for an hour. If there’s technology being used in the classroom, I want it to be my technology.”

Student distraction is a concern for professors, and for faculty commons, an even bigger concern is teaching students how to use technology for class-appropriate reasons. “We’re learning, as the faculty mentors go out and teach their classes, that we think we know that students know how to use technology, when they really know how to socialize,” says Christopher. “Students are gonna make choices and I think that high school kids are going to expect to have more and more active engaged classes.”

According to the faculty commons website, after the 5-year training and teaching cycle is up, the Southern Association of Colleges and Schools (SACS) will receive an information report and give the university feedback on techniques it used to employ technology in the classroom. “The QEP will start again in 5 years after its 5-year cycle. The faculty commons will continue to operate and remain a place for faculty,” says Christopher. After SACS gives JSU feedback, the QEP will start over.

So like it or not, the QEP won’t be going anywhere, nor will the administration’s push to use technology as an aid for instructors. “We aren’t forcing technology on anyone and technology can be a tool or a toy, and we fought electronic devices for a long time,” says Christopher, leaning back in her chair. “We began to realize they can be valuable.”

“I want them to learn and if that takes me being willing to get out of my comfort zone, I think that’s okay because we ask university students every day of their lives to step out of their comfort zones in our classes,” Christopher says.

So for now, instructors have complete freedom in their classrooms to use whatever teaching methods they wish, whether it be slide projectors, PowerPoints or – for some who prefer scratches over clicks – nothing but a mouth and words.

Marie McBurnett
Editor-in-Chief

Student, faculty information compromised

JSU discovered a website Tuesday providing information about students, including pictures, addresses, student numbers, birthdates and members of sororities and fraternities.

The street addresses were taken off the site Tuesday afternoon. It also has information on faculty members and recent graduates.

The Chanticleer is not releasing the name of the site due to the sensitive information it contains.

JSU posted on Facebook when it became aware of the website’s existence. “This matter is being investigated internally as well as by state and federal law enforcement agencies,” the post stated.

“An individual has been arrested by order of the District Court of Calhoun County and is being detained by the Coosa Valley Regional Detention Center,” Public Relations Director Buffy Lockette said in a text message Wednesday night.

The top of the site reads that the maintainers “aim to remain mostly anonymous,” and urge visitors of the site to use the information responsibly. A press release written by JSU urged students to change their passwords for their student logins and email.

The site also states it “was made to bring awareness to JSU’s information security problems.” It also reads that it “shares limited information for your security.”

According to searchservervirtualization.techtarget.com, “a single computer can have several VPSs, each one with its own operating system that runs the hosting software for a particular user.”

The owner of the site claims to live in Russia, to have a Virtual Private Server in Bulgaria and the domain in Switzerland and for those who want to shut it down to “start buying tickets.”

A press release by JSU on Wednesday afternoon stated that “a student suspect has been identified and questioned.” The identity of the suspect was not given because they are a juvenile.

“We have no evidence of social security numbers, credit cards, or any other banking information has been accessed,” the release stated.

“I think students are surprised by how much information is on the web… But you can get all of that information from the Yellow Pages and your Facebook site,” SGA President Tyler Brown said through a text message.

Mysterious powder causes Self Hall evacuation, cancellation of classes

On Monday, several police cars and firetrucks lined Forney Avenue, blocking the entrance to Self Hall due to a white powder substance scattered on the floor.

Jacksonville State University Police (UPD), along with the Jacksonville Fire Department (JFD) and the Anniston Fire Department (AFD), evacuated all students and faculty, and closed the building from 9:30 a.m. to 1:30 p.m.

“A cleaning detergent can was found on the scene, but UPD wanted to run additional tests on the substance just in case,” said Buffy Lockette, director of public relations at JSU.

The AFD ran several tests on the powder substance and confirmed that it was a cleaning detergent, according to Lockette.

Assistant Professor of Communication Jerry Chandler barely missed whoever was allegedly responsible for the incident.

“I was going upstairs to my intro class at about a quarter after 9 in the morning up the center stairway and there was nothing abnormal. I came back down the stairway 5, maybe 10 minutes later to get something I left in my office and there was powder sprinkled at fairly heavy volume all over the stairway.”

Chandler’s first thought was “the cleaning folks are going to clean the floor,” but one of the women that works with cleaning services told him they were not planning on cleaning the floor.

“My initial thought after I found out that it was not for cleaning, was that it might be anthrax. Then I thought that if they did that in such great volumes, they’d be dead too,” Chandler said.

He called UPD and they arrived very quickly. Attempts to reach UPD Chief Shawn Giddy were successful, but he directed questions to Lockette. JFD officials, who were on the scene Monday, could not be reached for comment.

Chandler said, “if it was a prank, it was a prank in very poor taste,” and “I can’t help but think the person who did it needs help.”

UPD is in the middle of an investigation and is trying to determine if they will press criminal charges. They are asking any students or faculty who know anything about the incident to contact them.

Self Hall houses the communication department, the campus radio, campus newspaper, and educational technology department.

Marie McBurnett
Editor-in-Chief