Some services remain suspended after phishing fallout
Digital communications in some areas of the college continue to be limited as a result of increased security efforts in the wake of the ongoing phishing fallout.
An hour after the threat was identified on Jan. 29, the communication systems at the college started to shut down in a domino effect to protect staff and students from malicious threats.
Other digital services went down too.
“It’s not just the VPN we restricted access to,” said Doug Wotherspoon, vice president of innovation and strategy, in an interview with the Times on March 8.
“The VPN is the pipeline into all services at the college, not one program. If you get in to VPN you have access. When someone gets phished it’s like the key to the house. You can get the key to the room or you can get the key to the house; VPN is the key of the house.”
Wotherspoon said the college is targeted by phishing attacks constantly.
“We have phishing attacks every single day; we did not turn things off previously. This was a much more planned effort so that’s why we turned things off,” said Wotherspoon.
“The reality is that with phishing, I think we blocked like 300,000 [spam emails] yesterday.”
The sender of this attack showed a significantly higher level of sophistication than anyone the college has seen before.
“What was different this time in comparison to other phish is that it came from an employee’s email. This was sent from within our system; they already had access to people’s accounts,” Wotherspoon said.
The VPN will undergo some drastic changes before becoming accessible to students and staff. Wotherspoon would like to see the system modified so that a hierarchy determines who gets access to what information.
“So we’re going to switch; VPN should only be used for, you know, high level folks. We’re in the midst of implementing that [multi factor authentication] but we’re not turning on broad access to VPN until we put in more checks,” he said.
Multi-factor authentication is a method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authenticating system. An example could be having to type in a code online that was sent via text message, or selecting how many photos have a street sign in them prior to getting access.
Single-factor authentication systems are more basic. If you’re able to get someone else’s credentials, you immediately have complete access to their accounts and information.
Along with VPN, email inaccessibility for some faculty has been a growing concern around the college. However, Wotherspoon said that would be turned back on March 11.
He added that further development will be needed so that systems are not triggered when someone from the Algonquin network legitimately leaves the country or dials in remotely.
“How do you both block that but at the same time learn from and create from that — and so that’s the multi-factor authentication,” he said.
On top of that, if updates are not made regularly, the effectiveness and security of the products are questionable and they are not being used to their fullest potential.
“It’s an ongoing battle. They get more sophisticated, we get more sophisticated. Or we need to partner with organizations that are with software that is.
“What we did in the past was buy a piece of product in 2010, but we wouldn’t buy the updated versions of it, and if you don’t purchase the latest version it gets you less and less secure,” said Wotherspoon.
Workday is rolling out version 32 to Algonquin College in the coming days.
The college’s phonebook, which was published on the campus website, had also been taken down for security reasons. The phonebook housed the entire faculty contact list and was taken down two days before the phishing.
“The phonebook went down for security; at this point I’m not sure that we’re going to put it back up,” said president Cheryl Jensen.
Wotherspoon said the college doesn’t want to make the phonebook accessible to everyone. “You can run scripts on that in the old way that just harvests all of that data. And that’s just too easy,” said Wotherspoon.
Algonquin had sent a number of email memos to its faculty, staff and students advising them of the many malicious threats made against the college over the years.
On Feb. 8, 2016, in a memo addressed to faculty, students and staff, the college announced that there had been an influx of phishing/spam emails. Some people's accounts had been compromised after they clicked on a link without realizing it was malicious and went on to enter personal information.
On Aug. 20, 2018, a memo addressed to faculty, staff and students reported more instances where a significant number of accounts had been compromised due to phishing emails.
“We’ve taken action to block the emails, delete many that were delivered and monitor AC accounts for suspicious activities, however given the volume of email that is transmitted every day, it is impossible to eliminate all instances,” said the memo by Algonquin College ITS.
On Oct. 26, 2018, another memo was sent out to college staff and faculty advising that employees’ emails were again being targeted by malicious phishing attacks. ITS asked anyone who received an email to contact them directly and to change all of their passwords.
An article published online by Seyfarth Shaw on May 1, 2017 stated that another institution that used Workday had been targeted by fraudulent activity. Their attack, much like Algonquin’s, involved a well-crafted spam email that was sent to the CFO, CEO and head of HR.
The email asked employees to follow a link to a fake Workday website and log in with their credentials. The ‘sender’ of the spam email then logged into the actual Workday accounts and had the ability to view and change the employees’ direct deposit and banking information.
In response to this institution’s attack, Workday made available on its customer portal a list of “best practice” tips that each of its customers should follow to prevent such an incident from occurring.
The most successful mitigation techniques they advised were enabling two-factor authentication and adding another layer of administrative approval before an employee can change their banking information.
Union Local 415 filed a policy grievance against the college on March 5 in relation to the latest phishing attack.
“I can’t say we’re 100 per cent safe; that would be foolish. We’re safer than we were. It’s always evolving, it’s a continuous effort that’s required,” said Wotherspoon.