The online system failure experienced by the university just days before classes began has made many wonder how secure their personal information is under the university’s care.
On Jan. 10, a key storage device for university servers crashed. Mike Lohrbach, senior systems analyst, described the event as a hardware failure that IT Services worked to resolve as quickly as possible.
“Any time any service goes down, it’s very bad,” Lohrbach said. “With the way that many services are built, there are dependencies. A lot of systems are interconnected and they build off of each other.”
Lohrbach explained that while there may be one system that is used to receive data, there may be other servers behind the scenes that actually provide the data to that system.
“Any time you lose a major underlying component to that system and it affects multiple systems, obviously it can be very impactful,” Lohrbach said.
Lohrbach said that although these systems are designed to eliminate or reduce the possibility of crashes, there are some situations where something unexpected happens.
“With our job, obviously we have a mission to bring everything back as fast as possible,” Lohrbach said.
Server failures like this may cause concern among students who have provided the university with confidential information, such as their student records, Social Security numbers and credit card information, but Andy Weisskopf, senior systems analyst, claims that students shouldn’t worry.
“In our role as a university, the most important data that we have is the records on our students,” Weisskopf said. “We do everything that we can to keep it safe.”
Weisskopf is the team leader for information security, a group dedicated to ensuring that university data is protected.
“We use a variety of different methods to make sure that we protect the university’s data,” Lohrbach said. These methods include locking various systems and data down so that only certain people have access to that information.
Although the recent crash may have caused some data to be inaccessible through various university services like Access Plus, no confidential information was compromised.
“The data itself was not exposed or available to anyone other than IT resources,” Lohrbach said. “Even though we had a major storage failure that affected a lot of different systems, the data is still isolated with that system.
“But there is certainly information that we don’t want getting out and that we work to protect,” Lohrbach said.
Some methods that IT Services uses to protect information include testing and scanning the university’s systems to make sure that certain security rules are followed.
According to ed.gov, the Family Educational Rights and Privacy Act is a federal law in place to keep student education records private.
The law applies to all schools that receive funds under the U.S. Department of Education, including Iowa State. It is one of the laws that Lohrbach and members of the security team keep in mind when handling confidential records.
“Schools must have written permission from the parent or eligible student in order to release any information from a student's education record,” the federal law states.
One of the most common security threats seen on college campuses is what both analysts refer to as a phishing attack. One example of this is when a hacker sends an email to a university member falsely informing him or her that the campus is upgrading its webmail system and redirects the victim to an unprotected site to enter a username and password.
“There are hackers out there that harvest that information and then use that account, typically, to send out other emails as that individual,” Lohrbach explained.
Lohrbach said that hackers will generally attack a user ID or a single system rather than the university’s larger, more secure system.
Weisskopf agreed that the biggest problem he deals with is attacks on the user. He explained that hackers try to trick users into giving away their credentials.
Lohrbach recommends several ways for students to keep their personal information secure. He advises students to use strong passwords or passphrases with approximately 15 characters.
Lohrbach also suggests using letters, numbers and symbols in passwords as well as creating separate passwords for different accounts.
“It’s more difficult to remember,” he said, “but that way if one thing gets broken into, you’re not as exposed.”