CoE Cares Profile: CEE's Mike Anderson

In keeping with this month's theme of information security, we sat down with CEE's Director of Information Technology to pick his brain about keeping our personal and professional information safe.

Mike Anderson
Director of Information Technology
Civil and Environmental Engineering

Where are you originally from and how did you end up at Georgia Tech?

I was actually born and raised here in Georgia. I grew up in a little town called Stockbridge down in Henry County. I stayed there until I was 19, then I joined the Marine Corps. I was in the Corps from 1994 until 1999. I lived for three and a half years in Tustin, California. While I was out there I was a counter-measures specialist for helicopters. I was in the electronics field. I came back here and went to work for an aviation company. My heart was really set on IT because that was when the dotcom world really started to take off, so I went and got my bachelor's degree in information technology. The company I was working for at the time had an opening for an IT coordinator and they heard I was going to school for it, so they said they'd like me to take the position. I moved from avionics into IT. I was there for 7.5 years, then I went to a company called ADP, Automatic Data Processing. I worked there for about a year and three months, and it was very stressful. They are the largest outsourced payroll company in the world, and they do a ton of other things. A friend of mine was working over here at Tech and when there was an opening he told me it really fit the type of work I was doing, and it was a much better commute than driving up to Alpharetta, so I applied here, got the position, and I've been here since March of 2008.

What do you enjoy about your work at Georgia Tech?

The folks I work with are great. I enjoy the general experience. I feel like I'm actually giving back. Working here you're not busting your tail to line a CEO's pockets. All the actions that you contribute help send these kids out into the world to make new things, new innovations, and to make the world better. It's really cool to see these kids come in as freshmen and leave academically mature. It's good to be a part of that.

What is the scope of your work on a day-to-day basis?

It's a mix of everything. Our biggest support base is grad students and all of the research they're doing. We support a lot of the faculty as well. They'd be our second largest customer. We get a few calls here and there from the staff. We don't usually hear from undergrads unless there's a problem in one of the computer labs. We do everything from supporting our own Windows clusters all the way down to installing software applications on a machine. Every day is a mixed bag, which is another one of the joys of this job. You're not pigeon-holed into doing one specific thing.

What are some of the biggest threats people face online?

The biggest risk right now is that there are so many people out there who are attacking for profit. We try to be as proactive as we can, but the reality is that a lot of our security advances come from being reactive. After the fact we can get in and diagnose something and see what the attackers are doing, then we can shore up our security for that.

Some of the things people need to be concerned about are phishing attacks. Some are random and some are targeted, where the targets are high-profile people like President Peterson or Dr. Bras, the provost. Anyone that has access to sensitive research data can be targeted for phishing attacks. Generally we feel like we've done a pretty good job limiting the amount of spam and phishing attacks people get through their GT email that are sent in an attempt to compromise accounts. The biggest attack vector coming in usually consists of somebody getting an email with a malicious link in it and an unsuspecting and trusting person clicks the link, which infects their machine. That leads to other machines on the network becoming infected in a cascading effect. All it takes is one computer to start a chain reaction. It's problematic and it's a mess to clean up. Here's an example.

We had a student that received a phishing email from an outside party warning that his/her account would be suspended if they didn’t update their password ASAP. The links provided in the email led the user to a malicious password reset site where the student entered in their GT credentials. Once this occurred, the attacker on the other end started looking for mail servers at Georgia Tech. They used the student's credentials to gain access to the student's email account. Once inside, the outside party began sending several thousand spam emails to the world, including everyone in the student's address book. Spam was sent to several other universities throughout the email bombardment. Georgia Tech ended up being blocked from sending email to those universities, which held up communications vital to some ongoing research projects.

Here’s where it gets interesting. The student's account was disabled to prevent further spam from being sent by the compromised account. The student had to create a new password before having his/her account re-enabled. This action forced the attackers out of the account. Until... the student wanted to continue using their old password because it was easy to remember. They went back to the password change site for the GT system and proceeded to change their password enough times to get it back to the original compromised password. And, I’m sure you’ve guessed that once this happened, the attackers jumped back into the account and proceeded to blast spam out to the world again. Prior to the actions of the student (with regards to the password reset), Georgia Tech staff had reached out to the universities that had blocked our email and got them to add us back to their safe list. So, once the student's account started spamming again, you guessed it, we were banned again and it’s always harder to ask for forgiveness the second time around.

What advice do you have for keeping your information and accounts secure both at work and at home?

At both the office and at home make sure you have anti-virus software installed and running, make sure you have your firewall running on your machine, and if you can access an anti-malware program have that do real-time protection on your machine.

I'd also recommend keeping your passwords separate. Don't use the same password for every account that you have. If you use the same password for Gmail, Amazon, and everything else, you're making it easy for an attacker. If they can breach your email account they'll have access to your other services, like financial services. People like the simplicity of having one password but it's dangerous.

Thirdly, try to minimize your overall profile in the open. If you're on Facebook don't talk about sponsored research or where and when you're going out of town. Tweak your privacy settings to limit your posts to friends and family. Don't make yourself a target. The more someone knows about you the easier it is for them to take advantage of you.

How important is it to have strong passwords?

If you don't make a tough password it's just a matter of minutes or even seconds before your account is compromised. The difference between a good and bad password is huge. For example, in the case of the recent Ashley Madison site compromise, they had someone with a supercomputer go through the dump of information and within a matter of hours he had cracked 4700 simple passwords. The number one password for the majority of those users was "password". When you make it that simple hackers can run a dictionary script and it's a matter of minutes before it's breached. The more complex you make it the harder it becomes. You're adding exponential factors of time when you make it more complex. That's why we have the requirements that we have. I recommend using a password program like LastPass, which we actually offer to all staff members. It will do an auto-generation for you if you can't think of a complex password. Then you only have to remember one strong password and from there you can get into your encrypted database with all of your various accounts and then copy and paste your passwords and user names. They can be as complex as you want because you don't have to memorize them. Anyone interested in using it should send a request to support@oit.gatech.edu or visit OIT's Technical Support Center in Clough.

What guidelines should people follow when coming up with passwords?

The longer the better, and make sure there's upper case and lower case characters, as well as special characters. Don't use anything that's common to you: your name, your children or pets' names, your birthday. Nothing that's public. Pet names are a huge no-no because someone with bad intentions could walk up to your dog and check their collar. That sounds paranoid, but it happens.

I also highly recommend using two-factor authentication whenever possible. It's simply the best way to protect yourself from password breaches. If somebody manages to crack your password, so what? At that point they don't have the second piece they need to get into the castle. If you use websites and services that offer it, use it. I'm shocked that there are still large institutions like banks that don't use it. If Facebook can offer it, why can't banks that handle trillions of dollars? It would cut down on the number of compromised accounts they have to deal with. Turn it on. It's easy to use and very secure.