What is the value of a compromised account or computer?

What is the value of hacked email, website account, or computer?

“Hacked” in the context of this announcement is defined as stolen, compromised, or otherwise accessed account/computing asset without the authorization and often knowledge of their owner. The attackers can hack into an account to gain system access or they can gain system access and then harvest accounts that reside on the computer stored in browsers, the computer memory, or computer files (plain text and even password protected files with easy to guess password). 

Picture is worth a thousand words:

 Figure 1. Value and uses of hacked email.Figure 1. Value and Uses of Hacked Email.Source: https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

Figure 2. Value and uses of of Hacked PC.Figure 2. Value and uses of Hacked PCSource: https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Figure 3. Stolen account economics.Figure 3. Stolen account economics
Source: https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

What is the impact on the University of a compromised account or computer?

  • FERPA federal funding implications
  • PCI DSS credit card processing implications
  • HIPAA patient record privacy, security, criminal, and financial implications
  • Tangible loss: costs for event/impact analysis, containment, eradication, recovery, future proactive measures, notification, identity protection services, hotline, etc.
  • Intangible loss: reputation, trust, confidence in our commitment to protect the data and services we deliver to our constituents and community partners

What can we do?

  • STOP. LOOK. THINK. before clicking on links or attachments.
  • Join the “Human Firewall”, which is delivered through KnowBe4, our partner for the FSU cyber security awareness, training, and education program. Enter your FSU email address [email protected] and you will receive an email with instructions from KnowBe4 to sign in.
  • Manage your passwords. Don’t reuse them. Password managers like keepass, dashlane, lastpass have free personal password vaults, which allow you to create one very complex password and help you manage passwords for any other accounts without you having to memorize them.
  • Be proactive, sign up for HaveIBeenPwned, where you can be notified if personal or University email address was compromised and reported as part of a publicly discovered security incident.

Do not use @ferris.edu account for personal business. When we detect that your @ferris.edu is part of reported cyber security incident, we will do our best to notify you and take appropriate actions to minimize impact on the University.

Figure 4. Number of @ferris.edu accounts that ITS detected and assisted with in 2017.Figure 4. Number @ferris.edu accounts that ITS detected and assisted with in 2017.

KnowBe4 Security Awareness Training (available for Ferris State University employees. After clicking the link, enter your email address in the web form. For example, [email protected])