U-M Safe Computing Newsletter

In June, Information & Technology Services (ITS) announced organizational updates in the area of Information Assurance (IA) that took effect on July 1, 2024. The changes support even greater focus on the privacy and security domains, and a recognition of the importance of identity and access management as a transformative capability.

Sol Bermann has taken on a new role in ITS as Executive Director of Privacy and Faculty Affairs. He will continue to apply his expertise in the privacy domain, and will play a role in developing collaboration and engagement strategies informed by his experience as a faculty member in the School of Information, including working closely with Advanced Research Computing and the Teaching and Learning teams. 

Sol is enthusiastic about his new role: “Privacy is of vital importance at the university, across academia, and in society at large. I am eager to focus even more time on advancing education, policy-making, and thought leadership in this domain. I am also grateful for the opportunity to use my faculty experience to enhance ITS engagement and inform ITS strategy to support our research and academic goals.”

With this change, Asmat Noori has assumed the position of Interim Chief Information Security Officer (CISO) and Executive Director of Information Assurance. Asmat takes on the new roles, while continuing to perform the duties of his previous role as assistant director of IA. His proven leadership enables IA to move forward its operations and vision, while continuing to promote shared responsibility in protecting U-M’s digital assets.

Asmat says, “I am excited to lead Information Assurance as we continue to provide important capabilities, and continue to work to enhance and expand them, as we strive to proactively protect U-M from an ever-changing landscape of threat that affects higher education and the world at large.”

DePriest Dockins, Director of Identity and Access Management, and his IAM team now report to Bob Jones in ITS Emerging Technology and Support Services. DePriest expresses his ongoing commitment to enhancing U-M’s security posture: “Our focus on IAM innovation is inextricably linked to our efforts to enable and protect the university and its community members. We are excited about this change and we will continue to collaborate closely with Asmat’s and Sol’s teams as we move forward.”

In the last few months, ITS Information Assurance (IA) has welcomed one new staff member, who brings experience and enthusiasm to the important work of securing the University of Michigan.

Arthur Gibson joined the RISC team as a Data Security Analyst and will be assisting them in the performance of Risk Evaluations of Computers and Open Networks (RECONs). Arthur is a U.S.A.F. veteran with a Bachelor’s degree in Information Technology from Walsh College, focusing on cyber security. Before joining IA, he spent three years at Brightline Technologies performing IT and Compliance consulting, where he assisted clients in developing, implementing, and maintaining system security plans. These tasks were related primarily to NIST and PCI compliance. Ask Arthur about his love for Star Trek, video games, and audiobooks. 

Welcome, Arthur! 

“Students who participate in internships are 49% less likely to be underemployed at graduation,” according to Forbes’ coverage of a recent report from Strada. Over the summer, ITS Information Assurance (IA) and Identity and Access Management (IAM) hosted nine of the 59 interns in the ITS program, and it is easy to see why these students would be successful when entering the workplace.  

One of the benefits of a world-class internship program is its ability to facilitate valuable professional experiences and allow students to work on meaningful projects. Daniel Scrochi Colmenares joined the IAM Engineering team and focused on automating various administrative tasks using Ansible. Daniel said, “This was my first experience in an enterprise environment, and it was incredible to witness how everything operates while learning and experimenting with tools I hadn’t encountered before.” 

Anika Raisa Chowdhury had the opportunity to work on multiple projects, such as using AI to sort security tickets and expedite the request process. Anika stated, “By leveraging generative AI, we can streamline operations, allowing the security team to respond faster to critical issues.” 

Internships often provide benefits and opportunities to grow that participants did not expect. Melissa Cunningham was involved in verifying and updating documents used to streamline workflows. She noted that her time management and self-discipline improved: “With a work history of over a decade, I was pretty confident that I wouldn't be learning more about HOW to work. So, I was definitely surprised when I strengthened both of those skills.” 

Emily Chen was the project manager for the Wayfinding for Hatcher Library project. She said, “One of the most memorable experiences I had during this internship came as a result of the friends I met during professional development.” She added, “the internship program isn’t just good for connections, but also genuine friendships.”

An exciting part of the internship program is seeing interns connect their memorable experiences to the next step in their careers. “The skills I have gained here will help me immensely when designing or maintaining robots in the future,” said Yatee Balan, who worked on the MCommunity Group Info Lookup project.  

Anthony Tan also feels better prepared to enter the tech world. Working on deprovisioning inactive Duo accounts, he gained insight into ways to “experiment with calling APIs via HTTP requests and how to structure them using Python and its libraries.”

For Ray Shumaker, seeing the interns’ project presentations at the IA/IAM All Staff meeting in July was particularly memorable because they “represented a closing to the journey of the project.” Ray reflected on the project workflow and how it started as “messy, complicated, uninterpretable rows,” and culminated in “a story that we get the opportunity to tell.” 

Good luck to all of the IA and IAM Summer interns! 

If you want to host an intern in 2025, please email ITS-Internship-Planning@umich.edu for more information.

Security enhancements are coming to the Duo Mobile app on Wednesday, September 25, 2024. These Upcoming Changes to Duo include Duo Verified Push notifications.

With a Duo verified push, the Duo login screen displays a three-digit code for you to enter in the Duo Mobile app to approve the push notification.

This change to the Duo Mobile app does not impact other methods of Duo two-factor authentication (e.g., use of YubiKeys). The extra verification is designed to better secure the authentication process and help prevent unauthorized two-factor approvals. Advantages include:

• Significantly more difficult for a threat actor to trick a legitimate user.

• Protection against multi-factor authentication fatigue.

Use the current version of Duo Mobile

To ensure the Duo Verified Push will work as designed, users should update their version of the Duo Mobile app to the most current version (if they have not done so already). The most recent version of Duo Mobile is available from the app stores for devices running Android 11 or later and iOS 15 or later.

ITS and the U-M security community share the important responsibility of securing U-M’s digital assets.Protecting credentials in accordance with the Access, Authorization, and Authentication Management (DS-22) standard is an essential component of that effort. ITS Identity and Access Management (IAM) is working to enhance the security of Active Directory (UMROOT)  over multiple phases. Each unit that uses the UMROOT environment will be engaged in order to implement changes and align their practices with new expectations.

The current step in this effort is to implement new daily, automated disabling procedures for inactive AD (UMROOT) accounts. 

• Beginning October 9, 2024, on a daily basis - UMROOT accounts that have not been logged into for 90 days will be considered inactive and automatically disabled. 
• Beginning November 8, 2024, on a daily basis - UMROOT accounts that are disabled and have not been logged into for 120 days will be deleted.

Note: Uniqname accounts in UMROOT will not be affected by these procedures.

IAM Support for Units

To facilitate units’ adjustment to the automated, daily disabling of inactive accounts, IAM is:

• Sending email communications to those responsible for Active Directory (AD) account management beginning regarding the implementation of the new procedures.
• Maintaining information on the Active Directory (UMROOT) Improvements page, including a link to key information, dates and instructions.
• Holding Active Directory Office Hours to answer questions. Refer to the Active Directory (UMROOT) Improvements page for dates/times. 

If unit IT staff have questions or concerns, they can reach out to Kyle Cozad.

U-M IT professionals who manage Active Directory (AD) accounts in UMROOT have an important responsibility for the security of those accounts. This responsibility includes ensuring that they are:

• Reviewed regularly
• Used appropriately
• Named using correct naming conventions
• Removed promptly when they are no longer needed. 

Those who manage AD accounts in UMROOT should review a complete list of guidelines annually. Please see Active Directory Non-uniqname Accounts (U-M Weblogin required). Thank you for diligence in managing these elevated accounts and doing your part to protect U-M’s digital assets.

Dion Taylor, Cybersecurity Manager at the School of Dentistry, and Security Unit Liaison (SUL), did not have a career path that followed a straight line to cybersecurity. He describes his work experience as a “winding road” that started with active military service and time in the reserves. Since then, he’s had stops in the restaurant industry, in IT at a glass factory, as a security officer at U-M, and in private sector computer support.

Taylor found his way back to U-M in a Unix/Linux administration and desktop support role. He notes that it was a natural transition to cybersecurity from there: “A lot of things that jibe with Unix/Linux system administration have interesting security components. You learn a lot about the OS, the file system, and manipulating and hardening things.”

In his current role as Cybersecurity Manager, Taylor has to account for the unique way the School of Dentistry is positioned. He explains, “We're academic, but we're also a patient care facility. We have a strong relationship with Michigan Medicine and central campus. A lot of it is being aware of what the different units experience – patient billing unit versus student administration.”

As an SUL, he shares information that comes from ITS Information Assurance (IA) and dips into regular meetings across Dentistry to assess their unique needs. He elaborates, “There's the passive stuff, where alerts that come out from IA are sent out in school-wide messages, and there’s a more active way to reach out to units.” Taylor likes to check in with different groups and ask, “What do you understand? What don't you understand?”

This energetic and engaged SUL is adept at meeting departments where they are. For example, he recalls a meeting in recent months where he had to pivot: “My intent was to talk about a lot of different security-related things like phishing and passwords. The first question I got was, ‘What's a password manager?’ That took up the rest of the meeting.”

Another creative way Taylor has spread awareness is through video storytelling. He describes, “Five or six years ago, one person experienced a ransomware event and one experienced random Duo prompts. Our videographer interviewed them and we sent the interview out to the school.”

Taylor also likes to pass along tips. One of his favorites is borrowed from his colleague, Matt Vuocolo, who talks about “digital clutter.” Taylor recommends managing the clutter by taking a break to “inventory your digital life. What accounts do you have? When have you changed the password last? Is multi-factor authentication on it? I did this for myself.”

Taylor’s go-to resources are the Sensitive Data Guide and the Standard Practice Guide. He adds, “The IT standards are fantastic also.” He is sure to give a shout out to IA staff: “It's fantastic to be able to touch base with Sasha Womble and Asmat Noori.” Taylor also mentions that his boss, Cassandra Callaghan, “does a great job at giving an opportunity to succeed and treating you as a professional. She says, ‘I'm going to trust that you know how to handle this. Come back to me if you have questions.’ It's a really good feeling.”

Taylor has words of wisdom for those starting out in IT: “If you’re being asked to support something, don't be afraid to question it. Be inquisitive, in a professional respectful way. Cassandra encourages us to say ‘Help me understand what this means’ because any bit of questioning can bring out if the process is broken.” 

Taylor balances his work life with a creative outlet. He says, “Photography is probably the biggest thing for me. I love fly-on-the-wall type of stuff. I like event photography.” He picked it up from a friend in the army when he was stationed in Germany, and it stuck. Check out two of his images.

Dentistry Sunrise

Dentistry Sunset

Last but not least is a fun fact about Dion. In his words: “I eat cereal professionally. If it was a job, I'd be a master.” He can describe subtle texture and flavor changes in his favorite cereals that have occurred since he was a kid. Which begs the question, which cereals float to the top for a cereal connoisseur like Taylor?

1. Cinnamon Life
2. Reese’s Puffs 
3. Cocoa Puffs
4. Crunch Berries 
5. Frosted Flakes

 *He confessed during the Zoom interview: “I'd be eating cereal right now if I could turn my video off.”

Stay tuned for future SUL interviews, and if interested, reach out to Bridget Weise Knyal (bweise@umich.edu).

The ITS IT Policy team has been working on revisions and updates to a number of IT policies and standards in order to ensure they remain credible, implementable, and enforceable over time. Some recent highlights include:

• Revising the university policy on Institutional Data Resource Management (SPG 601.12): the long-standing policy will reflect updates to technology and the U-M Data Governance Framework. An executive summary is available for review (U-M login required).
• Streamlining the university policy on Domain Naming (SPG 601.15): merged the outdated policies on IT Addressing (SPG 601.15) and Domain Naming (SPG 601.15-1) into one. The policy is accompanied by guidance on requesting domain names (U-M login required).
• Updating the IT Standard on Security Log Collection, Analysis, and Retention (DS-19): requirements for security log collection and retention are being revised and clarified. A summary of proposed changes is available for review (U-M login required).

In addition, the group is collaborating with subject matter experts on updates to the IT Standard on Network Security (DS-14) and is in the process of drafting a new IT standard and guidance around endpoint protection.

You can stay up-to-date on policies and standards under revision by visiting the Policies Under Review page on the website of the Office of the Vice President for IT & CIO.

ITS Information Assurance has clarified the guidance on how to Use “Personal and Private” folders to Protect Privacy. The updated information is a reminder that, while the policy on Responsible Use of Information Resources (SPG 601.07) permits personal use of U-M information resources, U-M community members are strongly encouraged to store personal files, folders, email, or other personal data in non-UM personal accounts.

The university recognizes that employees may have personal, non-work-related files and records on their U-M computer or in online storage space provided by U-M. We urge you to indicate which files are personal and private by placing them in a folder named Personal and Private. With some exceptions as outlined in Privacy and the Need to Monitor and Access Records (SPG 601.11), unless required by law or an authorized investigation, the university will not monitor or access materials in folders labeled with the phrase Personal and Private. See Use “Personal and Private” folders to Protect Privacy for details.

Additionally, it may be difficult for others, such as next of kin, to access personal information in your U-M account after you leave the university. Using Personal and Private folders and labels for non-work-related information facilitates sharing that information in the event you are deceased or incapacitated. Keep in mind that the process for Requesting Account Access for Next of Kin and Others requires legal documentation, which may be difficult to obtain, so it is best to store your personal files in non-UM personal accounts. Please note that the process includes a new form to submit a request to the ITS Service Center.

Reminder: It is important that units collaborate closely with their UHR business partner in the event of an employee’s death.

In an era when data breaches, IT security incidents, and privacy violations are in the news on a daily basis, protecting university data and systems is more important than ever. This is especially true for IT professionals, who have more access to sensitive university systems and data than other members of the U-M community.

To help stay on top of cybersecurity best practices, the ITS Information Assurance (IA) team has revamped the data protection training for ITS staff, while incorporating the ability to offer the training to all U-M IT professionals. 

ITS staff have been required to complete 3-4 courses on data protection, including annual training on HIPAA and Payment Card Industry (PCI). The new training, launched on September 16, consolidates most of the learning material into a single data protection course that features a streamlined and engaging learning experience without compromising important content.

New Data Protection for ITS Course

• Required for all ITS staff annually
• Available in MyLINC
• Combines material covered in the DCE101 U-M Data Protection, RO100 FERPA at U-M, ITSE101 HIPAA, and ITSE102 PCI courses (ITSE202 Advanced PCI Training continues to be an annual requirement for a subset of ITS staff who work with PCI data and systems).
• Allows for flexibility to emphasize emerging topics and incorporate unit-specific content in a designated section.

U-M units will be able to leverage a unit-specific version of the new course to train their IT staff. Security Unit Liaisons (SULs) can work with the IA Education and Engagement team to develop unit-specific content, if needed, and have the course assigned to IT professionals in their unit. Email ia.training@umich.edu for more information and to get started with this option.

As the U-M community is settling into the fall semester, it is once again time to celebrate Security at U-M in IT (SUMIT) throughout October, the national Cybersecurity Awareness month. The Information Assurance (IA) Education and Engagement team has planned events and prepared resources to reach U-M faculty, staff, and students. Please help us spread the word.

• Cybersecurity + Privacy Challenge: the annual opportunity for students on all U-M campuses to test their knowledge of cybersecurity and privacy, and win prizes, will run from October 14 to November 1.
• Level UP Your Cyber Game – College Gameday Edition: The BTAA is hosting a virtual trivia game show where teams can show off their cybersecurity knowledge. Join the U-M team in this friendly competition for the title of Most Cybersecurity Aware Institution in the BTAA.
• A Conversation with NYT Technology Reporter Kashmir Hill: The Ford School-hosted event will explore the intersection of technology and privacy, addressing some of today's most salient issues.
• IA pop-ups: The IA team will be organizing table pop-up events on the Ann Arbor campus to engage with students and promote SUMIT events.
• Cybersecurity Sessions: U-M cybersecurity experts will host virtual sessions on topics such as CrowdStrike, Tenable, Plasma Pup, and Passwordstate.

For members of the U-M security community, we are also providing a SUMIT 2024 toolkit with materials units can use to promote cybersecurity awareness among their students, faculty, and staff.

Check out event details on the Safe Computing SUMIT page. Thank you for supporting and promoting IT security at U-M!

Hackers may have stolen your Social Security number in a massive breach. Here's what to know. One of the biggest hacks of personal data may have resulted in the theft of billions of records. Read about the hack and what you can do to try to protect yourself.

CAPTCHAs: The struggle to tell real humans from fake ones. Are you really a human? CAPTCHAs, used to prevent many types of online fraud, are struggling to tell. Ever wonder how they work and how AI is affecting this common fraud prevention mechanism? The piece from The Conversation has some answers, and some questions.

Russia accused of EU and Nato cyber-attacks. As nation-states ramp up hacking and disinformation efforts, Russia has become a leader in aggressive cyber warfare.

Here’s Why ‘The Matrix’ Is More Relevant Than Ever. Reality might not be quite as strange as fiction, but it's starting to catch up. Take a look back at how one popular movie was prescient and has had staying power in our ever more complex online world. 

All Highline schools closed Monday due to cyber security incident. Highline Public Schools cyberattack highlights impact of security breaches on education at the local level.

We've all stared at the "enter a new password" box and wondered what we can enter that is secure but also memorable enough that we won't forget it by the next time we log in.

Passphrase to the rescue!

A passphrase is a collection of words strung together to act as a password. The words in the phrase only need to make sense to you, and the more unusual and unpredictable you make them, the better.

Stuck on where to start? Try something fun like:

• The number of books you own.
• Your favorite color.
• Your favorite animal.
• A favorite activity.
• A place you want to travel to.

You might end up with something like 400PurplePandasDanceinSpain or 1MillionYellowCatsBikeinTheUP. You can make up any criteria you like to add more or different words. Just remember not to use things like your name or uniqname in your passphrase!

If the system you're making a passphrase for requires more complexity than just numbers and letters, add punctuation, replace some letters with symbols or numbers. The more you mix it up, the better!

And remember: Your passphrase is only as secure as how you store and use it. 

• Keep your passphrases in a secure password manager, and avoid pitfalls like writing it down and leaving it near your computer or in a place where others might find it.
• Do not use the same passphrase across systems and services.

Whether you are taking a short trip or a long excursion, it's important to protect sensitive personal and university data. Check out the updated Safe Computing While Traveling page and brand-new video for guidance on protecting yourself and the U while you are away.

Here are a few highlights!

Plan ahead:

• Take only what you need, and leave devices with sensitive information at home if possible.
• Make sure your devices, software, apps are all updated before you go.
• Plan ahead to use multi-factor authentication and a secure VPN.

While traveling:

• Keep your devices with you or secured.
• Use a VPN and avoid free WiFi if you can.
• Don't enter personal or U-M information on public computers.

And of course, if one of your devices is lost or stolen, report it immediately, especially if it contains U-M data!