U-M Safe Computing Newsletter

Asmat Noori, Interim Chief Information Security Officer, appreciates the ways in which the security community demonstrates commitment to the shared responsibility of protecting U-M’s digital assets. One component of this responsibility is staying informed. Information Assurance (IA) has established a training working group composed of unit representatives who are interested in implementing new ITS-developed data protection training across the university. This group, which meets monthly, has been learning about the training and developing plans to transition to the new courses. Noori elaborates, “It’s an exciting opportunity to provide consistent, vitally important content in an engaging format. It’s great to see units already successfully implementing this training.”

IA has also been moving forward with updates to IT standards, such as Network Security (DS-14). A revision published in February, provides clarification to required security measures, and roles and responsibilities. Noori explains, “This update supports our effort to work collaboratively with the security community to ensure open access to resources across the university, while protecting its valuable digital resources and data.” See the article below about other policy review efforts and how to stay informed.

Noori is also looking forward to working with units in the coming months on expanding use of IA’s existing vulnerability management capabilities, such as Tenable. “Remediating vulnerabilities in an expedited manner is one of the most important things system owners can do to ensure the confidentiality, integrity, and availability of their systems and the data they protect.”

Sol Bermann, Executive Director of Privacy & Faculty Affairs, extends his gratitude to the U-M community and beyond for participating enthusiastically in this year’s Data Privacy Day activities. He elaborates, “We were thrilled by the turnout for the fantastic presentation by Prof. Sauvik Das on ‘Privacy in the Age of AI,’ and UMSI Prof Florian Schaub’s in-depth conversation with him. We so appreciate engaging with U-M faculty like Prof. Schaub, and the on-going collaboration with the U-M School of Information in co-sponsoring Privacy@Michigan events with ITS. We also debuted yet another first-of-its-kind privacy tool as part of this year’s festivities! Privacy Portraits is a question-based fun way to find out what sort of privacy persona you are by assessing your privacy practices and considering privacy recommendations at the same time.” See an article about this year’s events in the newsletter.

We are thrilled to introduce David Savercool, who has recently joined ITS Information Assurance as an Information Security Engineer. David brings a wealth of experience from his previous roles at Barracuda Networks, Ripple Science, American Express, Dart Container, and VMware. His diverse expertise spans security engineering, automation, and infrastructure security, making him a valuable asset to the PROACTIVE team.

David began his journey in IT in 2004, working with various startup companies. Over the years, he has built a strong foundation in IT security, participating in numerous innovative projects. Among his recent achievements, David successfully utilized open-source tools to create an automated SIEM-like platform and developed custom queries and alerting workflows for a managed security service provider (MSSP).

Outside of his professional endeavors, David is an avid hiker, enjoying treks in challenging weather. He also has a passion for traveling and reading non-fiction, particularly memoirs, humor, science, and space-related topics.

Please join us in extending a warm welcome to David as he embarks on this new journey with the IA team!

Creating fantasy realms when running through the backwoods or getting the chance to test-drive heavy machinery can provide an idyllic landscape for a kid growing up. Arthur Gibson has fond memories of his childhood in Alabama, but today, his interests have shifted toward the field of cybersecurity.

As a Data Analyst in IA, Arthur Gibson performs Risk Evaluations of Computers and Open Networks (RECONs) to analyze whether or not unit environments meet the appropriate standards for securely processing and storing sensitive data types. For example, a unit might have a government contract where they need to process Controlled Unclassified Information (CUI). The Data Analyst collects data and runs tests to ensure the unit can be confident they will comply with applicable laws, policies, and regulations.

Looking back on his first year as a Data Analyst in IA, Arthur says, “It has been a breath of fresh air to work with everyone. The wealth of knowledge and the overall scope of experience from person to person has been amazing.” More specifically, he points out, “In every RECON that we do, there is a collaborative effort to see where we need to draw lines. Our IA colleagues are always doing a fantastic job challenging us Data Analysts to make these standards better.” Along with trying to ensure unit environments follow security and compliance guidance, their goal is to make them operationally realistic so that units are not forced to “do with less.”

Behind Arthur’s passion for safe computing is a long-held interest in video games and PC building. It was during his time serving in the USAF that he began looking at those electronic spaces through a security lens. He was tasked daily with thinking about how to set up barriers to “protect a base”, which helped him develop a security mindset. Arthur noted that he felt satisfaction in “the actual procedures of keeping things secure in a way that everyone could feel safe, and be productive, without having to worry.” Arthur also built PCs with his friends in the service to play an array of games on Steam. It combined his interest in computers and video games with his newly acquired security mindset.   

Arthur noted that he felt satisfaction in “the actual procedures of keeping things secure in a way that everyone could feel safe, and be productive, without having to worry.” Arthur also built PCs with his friends in the service to play an array of games on Steam. It combined his interest in computers and video games with his newly acquired security mindset. Arthur has this advice for someone entering the cybersecurity field: “Be patient with yourself because you are going to challenge yourself in ways you didn’t expect. You’re going to need a broad understanding of every component of information technology. It will take time.” When thinking about possible next steps in developing his skills in cybersecurity, Arthur reminds himself to stay grounded by allowing his knowledge to grow through organic experience.

Finally, Arthur talked about his love for the Star Trek universe. When asked about his favorite iteration, The Next Generation, Voyager, and Deep Space Nine are the series he always returns to. Like a hot cup of Earl Grey, he finds comfort in watching the adventures of Picard and the Enterprise crew. If you find Arthur working on a large project, you might hear Q heckling Riker and Picard in the background.

Vulnerability management is the process of discovering and remediating or mitigating security weaknesses in the U-M computing environment. Tenable Vulnerability Management and the Tenable agent are critical to this process.

Tenable provides proactive detection of vulnerabilities on U-M systems, allowing proactive remediation. Benefits include:

• The ability to perform internal and external scans, which improves insight into where vulnerabilities exist.
• The Tenable agent runs locally on systems, allowing it to see threats that might otherwise be blocked from view by network or authentication barriers. It does so without requiring special exceptions in firewall rules or the use of stored credentials or remote authentication.

ITS Information Assurance provides units using Tenable with access to the Tenable console, which empowers units to:

• Create, edit, and run Tenable scans.
• Specify unique group parameters for system scanning (e.g., MyCampusUnit Windows Servers, MyCampusUnit Linux Servers, MyCampusUnit Workstations).
• View and analyze results from their scans.
• Obtain a high-level or granular view of scan results.
• Control who in their unit has access to Tenable scan results.

Tenable compliments CrowdStrike Falcon, which provides enhanced endpoint protection, and with the addition of the Falcon Complete service, gives U-M and our partners at CrowdStrike the ability to detect and quickly respond to threats to our IT systems and data.

Together, the two systems give U-M exceptional proactive, prevention, and response capabilities, and provide unit IT staff with access to information they can use to protect their unit and U-M.

This spring, ITS Identity and Access Management (IAM) will take another step toward improving the security of Duo two-factor authentication at U-M. Phone Call and SMS (text message) will no longer be available as authentication options for people who are enrolling in Duo for the first time, or for current users who add a device with a new phone number. If you are traveling to a location where data connection is unavailable, the Duo mobile app can provide a Mobile Passcode.

The change is designed to make the university’s authentication process significantly more difficult for threat actors to impersonate or “phish” legitimate users. Michigan Medicine transitioned away from Phone Call and SMS methods in September 2024.

People who use only Phone Call or SMS for authentication will not be affected by this change at this time, but are strongly encouraged to transition to the preferred and more secure Duo Verified Push authentication method.

Additional information about Duo two-factor authentication can be found at Options for Two-Factor Authentication and on the Safe Computing website.

The ITS Privacy Office and the Office of the Vice President for Communications (OVPC) released a new consent and preference management integration for U-M websites, replacing the OneTrust Cookie Consent module that had been in use since 2022.

The new integration, developed to accommodate U-M’s complex, decentralized web environment, offers the same functionality while allowing for additional flexibility, such as easy integration and customization and ability to implement the banner on non-umich.edu domains. Administrators of umich.edu websites with a deployment of the OneTrust module had until March 21, 2025 to integrate the new U-M Cookie Disclosure.

The majority of umich.edu websites using the cookie disclosure choose to activate it based on geolocation – only displaying to website visitors from the EU, where privacy laws require it. While there are no similar regulatory requirements for public institutions like U-M in the United States, website administrators are encouraged to consider general implementation of the disclosure, where all website visitors can easily accept or deny cookies. This aligns with best privacy practices and demonstrates the university’s commitment to respecting the personal information of its community members and guests. In 2022, the Safe Computing website led the way by implementing general cookie disclosure and we hope to see more umich.edu websites take action in the protection of privacy as a human right.

Contact the OVPC Digital Strategy team at [email protected] for technical questions about integrating the U-M Cookie Disclosure. For general web privacy inquiries or help writing a privacy notice for your website, contact the ITS Privacy Office at [email protected].

JD Jordan, Desktop Support Manager for the Executive IT team and Security Unit Liaison (SUL), has an office in the Ruthven building and supports the IT needs of the executives located there. In his role as SUL, an important responsibility is ensuring cybersecurity awareness and preparedness against phishing scams.

When asked if he ever visited the Natural History Museum when it was housed in Ruthven, JD had a chance to joke about his time as a U-M student. As he tells it, “The funny story is that I have never been in this building until I worked in this building. I was a student here. I lived in Alice Lloyd for, what, two years? I walked around this building a thousand times. I was in North Hall right across the way when I was in Air Force ROTC. I basically spent more time in this little area than anywhere else during all of my time as a student. I would take pictures with the pumas. I just never walked in. But yeah, nope. I was that horrible student who was more about going to Charlie's than going to the Natural History Museum.”

When JD was a student, he wanted to be an Air Force officer. And the Air Force told him that if you want to commission as an officer, you need to graduate with a computer science degree. As JD recalled, “I love technology. I love to play with technology and to tinker and figure things out. But I don't want to make the stuff. I'll just let you know, I hated computer science. I quickly learned that in my first year of EECS 100.”

When he was placed as an Air Force pilot as a junior, he asked “Hey, do I still need to do this computer science thing?” The ROTC said that to be a pilot he only needed to graduate. JD had already completed most of the prerequisites for a History degree, so he focused on that and loved it. In his words, “It was something that satisfied my thirst for understanding why things are.” When JD graduated, he went into the Air Force and started undergraduate pilot training. He remembers, “being okay at it, but not very good because my heart just wasn't in it.” JD decided on a change, and when the Air Force saw he had years of computer science credits, they put him in communications/IT. “So basically, full circle, I ended up just as if I would have finished with a computer science degree. The universe corrected itself and put me back where I was supposed to be all along.”

In terms of his SUL role, the IA Notices about phishing scams are super helpful for JD because he recrafts those messages to make them a bit more pertinent to his users. Then he blasts them out and says, ”Hey, be careful. This is something that ITS IA has identified as a threat.” JD knows his emails help people because they tell him, “Oh, wow, I got that email and I did this.” JD takes care to communicate to his users about emerging threats and appropriate action. In his words, “The most important thing is they become a little bit more aware and vigilant in their daily computing lives.”

Within Ruthven, JD’s neighborhood IT structure is just like any other ITS unit. People submit tickets and his team responds to them. JD says that “A difference for us is that the people we support, the president, the regents, the majority of the executive officers and their staff, are the top echelon of leadership at the university. So one of the things that we keep in mind is that everybody's important. Not just because they are members of the university community, but these are all people that have huge responsibilities and huge organizations behind them. And so our charge is to make sure that they get the best service possible, not just because they're ‘that person,’ but because if they can't do their job, it trickles down greatly. If you're a vice president of a huge organization and you can't do what you need to do, then the people you lead can't do their jobs.” JD’s team prioritizes speed and efficiency because problems can get big quickly and can affect a lot of people.

On a personal note, JD calls himself a “big kid” because he loves things like Rubik's cubes and Legos. He also spends a lot of time with his kids who are in sports. His oldest played NFL flag football, tackle football, travel baseball, and travel soccer this year, while his youngest takes swim classes and plays soccer. When he has time to himself, JD loves watching science fiction, and adds, “I love stories that just kind of grab you and then have a little bit of a twist.”

A new Data Classification Self Assessment tool helps identify the classification level of the data you are working with so that you can plan to store or process it securely. The tool is designed to align with existing Safe Computing guidance and tools, such as the Sensitive Data Guide, and help with informed decisions about how best to protect U-M's data.

The new data classification tool features questions about the data you are working with, and employs logic based on your answers to suggest data sensitivity level and applicable laws and regulations that govern it, or direct you to contact IA for further assessment.

It is important to remember that the results of the self assessment are meant to give you guidance as you prepare to work with institutional or research data. They are not dispositive and do not represent a final decision on the classification of the data. For data classified as High or Restricted, or for help with the classification of particularly sensitive and/or complex data, contact IA through the ITS Service Center. You can learn more about About Data Classification on the Safe Computing website.

IA is committed to offering data protection solutions for the U-M community. We hope that Data Classification Self Assessment will be another tool that helps you as we work to meet our shared responsibility to protect U-M's valuable digital assets.

The ITS IT Policy team is focused on ensuring all IT policies and standards are up-to-date and remain credible, implementable, and enforceable over time. In the last few months, we have released an IT standard on Endpoint Security Administration (DS-23) and published a significant revision to the Network Security (DS-14) standard.

A number of IT policies and standards are queued up for revision this spring, including:

• Updating the university standard on Security Log Collection, Analysis, and Retention (DS-19) to include new requirements for security log collection.
• Revising the university standard on Access, Authorization, and Authentication Management (DS-22) to remove outdated references and include new requirements for access to U-M systems.
• Modernizing the university policy on Institutional Data Resource Management (SPG 601.12) to reflect updates to technology and the revitalized U-M Data Governance Framework.
• Revising the university policy on Information Security Incident Reporting (SPG 601.25) to make it clearer and more concise.

We encourage SULs and security community members to regularly visit the Policies Under Review page on the website of the Office of the Vice President for IT & CIO to stay up-to-date on the latest updates and revisions. We welcome your feedback at [email protected].

A new DCE101: Cybersecurity and Data Protection at U-M training course is now available in My LINC. This course provides practical data protection guidance and cybersecurity awareness for faculty and staff across all U-M academic campuses. It is a slimmed-down version of the previous DCE101 training, but still covers all the relevant content for those with access to U-M systems and data.

In addition to providing a shorter, more accessible, and widely applicable course, the new course includes more engaging content, and will be updated more frequently. The new course should take no more than 10-15 minutes to complete, and will cover:

• The key points of data protection and the associated resources for finding more information.
• How to spot phishing scams and other cybersecurity threats.
• Basic guidance on how to protect yourself and your electronic devices.

This refreshed training replaces the previous DCE101: U-M Data Protection and Responsible Use course. It does not replace specific FERPA, HIPAA, or PCI courses that a unit may require. Effective Monday, April 7, 2025, those who request system access that has DCE101 as a training requirement will be directed to take the new course. Additionally:

• The course is also available to units to assign as a requirement to their staff.
• Contact [email protected] if you are interested in assigning the course within your unit.

ITS Information Assurance (IA) will be releasing a new set of online courses to provide Security Unit Liaisons (SULs) with important information about performing the SUL role, including expectations, guidance, and key responsibilities. The courses will be available in My LINC.

SUL: Role and Responsibilities
Describes the role, overall expectations, how SULs coordinate security activities within the unit and in collaboration with IA, and highlights key responsibilities with scenarios. (available May 2025)

SUL: Incident Response at U-M
Outlines the goals of incident response at U-M, defines what an information security incident is and what makes it serious (per SPG 601.25), provides initial steps to take when responding to an incident, and describes the overall incident response process. (available in May 2025)

SUL: Security Administration at U-M
Highlights capabilities IA offers in the areas of vulnerability management, endpoint protection, sensitive data discovery, and network security, and describes the SUL role in ensuring these capabilities are utilized in order to improve the unit’s security posture. (available in the coming months)

SUL: IT Security Risk Analysis at U-M
Provides an overview of the Information Security Risk Management process, describes when RECONs (Risk Evaluations of Computers and Open Networks) are required, and guides SULs through the process of performing risk evaluations. (available in the coming months)

Who should take this training

• New SULs will be required to complete the courses as part of the onboarding process for the SUL role.
• Current SULs will receive communication when the courses become available and will be asked to complete the training.

Revisit Data Privacy Day

The keynote presentation by Carnegie Mellon University’s Sauvik Das on January 28 explored “Privacy in the Age of Artificial Intelligence.” Das covered a wide range of AI impacts on privacy, including risks to personal data and opportunities to better protect privacy. An article summarizing the presentation is available on the Michigan Technology Community News website.

A recording of the event is now available on the Past Privacy@Michigan events page on Safe Computing. While you’re there, check out recordings of other past events, such as Dr. Alessandro Acquisti’s 2024 presentation, “The Economics of Privacy at the Crossroads,” including a panel discussion. 

Check out Privacy Portraits 2.0

Did you take the Privacy Portraits quiz this winter? Try the new Privacy Portraits 2.0, now expanded to nine unique portraits! Which one is yours? Answer a set of questions to receive your portrait and customized privacy advice. The results are private, of course–you can choose to share them with others or keep them to yourself.

Privacy@Michigan, a collaboration between ITS and the School of Information, hosts events and activities intended to raise awareness, promote best practices, and provoke thought and conversation on privacy topics broadly relevant to our community members and society at large.

Please remember that DPE110: Data Protection for Unit IT is available in My LINC. It provides IT professionals with an overview of their shared responsibility for protecting the university’s digital assets. This includes understanding data classification at U-M, gaining basic knowledge of FERPA, HIPAA, and PCI, and learning how to safeguard institutional data and stay safe online.

To have it assigned to IT professionals in your unit, contact [email protected].

See the Safe Computing website for information about other Training & Education opportunities in My LINC and on Safe Computing.

Misinformation has become a global concern, crossing international, political, and cultural boundaries. Stories such as, Meta vows to curtail false content, deepfakes ahead of Australia election, and China to crack down on stock market fake news as AI spurs misinformation, says state media highlight this trend. In The big idea: do we worry too much about misinformation? The Guardian suggests that "Seeing falsehoods everywhere is as damaging as believing too much. Our focus should be on helping people interpret information better."

In our effort to be part of the solution, Safe Computing has added a new page of guidance: Misinformation: How to Spot and Stop It. The page provides straight-forward techniques for assessing and making decisions about what you see and hear online as well as links to relevant U-M Library and U-M Center for Social Media Responsibility resources. You’ll also find links to other organizations committed to fighting misinformation, including games that allow you to test your skills. While you are doing your part to protect U-M's digital assets, why not contribute to the public good by stopping the spread of inaccurate, and even malicious, content?

Scams targeting university communities are increasingly sophisticated, such as recent scams involving login theft, fake job offers, and fake housing opportunities. These scams attempt to trick individuals into sharing personal information or making payments. Threat actors often impersonate real U-M faculty or departments to appear legitimate and convey a sense of urgency to get the individual to act without thinking.

Protect yourself by learning to recognize, avoid, and report phishing scams. You can do your part to protect the university community by sharing information with others about the following scams.

Remember to report phishing and suspicious emails or messages to [email protected].

Login Theft Scams

Scammers send a phishing email about a party invite or a document to review, then trick you into entering your U-M login credentials into a fake login form/page. They steal your login credentials. With this access, scammers can redirect your paycheck deposit, redirect financial aid payments, and more.

How to Protect Yourself

• Only enter your uniqname and U-M password on the official U-M Weblogin screen (weblogin.umich.edu) or UM-managed Microsoft Office 365.
• Do not enter Duo passcodes into any forms other than the official Duo screen.
• Do not share Duo verification codes or passcodes, or accept Duo push notifications unless they are initiated by you or requested by the ITS Service Center to verify your identity when you call for support.

See Login Theft Scams on Safe Computing for more information.

Job Offer Scams

In this scam targeting students, threat actors send legitimate-looking emails impersonating U-M faculty/departments attempting to lure them with job offers. They use sophisticated tactics to scam them out of money with fake check overpayments, or they try to steal your personal information.

How to Protect Yourself

• Do not reply.
• Look for signs that the email is fraudulent. See Spot Phishing & Scams for more details.
• Verify the sender's identity.
  • Do not reply through a suspicious message or by using the contact information provided in it.
  • Look up that sender's contact information in the MCommunity directory, then email or call them yourself using directory information.
  • Verify their identity even if they are someone you know, but the message seems suspicious.

See Job offer scams on Safe Computing for more information.

Housing Scams

This scam targets students and starts with an email impersonating a U-M Housing staff member requesting that the recipient complete a housing contract and send payment. It refers to the Regents of the University and uses other tactics to appear legitimate.

How to Protect Yourself

• Do not reply. If you receive a suspicious message that appears to be from someone at U-M, view Spot Phishing and Scams for tips on recognizing scams.
• Verify and Contact. If there are no obvious signs of phishing but the email content is suspicious (offers of jobs you have not applied for, or from someone you do not know), look up that sender's contact information in the MCommunity directory and email or call them yourself instead of using the reply-to in email or the information provided in the email.

See Housing Scams on Safe Computing for more information.

See Phishing & Scams on Safe Computing for information on what to do if you think you are a victim of a scam.

Spring is here and many of us are going on long-awaited vacations or important business trips. As you prepare to travel, you will likely take along some combination of a smartphone, tablet, laptop, and other mobile devices. Follow these tips to safeguard both your own and the university's data.

Before You Travel

Only take what you need:

• Don't take personal or U-M data or devices you won't need.
• Use encrypted devices when you travel with U-M data.

Update and prepare your devices:

• Update all software and operating systems.
• Backup your device.

Enable basic security settings:

• Use a passcode and auto-lock on all devices. Lock them when not in use.
• Turn on the find-my-device feature.
• Plan ahead for two-factor authentication. See Traveling with Duo.

If you are travelling outside the United States, see recently updated International Travel with Technology for important guidance.

While You Are Traveling

Do not leave your devices unattended in public.

Connect securely:

• Disable auto-connecting to WiFi.
• Use a VPN or cellular network for a more secure connection.

Avoid common security pitfalls:

• Do not leave your devices unattended in public.
• Don't use free charging stations.
• Never enter or access sensitive data when using a shared or public computer
• Be cautious about sharing location and other sensitive information on social media.

Visit Travel Safely With Technology on the Safe Computing website for more information and links to helpful resources, including guidance if your device is lost or stolen.

When you get that urge to spring clean this year, don’t forget to take a look at your life online as well. It’s good practice to review regularly what information you are sharing and with whom. The Safe Computing website offers a variety of options to guide you in this process.

• Protect Yourself from Online Harassment - guidance to help mitigate the risk of becoming a victim of online harassment
• Protect Your Privacy - lists basic privacy guidance as well as privacy settings and resources specific to U-M
• Practice Online Hygiene - practical guidance regarding limiting what you share online, controlling your online interactions, and more

Speaking of privacy, MCommunity now offers the option for faculty and staff to choose who can view their campus mailing address. It’s a good time to review and update all of your display settings on your UMICH Account Management Profile page (U-M Weblogin required). Learn more about Privacy and your MCommunity Profile.