Fall 2015

Leadership Update

U-M Participating in CIC Security Working Group

Rivalry between schools is fun on the football field, but when it comes to cyber security, universities need to stick together. To that end, U-M Chief Information Security Officer (CISO) Donald Welch is working with other CISOs to share IT security information and ideas through the Committee on Institutional Cooperation (CIC) Security Working Group.

"Attackers don't usually attack just one university at a time," says Don. "If we share information, we can help each other react to threats faster."

The CISOs are exploring how to collaborate on the use of security event logging tools for shared operational intelligence. They are also examining the feasibility of a joint framework for evaluating the security of third-party service providers. In addition, the CIC Chief Information Officers (CIOs), including U-M CIO Laura Patterson, have charged the CISOs with providing a list of the five top things CISOs need from their CIOs to provide good IT security.


Project & Capability Updates

Moving Closer to Expanded Multifactor Authentication

The university is nearing the end of the process for selecting a vendor for an expanded multifactor authentication solution. Vendor demonstrations wrapped up in September, and the Multifactor Project team then conducted due-diligence exercises and explored pricing with the two vendors who remained under consideration. On November 18 and 19, the two vendors came to campus to demonstrate and describe deployment, administration, provisioning, and more in detail for their offerings. Once funding has been approved, contract negotiations will begin.

A group of representatives from ITS, Medical Center Information Technology (MCIT), the School of Dentistry, and the School of Information have been working together on a Multifactor Authentication Project to select a vendor in preparation for implementing multifactor authentication more widely across the entire university. Two new implementation partners recently joined the project: the Institute for Social Research (ISR) and Student Life. Both units are participating in the final stages of the vendor selection process and will participate in early implementation of the chosen solution.

Multifactor authentication means using more than one factor to verify your identity when you log in. It means using at least two of these three factor types: something you know (such as a password), something you have (such as a tokencode), and something you are (such as a fingerprint). U-M's new multifactor solution will include a smartphone app as an authentication factor.

U-M CISO Don Welch says, "The most powerful single thing that we can do to help protect both individuals and University of Michigan systems and data is to expand the use of multifactor authentication."

Once the new multifactor solution is in place, members of the university community will be offered the option to use it to protect all their U-M accounts. "We will encourage everyone to protect all their accounts with multifactor authentication," said Don.


Non-Firewalled Unit Networks to Gain IPS Protection by End of December


By the end of December, all appropriate non-firewalled networks on the Ann Arbor campus will be protected by U-M's network Intrusion Prevention System (IPS). The IPS sits between university networks and the Internet, protecting those networks from malicious traffic. It is an important component of a comprehensive security program.

The IPS began protecting MWireless in September, and all appropriate non-firewalled networks in MiWorkspace units gained IPS protection by the end of October. ITS staff members are working now with Security Unit Liaisons in units that do not use MiWorkspace to implement IPS protection. Everything is on track to complete that work before the end of December.

Next year, ITS will work with U-M units to determine which networks currently protected by firewalls can be appropriately placed behind the IPS. Some specialized networks, such as those used by researchers with high bandwidth needs and those at the U-M Health System, are not appropriate for use with the IPS and are protected in other ways.


Project to Develop PCI-Compliant Components Begins Work

As ways of accepting credit card payments have expanded over the years, compliance with the Payment Card Industry Data Security Standard (PCI DSS) has become more complex. During October, a new university-wide project intended to help U-M units with PCI compliance kicked off. The Treasurer's Office and ITS are collaborating to develop consolidated PCI-compliant components and environments to help units, and the university at large, achieve PCI compliance more easily.

"The Treasurer's Office worked very closely with ITS Information and Infrastructure Assurance (IIA) to make this project a reality," said Matt Deseck, assistant director, Treasurer's Office. "Once it's fully implemented, it will offer a set of very clear steps for university departments to follow when validating their PCI compliance."

Doug Cox of IIA, technical lead for the project, says new components may include a PCI-compliant network (including required logging), a PCI-compliant kiosk image, and more. Project team members are planning to have some of the new service components available for testing in spring 2016.


ITS Staff Required to Change Passwords Annually

We all know how important it is to change our passwords on a regular basis. IIA recommends that everyone change their UMICH password twice a year. We also all know how hard it is to remember to do it, and some of us get rather attached to our passwords. The only way to guarantee that people keep their passwords fresh is to prompt and enforce regular changes.

As of November 4, Information and Technology Services (ITS) staff members and ITS sponsored affiliates are now required to change their UMICH password at least once a year. Their passwords are set to expire 365 days after they were last changed.

The passwords expire gently. ITS staff members with an expired UMICH password can still log in to their MiWorkspace machine, MWireless, and many other services. The only thing they can't log in to is Weblogin; they are directed instead to UMICH Account Management to change their expired password. They can change their password themselves and do not need to call the Service Center to get it reset. The intent is to require the password change with minimal disruption.

MCommunity sends automated email reminders 30, 7, 3, and 1 days before the password is set to expire, and the Weblogin screen begins providing reminders three days before expiry.

So far, everything is working well. ITS staff will monitor the new processes for several months to be sure everything continues to work as expected. While there are no immediate plans to offer password expiry outside of ITS, we anticipate being able to offer it to units in the future.


New Standard Calls Attention to Middleware Security

The connections, queries, transactions, and updates between systems are as vulnerable to attack as the systems themselves, yet the security of middleware (sometimes called "software glue") does not always get the same attention as the security of more visible systems.

A new U-M data standard calls attention to this need: Security of Enterprise Application Integration (DS-09). The new standard applies to the entire university, including the U-M Health System. It provides information security requirements for enterprise application integration that:

  1. Integrate security across applications and infrastructure by implementing specific privacy and security safeguards.
  2. Minimize the vulnerability of enterprise systems to external attacks, unauthorized disclosure of sensitive data, or unauthorized access to administrative interfaces or system configurations.

For an example of a situation where the new standard applies, see the Terms of Service for the U-M Directory of APIs.


Reminders & Events

Keep Up with IT Security and Privacy News

Interested in the latest updates about IT security and privacy? Safe Computing offers several ways to stay on top of what's happening:


Decommission Unused Systems, Securely Dispose of Data

Are you responsible for any old, unused systems, websites, servers, databases, or the like? If so, please take the time to plan for decommissioning them to ensure that they are not vulnerable to attack and compromise and that the information stored in them cannot be accessed inappropriately.

This work can sometimes seem like a low priority, but when sensitive university data is involved, it is important to remove unused devices from networks and to securely delete the data from them. For reference, see Secure Data Deletion and Media Disposal.


In the News

Security, Privacy, and the Internet of Things

Making Sense of the Internet of Things
Boston Bar Journal, October 21, 2015
According to Peter M. Lefkowitz, the Internet of Things is "a set of devices that connect to and send or receive data via the internet, but not necessarily the devices people most often think of as being connected to the internet." These things include meters, refrigerators, fitness trackers, insulin pumps, sensors, networks, cars, and a whole lot more. In this article, Lefkowitz reviews some of the promise and peril of the Internet of Things, noting the practical and policy challenges of the emerging technologies and the evolving regulatory and legislative landscape.

U-M researchers are already grappling with these issues and more at the Mobility Transformation Center (MTC), the College of Engineering (Powering the Internet of Things), the Department of Electrical Engineering and Computer Science (Michigan Micro Mote), and more.


Balancing Network Protection with Openness and Collaboration

Can Campus Networks Ever Be Secure?
The Atlantic, October 11, 2015
Universities have long struggled to balance academic openness with the need for security across their networks. Josephine Wolff reports that while some believe academia has lagged behind industry in protecting its networks and other infrastructure, there are others who believe academia has much to offer industry in the way of strategies for securing networks while enabling collaboration. "For instance," she writes, "some hold up academic institutions as models for dealing with the security threats posed by bring-your-own device (BYOD) environments."

Network protection at U-M is increasing this year through the use of a network Intrusion Prevention System (IPS). (See "Non-Firewalled Unit Networks to Gain IPS Protection by End of December" above for details.) A number of services available at the university have gained the needed controls and agreements to comply with regulations such as HIPAA, increasing the options for safe storage of sensitive university data. See the Sensitive Data Guide for details.


Tips to Share

Say Yes to Multifactor Authentication

Does your bank give you the option to use multifactor or two-factor authentication for your online accounts? Say yes! Do your social media accounts offer it? Say yes! How about the online file and photo storage services you use? Always say yes to multifactor authentication.

Multifactor authentication is the use of more than one thing, or factor, to prove your identity when you log in to something. It is the online equivalent of showing two pieces of identification or adding a deadbolt lock to your front door, and it protects you and your online accounts and information from fraud and theft.

When you say yes to multifactor, you agree to use something in addition to your password to prove that you are you. You might enter a tokencode from an app or text message, answer a security question, or provide a thumbprint. If your password is stolen, the thieves won't be able to access your accounts because they won't have your second factor.

More and more online services—from Twitter to Facebook to Amazon—are offering multifactor authentication, and that's a very good thing.


Look Before You Log In

Many people at U-M receive phishing emails with links to fake Weblogin pages. The fake pages look exactly like the real one. When people log in to the fake page, their UMICH password is stolen, and their U-M account is compromised.

You can protect yourself against these password theft attempts by looking at the URL of the Weblogin page before you enter your uniqname and UMICH password. That URL may be your only clue that the web page is a fake.

Before entering your UMICH (Level-1) password on a web page, check that the page's web address/URL begins with this: https://weblogin.umich.edu/

  • The https is important. It means your connection to the web page is secure.
  • The slash after .edu is also important. There must be a slash (/) after the edu (.edu/).
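A small checker that applies this rule to a URL, added here as an example (it is not U-M code or part of the Safe Computing page): it parses the address the way a browser does, accepts only an https URL whose host is exactly weblogin.umich.edu, and for the common look-alikes (http instead of https, a missing slash so that .edu is followed by another domain, the real name placed before an @) reports which part of the rule fails. It goes slightly beyond the literal prefix test by comparing the host case-insensitively and ignoring a port number; the sample URLs and their .example hosts are constructed.

```python
"""Check whether a login URL is really U-M Weblogin (added example, not U-M code).
Applies the newsletter's rule, that the address must begin with https://weblogin.umich.edu/,
and reports which part of the rule a look-alike breaks. Sample URLs are constructed."""
from urllib.parse import urlsplit

REAL_SCHEME = "https"
REAL_HOST = "weblogin.umich.edu"


def check_weblogin_url(url):
    """Return (ok, reason): ok is True only for an https URL whose host is
    exactly weblogin.umich.edu; reason names the first rule that fails."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "URL could not be parsed"
    if parts.scheme.lower() != REAL_SCHEME:
        return False, "scheme is %r, not https" % (parts.scheme or "missing")
    host = parts.hostname  # lower-cased, with any user@ prefix and :port removed
    if host is None:
        return False, "no host in URL"
    if parts.username is not None:
        # https://weblogin.umich.edu@<host>/ shows the real name before the @,
        # but the browser actually connects to <host>.
        return False, "text before @ hides the real host %r" % host
    if host == REAL_HOST:
        return True, "genuine Weblogin address"
    if host.startswith(REAL_HOST + "."):
        # The missing-slash case: weblogin.umich.edu.<something> is a different
        # domain whose name merely begins with the real one.
        return False, "host %r only begins with %s; no slash after .edu" % (host, REAL_HOST)
    return False, "host %r is not %s" % (host, REAL_HOST)


# Constructed samples: the genuine address (plain, and with a path in mixed case)
# followed by look-alikes of the kind phishing messages use.
SAMPLES = [
    "https://weblogin.umich.edu/",
    "https://WebLogin.UMich.edu/login?service=example",
    "http://weblogin.umich.edu/",
    "https://weblogin.umich.edu.attacker.example/",
    "https://weblogin.umich.edu@attacker.example/",
    "https://weblogin-umich.edu/",
    "weblogin.umich.edu/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_weblogin_url(sample)
        print("%-50s %s  (%s)" % (sample, "OK" if ok else "FAKE", reason))
```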

For a screenshot showing how to check the URL, see Look Before You Log In.


Good For U

Good for U

Use caution when clicking web links in email messages. Check the URL by hovering over the link with your cursor. Learn more: Protect Yourself & the University from Spear Phishing (video).