Spring 2024

U-M IT professionals have a unique and important shared responsibility to do their part in navigating U-M through an increasingly sophisticated cybersecurity threat landscape.

This Spring, IA is renewing its focus on security as a shared responsibility in the daily work of all U-M IT staff. We will continue to drive widespread adoption of security capabilities, such as CrowdStrike Falcon, Tenable, and U-M’s VPN, and focus on improving critically-important processes and practices, such as elevated access and account management. These efforts require close collaboration among IA, the U-M Security Community, IT Directors and their staff, as well as a collective security-first mindset.

As part of this, IA is working to provide new resources to support the U-M IT community’s commitment to security. The Cybersecurity Checklist for IT Professionals outlines the steps that those who administer and access university systems must take to protect U-M as part of their job. Other resources are described below (see: CrowdStrike Endpoint Protection - Maximizing Adoption, and PlasmaPup: Hunting Down Active Directory Exposures), while others are in development and will become available in the coming months.

In closing, it’s important to recognize the important role two-factor authentication plays in securing U-M. Thank you to the IA and unit IT staff who worked closely on the smooth transition to Duo Universal Prompt in February.

Jeanne Horvath, Technical Resource Manager, retired this winter after 25 years at U-M – to the day! After working in MAIS for several years, she began as a Business Systems Analyst in IA in 2014. She contributed her wisdom and experience to many system implementations and updates, and was a frequent initiator of creative IA community-building activities.

Vasilios Pliakas, Operations and Service Manager, also concluded a remarkable 25-year run at U-M, to end his 37 years total in IT. He worked in ITD, MAIS, OUD, and ITCS before bringing his positive, steadfast leadership and engineering experience to IA. At his retirement gathering, Vasilios shared his strong sense of purpose and community which he developed over the years: “Each one of us has the joy, responsibility, and learning to do what needs to be done. It is accomplished together, not as individuals. It’s not the paycheck – it’s the project a little bit – but first and foremost it’s the people.”

Doug Cox, Data Security Analyst Senior, worked at U-M since 1992 in system administration and facilities operations before coming to IA. He has specialized in Linux and network security, and recently focused on PCI data security. Doug has always been generous with his time -- from teaching at Washtenaw Community College and Eastern Michigan University, to volunteering to present to ITS interns. Doug loves to see people come together to solve problems: “Reach out and talk to people,” he advised at his retirement celebration. Happy trails to Doug and his wife as they hit the road in their new, solar-ready RV.

As Identity and Access Management (IAM) technologies and processes continue to evolve, the team is taking the opportunity to adjust its organizational structure to align with that evolution. Changes include:

• IAM Operations and IAM Development are being combined, with the goal of reducing knowledge silos and further expanding DevOps principles and best practices.
• A new Service Improvement Team has been created and will focus on enhancing user experience and engagement with IAM services. Victoria Green will be the lead Business Systems Analyst for this team.

Speaking of changes … Congratulations are in order!

• Kyle Cozad was promoted this winter to IAM Engineering supervisor. He started with ITS as an intern in 2015, has demonstrated his ability to guide the architecture of complex systems, and generally is known for getting things done.
• Chris Hable was recently promoted to Assistant Director of Identity and Access Management. He has continuously proven himself as a skilled leader who genuinely cares about his team and the quality of services IA offers to the campus community. 

Here’s an overview of the new structure:

ITS Information Assurance (IA) is grateful for all its staff members. Together, as part of one ITS, they perform a critical role in supporting U-M’s missions. As individuals, they contribute their unique skills, qualities, and dedication to protecting U-M’s digital assets. 

We chatted with Michael Knight, Data Security Analyst Intermediate, about how an ITS Cross-Tier Optimization Program (CTOP) launched him into his current role in Cybersecurity in IA.

Michael began his technology career in U-M Ophthalmology, as a technician, and while it was interesting to him, it was just the beginning of his evolving journey. He joined the ITS Service Center in 2018 during Fall rush and dove into helping with Identity and Access services, sponsorship creation, targeted email campaigns, and fulfilling Online Access Request System requests.

Then, a weekly Service Center staff meeting turned into a pivotal moment, when Dennis Neil, Information Security Systems Assistant Director, gave a presentation about IA, and introduced the possibility of an CTOP opportunity. Knight says, “That immediately sparked my interest. As soon as the meeting was over, I ran back to my desk, wrote my letter of intent to apply for the program and work with IA, and handed it to my supervisors.”

Knight’s application was approved and he spent three months immersed in hands-on, mentored work in IA. He performed risk assessments (RECONs) with support from seasoned data security analysts, and worked with the IA Security Operations Center and Incident Response teams.  

Michael describes how Aaron Hudeck, Data Security Analyst Senior, and others guided him, “He greeted me on my first day, introduced me to people in other areas, and showed me tips and tricks along the way. Every other person that I was able to talk to in IA was just as helpful and willing to lend a hand in helping me understand the applications and processes of IA.”

In 2021, Michael applied for a position on the Responsive Information Security for Campus team, and he is now delighted to be a Data Security Analyst Intermediate. He attributes his success in part to the CTOP experience, “You put your best foot forward and you never know what's gonna come of it. I didn't think I was going to get a job within IA, but I wanted to show them that I was 100 percent involved with what they were doing.” 

Michael is all-in when he’s at work performing risk assessments and collaborating with units, but he also devotes time to his growth and wellness. He is pursuing his Bachelor’s Degree in Information Assurance & Cyber Defense at Eastern Michigan University. On top of all of that, he makes time for his well-being. He says, “I enjoy going to the gym several times a week. It’s great to escape mentally from my computer screen, and it keeps me in good physical shape.” He also literally escapes by taking trips to see the Detroit Lions play at different stadiums – seven and counting! Go Lions!

Starting in April, Information Assurance (IA) will be providing custom reports to units to help identify windows systems attached to UMROOT that may not be running Crowdstrike. This is part of an effort to ensure that all systems capable of running CrowdStrike Falcon Endpoint Protection do so.

To this end, Information Assurance has begun providing lists of active systems that do not appear to have CrowdStrike deployed to unit IT Directors, based on Active Directory Organizational Unit (OU).

• Initial lists were shared with IT Directors in early April 2024
• Lists will be shared with SULs and CrowdStrike Admins via email on a regular basis in the future.

Units are asked to:

• Locate hosts and deploy CrowdStrike on them.
• Inform IA if hosts are unable to use Falcon for technological reasons, or if hosts do not belong to the unit.

Next Steps

IA is working to determine mitigations and related  timeframes for machines identified not running Crowdstrike (e.g., blocking access from the internet); develop automated reporting that will identify Falcon sensor deployment gaps, potentially in real-time; and expand the methods for identifying gaps using additional sources, such as:

• More domains beyond UMROOT
• Unmanaged MiServer inventory
• More Linux/Mac, Cloud, etc.
• More data sources (network traffic analysis, additional inventory/asset data, etc.)

If you have questions, please submit an Enhanced Endpoint Protection service ticket with the ITS Service Center.

In the current landscape of constant cybersecurity threats in which universities are often targets, administrators of Active Directory (AD) environments do their best to institute security practices to protect valuable digital assets. However, the decentralized nature of these environments makes it challenging to maintain visibility to exposures and to implement security measures consistently.

This is where PlasmaPup, a Windows GUI app written at U-M, comes to the rescue. The aptly named sidekick to BloodHound can run on any Windows system and shows all accounts with write permissions to objects within a selected organizational unit (OU). PlasmaPup can be used by any system admin – Identity and Access Management (IAM) personnel, central IT service, and unit AD – and provides specific actionable analysis of permissions in their OU.

Campus units can run PlasmaPup against their own OU and periodically check for any unexpected users with permissions. Central IT groups at U-M, such as IAM, MiServer, MiWorkspace, or the Virtualization team, can run PlasmaPup to see what permissions might exist for legacy admins and users, or for forgotten services and processes.

Getting started with PlasmaPup is easy. The source code is available for download on GitHub. A setup project is included for straightforward installation on Windows systems.

For any questions related to PlasmaPup, please submit a service ticket and mention vulnerability scanning with PlasmaPup.

The Office of the Vice President for Communications (OVPC), in collaboration with ITS Information Assurance (IA), has released a new consent and preference management solution for U-M websites. The solution, powered by OneTrust, replaces a custom cookie consent and disclosure banner that was implemented in 2018.

Consent management pop-ups have become ubiquitous on websites, especially those attracting visitors from the European Union and California, where privacy regulations require consent before collecting personally identifiable information. These pop-ups assist in the user’s choice to allow or decline the collection of information about their website visits and interactions.

The new U-M consent and preference management solution allows users to opt in or out of analytics and advertising cookies. It is designed to be universally accessible on all umich.edu websites, and has already been deployed on websites that had previously implemented the legacy banner:

• For the majority of U-M websites, the solution is active based on geolocation and the banner is displayed only to users in the EU. 
• The ITS Safe Computing website has deployed the OneTrust service for all website visitors, regardless of geolocation.

Christopher Billick, Assistant Vice President for Digital Strategy and Michigan Commons, gives context to the new solution’s implementation: “Our university’s commitment to respecting and protecting privacy has grown and shifted from a compliance focus, to doing what is ethically right in addition to following the laws. We demonstrate our values by giving our audiences agency and respecting their choices.”

The OVPC Digital Strategy team has published instructions for integrating OneTrust consent and preference management on U-M websites. Robert LaRoe, Web Office Team Lead & Web Developer at the School of Social Work, was the first website administrator to implement the new service and shared his experience, “This is awesome. Installation was easy.”

Contact the OVPC Digital Strategy team at [email protected] if you have any technical questions about integrating the solution. For general web privacy inquiries, or for help with writing a privacy notice for your website, contact the U-M Privacy Office at [email protected].

This spring, Health Information Technology & Services (HITS) has begun the process to move to one common password. Michigan Medicine users have had two different passwords: UMICH (Level-1) and Michigan Medicine (Level-2). Once the project is complete, Michigan Medicine users will use their UMICH password for logins across U-M and Michigan Medicine. 

“With a common password, Michigan Medicine employees and students will be able to access most systems and resources at the academic medical center using one passphrase – making work a bit simpler and our data more secure," said Jack Kufahl, Michigan Medicine Chief Information Security Officer. “A passphrase without special characters or annual resets becomes easier to type and remember. The longer passphrase is also harder to hack, strengthening our data security. This is the first of several steps HITS is undertaking to streamline how we authenticate, so less time and frustration are spent navigating our technology to get work done."

In addition, as of March, most users with a Michigan Medicine affiliation are being redirected to the HITS Password Management tool for password management.

Information Assurance Identity and Access Management and the ITS Service Center have been coordinating with HITS on this implementation.

HITS will communicate with those impacted directly by the UMICH Common Password project as it progresses. 

• It does not affect campus users who have no affiliation with Michigan Medicine. 
• See the HITS UMICH Common Password page on hits.medicine.umich.edu if questions arise.

This year’s Internal Controls IA Certification Question focuses on alignment with information assurance requirements related to procurement of vendor-hosted products and services:

My unit understands Section VIII.A. (Security and Privacy) of the newly updated Procurement General Policies (SPG 507.01) and has aligned its procurement processes with the requirements in Third Party Vendor Security and Compliance (DS-20).

When looking to buy third-party services and products, it is more important than ever to consider and build appropriate data protections into contractual agreements. Section VIII.A of the newly updated Procurement General Policies (SPG 507.01) calls out specific security, privacy, and compliance requirements. The IT standard on Third Party Vendor Security and Compliance (DS-20) provides further details on units’ compliance responsibilities.

In preparation for responding affirmatively to the FY24 Internal Controls IA Certification Question, Security Unit Liaisons should work within their units to:

• Create broad awareness of the updated Procurement General Policies (SPG 507.01) and the IT Standard on Third Party Vendor Security and Compliance (DS-20).

• Review Safe Computing guidance on Third Party Vendor Security & Compliance.

• Ensure unit faculty and staff involved in procuring vendor-hosted products and services have incorporated the guidance in the unit’s procurement processes.

Security Unit Liaisons can send questions related to the FY24 Internal Controls IA Certification Question to [email protected].

ITS Information Assurance (IA) relies on engaged and knowledgeable Security Unit Liaisons (SUL) to support the U-M community in IT security, privacy, identity and access management, policy, and compliance. The liaisons are vital partners in supporting the university’s security posture. 

In this issue, we met up with Darin Gaston, Senior System Administrator and Security Unit Liaison at the Ross School of Business, and talked about how he uses IA tools and communications with those in his unit to support security.

As an IT security professional, Gaston, along with his colleagues, makes sure the Ross School of Business IT community stays informed of cybersecurity risks and issues, while appropriately securing data and systems.

Darin is part of a cybersecurity awareness team at Ross that gets together monthly to identify topics they should cover with the Ross community. Darin and his colleagues send out email communications, maintain information on their website, and hold Lunch and Learns for which they try to bring in guest speakers. (Coincidentally, he’s planning to invite Michael Knight, featured in our IA Spotlight, to speak.)

When he’s not busy sharing information with his unit, Gaston uses several ITS tools and capabilities to stay on top of securing his unit’s data and systems. He says, “I use Seeker to scan the workstations, which is very useful. It’s been handy to use RECON for mitigations, and I link up with IA to get their input. Those are good tools.” Gaston’s team also uses Tenable for scans, and they are ramping up to use Cloudflare for servers and Passwordstate as well.

Darin describes the dual roles of system administrator and a Security Unit Liaison as a juggling act, “It’s about keeping things organized, talking things out, and knowing what's most important at any given moment. Setting deadlines and using tools to stay on track can help keep all those tasks from piling up.” He also explains that it’s critical for the security team to stay in touch and says, “The sys admins at Ross go to the break area each morning to have coffee and discuss what we're working on to keep everyone in the loop on security issues or incidents so we can all jump in and handle them pronto.”

When reflecting on cybersecurity at the individual level, Gaston offers a tip, “I tell people to question everything they see no matter how real it appears. Before you respond to anything, make sure you know what you're getting.” He reminds people to “Hover over links, and do a search on the web.”

Outside of his work, Darin is fueled by his passion for writing. He says, “Over the years, I've dived into various genres, penning thrilling mysteries, gripping thrillers, and mind-bending science fiction novels.” Some of his works include, The Friday House, The Promise, and Wicked and Preternatural.  Lately he has ventured into writing comic books and self publishing titles like "PANTHEON: Escape" and "WORMS" under his own publishing company, Threat Level Comics. When he’s not crafting stories, Darin says he indulges in down-time, “immersed in the virtual worlds of video games.”

Stay tuned for future SUL interviews, and if interested, reach out to Bridget Weise Knyal ([email protected]).

Did Michael Knight’s story spark your interest in enhancing your cybersecurity knowledge and skills? IA is offering a pathway for U-M IT staff to engage in mentored, hands-on cybersecurity training.

Asmat Noori, Information Assurance Assistant Director, invites U-M units or ITS departments to collaborate on a limited-time, mentored training experience in which their IT staff members are embedded in IA. He describes the benefits of this collaboration, “This type of cross-training is a win-win for units and ITS as staff gain a robust and nuanced understanding of cybersecurity while IA enhances its connections with IT professionals at U-M who share the common goal of securing U-M.”

Those interested can contact Asmat Noori via email.

Safe Computing offers many resources to help you protect yourself and the U. 

Remember that the Unit Security Checklists provide detailed guidance regarding SULs’ vital work. This Spring we’ve added the IT Security Checklist for IT Professionals, which outlines security and privacy expectations for ALL U-M IT professionals. In addition, IA is developing MyLinc training that will align with and augment this checklist.

The Online Safety page is also a handy stop for valuable guidance that you can use and share with others in your unit. Recent page additions and updates include:

• NEW Protect Yourself from Scams - Learn how to protect yourself from scams, such as phishing email.
• UPDATED Protect Yourself from Online Harassment - Take steps to prevent and respond to online harassment and abuse.

STAC Summit

The STAC Summit on April 9 gathered unit IT Director with a focus on “cybersecurity information & action.” IA provided a high-level overview of the evolution of the cyber threat landscape, shared details about CrowdStrike Falcon adoption in units, and showcased a new tool, Plasma Pup, that will expand reporting on Active Directory unit-level permissions. In addition, representatives from CrowdStrike presented on current threats and trends in higher education and beyond. 

T. Charles Yun, Director of Computing at the School of Information observed, “STAC Summit was a great opportunity to speak with people from ITS and units about how CrowdStrike tools are being used.” The CrowdStrike presentations were informative. (Who knew the Nigerian Prince scam is ongoing, lucrative AND actually concentrated in Nigeria?!). Hearing how CrowdStrike uses its wider field of view and access to a diverse population was eye opening. While higher ed is a target, we are only a portion of the wider threat landscape.”

IA Open House

On April 11, more than 50 unit IT staff waded through April showers to meet the IA team on their home turf at ASB and chat about security, privacy, IAM capabilities, and more. Guests visited each IA group to talk shop, discuss what works, what is needed, and what the future holds. To encourage interaction IA provided a passport, and everyone who got their open house passport stamped at all stations received fantastic IA swag.

Sol Bermann, Chief Information Security Officer and Executive Director of Information Assurance shared his impression of the event, “We hosted this as a thank-you for the continued partnership, and to connect or reconnect the security community in a fun way. People took time to visit each IA group – raising questions and sharing ideas. Beyond conversations with the IA team, it was wonderful seeing people re-connect and network, with some guests hanging out after the event had ended. Always the sign of a good party.”

ITS Information Assurance knows you are BEYOND BUSY. You are responsible for the monumental, day-to-day work of securing U-M. That’s huge!

Getting the information you need is critical, and that’s why Safe Computing is designed, updated, and maintained for you. 

Check out these recent enhancements and tried-and-true favorites:

• Simplified menu options get you where you want to go quickly, when you’re looking to Protect Yourself, Protect the U, and Protect Privacy. 
• For IT & Security Professionals digs deep into topics and tools you need to do your job.
• Refreshed daily, In the News is a quick stop to grab curated, current IT security and privacy articles
• Alerts, Advisories, & Notices brings you details about the latest security threats and scams impacting U-M.
• The Sensitive Data Guide is your go-to resource to help you make informed security and compliance decisions.

For a quick way to catch up on what’s happening in IT at U-M in general, follow the ITS Instagram account! It’s geared up to give you U-M IT news, events, and fun.

Everyday Hero Prevents Major Cyber Attack

You may have noticed an Information Assurance (IA) Alert on April 2 describing a vulnerability inserted into some distributions of Linux. The incredible story of how the vulnerability was found reminds us that not all cybersecurity heroes wear capes, or even have big cybersecurity titles! Did One Guy Just Stop a Huge Cyberattack? 

Don't Get Fooled by AI Generated Images

We are reminded almost daily that AI has benefits and dangers alike. While many put it to work creatively to enhance their productivity, some use it maliciously, or just carelessly. From harmless silliness to the menace of deepfake porn, spotting fake AI images is becoming a necessary online skill. One Tech Tip: How to spot AI-generated deepfake images.

Spring is here, the sun is sometimes shining, and many of us are finally taking a long-awaited trip. Whether you’re embarking on a leisurely vacation or a quick professional trip, you will likely take some combination of a smartphone, tablet, laptop, and other mobile devices. Follow these tips to safeguard both your own and the university's data.

Before You Travel

• Require a password, passcode, or PIN for access to your device, and set the screen to lock after 15 or fewer minutes of inactivity.
• Turn on the app or feature that helps you find your device and/or erase its contents if it is lost or stolen.
• Plan ahead for two-factor. If you will be away from your usual Duo two-factor option, set up an option in advance to use when traveling. See Traveling with Duo.

During Your Trip

• Always use a secure Internet connection, and turn off optional network connections (WiFi, Bluetooth) when you are not using them.
• Keep your device with you and/or physically secured.

Visit Travel Safely With Technology on the Safe Computing website for more information.

As U-M students approach graduation, ITS emails them with detailed information about the end of their IT services, and details what they should do to retain or transfer their accounts.

If you help to support students, you may want to familiarize yourself with the following tips and share them.

Graduating students should:

• Review their current storage usage in Google to ensure they are below the 15GB limit allotted to alumni. If necessary, they can download or export their Google data to stay under the 15GB limit before graduation.
• Download, export, or transfer any files, folders, or cloud recordings they wish to keep from U-M storage services (like Dropbox) to a personal account or computer.
• Transfer ownership of files, folders, and shared drives to others who will remain at U-M, if appropriate. (e.g., data that a faculty member or non-graduating student would like to keep)

For more details and tips:

• Review Information for Graduating Students.
• Download the U-M Tech Cheat Sheet for Graduating Students (PDF) for a summary of the U-M computing services that graduates keep or lose as an alum.