February 2015

Project & Capability Updates

IIA Streamlining Alerts Process as Vulnerabilities Escalate

You may have noticed an increase in the number of IIA alerts and advisories in your inbox lately. This reflects the industry-wide increase in security vulnerabilities and malware. Unfortunately, we expect this trend to continue, so we are working to streamline and improve our process for keeping you informed about the vulnerabilities and malware that could impact the university.

We are piloting a new process for evaluating and triaging issues based on potential impact at U-M, likelihood of exploit, whether immediate action is needed, and more. Based on this analysis, we determine whether to send an alert, advisory, or notice. Our intent is to make sure you have the information you need to respond to emerging security risks.

We are getting input on the new process now from groups in ITS, and we'd like your input as well. For example, we recently heard from a recipient of one of our IIA alerts that it would be helpful if we provided some text that could be shared with users. We have added a section to our communication template to remind us to do that when possible and appropriate. We will publish our triage process in the IT Security Community section of Safe Computing soon. Watch for more detail in the next issue of the Safe Computing newsletter.

Thank you for continuing to monitor the security of the systems and machines you are responsible for and applying patches in a timely manner.

 

SPG 601.33 Implementation Now Complete

All U-M units have now reported the status of their implementation of Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33). Thank you to all of you for your attention to this important policy.

Departments/units have the discretionary authority to adopt additional expectations and restrictions beyond those outlined in SPG 601.33 for those in their department concerning the use of personally owned and self-managed devices with sensitive institutional data. About a third of units imposed additional unit-specific requirements or restrictions.

Resources to help you with implementation of, and education and awareness regarding, the policy and secure use and management of personally owned devices are on Safe Computing:

 

U-M Exploring Expansion of Multi-Factor Authentication

ITS has begun working with other university units to explore how we can expand the use of multi-factor authentication at U-M. Multi-factor authentication is the use of more than one authentication method or proof of identity when logging in. Options include passwords, PINs, tokens, security questions, security images, and more.

Many U-M administrative systems already require two-factor authentication to better protect the sensitive university data in those systems. Users must enter something they know—their UMICH password—along with something they have—the number displayed on their MToken. (MTokens, available as either a physical device or an app that people can store on their phone, display a different number every 60 seconds.)

Examples of use cases for expansion of multi-factor authentication include:

  • Managing sensitive personal information in Wolverine Access (for example, direct deposit information)
  • Using IT administrative accounts
  • Accessing sensitive research systems (for example, the Flux high performance computing cluster requires an MToken for login)

Currently, ITS uses SecurID from RSA to provide MTokens. Other university units use other two-factor systems, such as Duo. ITS is exploring, with other units, the possibility of working toward a single solution for the entire university.

If you would like to provide input to the exploration of multi-factor authentication options for the university, please contact DePriest Dockins ([email protected]), assistant director of Identity and Access Management, ITS.

 

Network IPS Appliances in Place; Pilots Have Begun

U-M's new network Intrusion Prevention Service (IPS) went into production on February 15, and pilots of the IPS have begun. "First, we are connecting the network used by IIA staff in ITS and then some other ITS staff networks," said Dennis Neil, who is leading the IPS project.

The IPS sits between the Internet and any U-M networks that are connected to it. It monitors for malicious traffic and does not let that traffic through to the university. Features of the IPS include:

  • Selective logging. The IPS won’t record all network activity. It will only log information when it takes action, meaning that the privacy of network users is maintained.
  • Reputation-managed protection. The IPS subscribes to a reputation-based list of known malicious sites and domains, which it uses to proactively protect users.
  • Multiple threat protection. The IPS offers protection against zero-day threats, mitigates brute-force password attempts, and offers automated mitigation of threats to availability, such as denial-of-service attempts.
  • Dynamic threat response. The IPS can be fine-tuned to respond to particular threats, so if U-M is repeatedly faced with a certain threat, the system can be tuned to recognize that threat before it risks disrupting university business.

The service will be piloted in three Ann Arbor campus units this summer, with a phased rollout to other campus units to follow. If you would like to plan now for deployment in your unit, please contact the ITS Service Center.

Note that the IPS augments and, in some cases, may serve to replace current firewall services. The Virtual Firewall Service will continue to be supported.

 

Disaster Recovery Templates for Units Now Available

Disaster recovery planning efforts help an organization recover quickly and keep operating with minimal downtime when a disruptive event occurs. ITS is in the process of developing disaster recovery plans for critical ITS systems using a template developed by IIA, which coordinates disaster planning for ITS. These plans are expected to be complete by the end of the fiscal year.

Units can now take advantage of the same template being used by ITS to develop new or refine existing disaster recovery plans for their own systems. The disaster recovery plan template, which can be downloaded at Disaster Recovery/Business Continuity Planning at U-M, allows units to perform disaster recovery planning without assistance from IIA. Units that would like more guidance for their disaster recovery planning efforts can request the for-fee Disaster Recovery Business Continuity Planning service.

 

Reminders & Events

February is Data Privacy Month

January 28, Data Privacy Day, was the first day of Data Privacy Month, which runs through February 28. The day and month both center on respecting privacy, safeguarding data, and enabling trust. This year, we are celebrating with a new Privacy section on Safe Computing that brings together privacy tips, definitions, and resources.

Next year, we plan to organize a privacy-themed event and activities and provide additional resource materials. If you have suggestions about what would be useful to you and the people in your unit during Data Privacy Month, please send your ideas to [email protected] now so that we can consider them in planning for next year.

 

Security Community Meeting Slides on Safe Computing

Slides from the February 17 U-M IT Security Community meeting are now available on the Safe Computing website at IT Security Community Meetings. You will be prompted to log in with your uniqname and UMICH password; access is limited to members of the IT Security Community. Topics covered at the meeting included:

  • State of the Hack
  • U-M IT Strategic Plan Overview
  • Identity and Access Management Update
  • Updates on IT Policy Implementations and Revisions
  • Updates of the Safe Computing Website
 

In the News

More News Now on Safe Computing

Enjoying the In The News section here? See more articles like these on the Safe Computing homepage. News headlines linking to full articles are posted on an almost-daily basis.

 

Preparing for the Top IT Security Trends of 2015

5 Information Security Trends That Will Dominate 2015, CIO, 12/10/14
This CIO article identifies five IT security trends for 2015 that information security professionals should understand. These are not new trends, but, according to the article, "What is new is the increase in complexity and sophistication."

1. Cybercrime. Cybercriminals are collaborating and exhibiting greater technical competency. According to the article, "organizations must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high impact events."
IIA works hard to mitigate cybercrime. The new Intrusion Prevention System (see article above), the Security Essential service in MiWorkspace units, other IIA services, and the work that all of you contribute help to make the university more resilient to attack.

2. Privacy and Regulation. Many governments, including that of the United States, have created or are in the process of creating new regulations around data privacy. Organizations need to have resources in place to respond.
U-M has a coherent body of information technology policies, but many of them have not kept up with the changing times. Forward-looking revisions to a number of those policies have been proposed, with comments from you and the entire U-M community due at the end of February. IIA will continue to monitor emerging developments in privacy and related regulations.

3. Threats from Third-Party Providers. According to the article, "Over the next year, third-party providers will continue to come under pressure from targeted attacks and are unlikely to be able to provide assurance of data confidentiality, integrity and/or availability."
As more U-M services are contracted from third-party vendors, IIA is working hard to ensure that measures are in place to protect the privacy and security of U-M data. IIA developed the U-M Service Provider Security-Compliance Questionnaire to aid Procurement and IT staff in assessing the security of a third-party vendor that could provide a U-M contracted-for service. The Sensitive Data Guide helps individuals determine which third-party storage solutions can safely be used for sensitive university data.

4. BYOx Trends in the Workplace. The Bring-Your-Own trend is here to stay, with people bringing their own devices, accounts, and online identities into the workplace and expecting to use them at and for work. Policies and guidelines are needed to address the increased exploitation risk.
Your recent work to complete unit implementation of Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33) is a key factor in U-M's response to this trend. In ongoing support of the policy, brochures with device security tips are available to units, and detailed instructions for securing most devices are available on the Safe Computing website.

5. Engagement With Your People. People are our greatest asset, but also our most vulnerable target. According to the article, "Instead of simply making people aware of their information security responsibilities and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in 'stop and think' behavior becoming a habit and part of an organization's information security culture."
We are continually working to improve the education and awareness materials we provide, adding video, step-by-step instructions, and tutorials to the Safe Computing website, but there is more we can do. We have developed an education and awareness program focused on three key areas (anti-phishing, compliance, and Bring Your Own Device) with a number of supporting key messages. We are exploring the use of purchased data protection training. Watch for more information in the coming months. If you have ideas for better engaging the U-M community to foster safe IT practices, please send them to [email protected].

 

Tips to Share

Out with the old, in with the new? Securely delete the data first!

Do you need to dispose of or sell an older device you no longer need? Before you do, you should securely delete files and other information on the device.

See Secure Data Deletion and Media Disposal for information to help you remove data securely from computers, mobile devices, and media. The information is applicable to both personal and university-owned devices.

 

Fraud or Safe? Check Out These Real U-M Examples

Criminals are crafting phish emails and webpages that spoof the look and feel of legitimate U-M emails and webpages. The two most important things to remember when asking yourself whether an email or webpage is really from U-M are these:

  • U-M won't ask you to validate your account or provide your password in email.
  • Check the URL of a webpage before entering your UMICH password.

Examples of actual U-M phishing and legitimate emails are on the Safe Computing website to help you distinguish between the two. See What to Watch for: Phishing Examples.

Additional information, including a list of recent phish emails received at U-M, is on the Safe Computing Spam, Phishing, and Suspicious Email page.