Fall 2017

Leadership Update

Remembering Thomas Suter


We remember our colleague Thomas Suter with fondness, and mourn that he is no longer with us. Thomas, a data security analyst with Information Assurance (IA), died on July 31. During his 15 years at the university, he worked with many members of the IT Community.

Before joining IA, Thomas worked for the Health Management Research Center (HMRC) as a system administrator and with the Office of University Development (OUD) as a senior network administrator. During his time with IA, Thomas was well-regarded by members of the U-M community for his IT security knowledge, and more so for his eternal optimism. He is greatly missed.

Gifts in memory of Thomas can still be made to the Thomas Suter Education Fund by way of the U-M Credit Union. Details are at the end of the MLive Obituary for Thomas.

 

Project & Capability Updates

Use [email protected] to Report Phishing


There's a new address for reporting phishing emails at U-M: [email protected].

This new address helps streamline and automate the threat intelligence and mitigation work done by the IA Security Operations Center (SOC), which began operations in March. The address is already in use on the UM-Ann Arbor campus; Michigan Medicine will roll it out later.

Reports sent to the new address go directly to the SOC for immediate action. Based on those reports, SOC staff members can update the threat intelligence used to block malicious websites, protect email, inform firewalls, and more. Phishing reports sent to [email protected] or [email protected] still reach the SOC, but they must first be sorted manually from the many other kinds of reports sent to those addresses.
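To show the kind of automation a dedicated reporting mailbox makes possible, here is an added example (it is not IA's own SOC tooling, whose internals this newsletter does not describe) that pulls indicators out of a forwarded report: it parses the attached original message, records the sender and Reply-To addresses, extracts every URL, drops hosts on an assumed trusted-domain list, and defangs the rest so they can be pasted into a ticket or blocklist without being clickable. The report text, addresses and hostnames are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a user forwarded a suspected phish as an attachment.
# Every address and host below is made up for this example.
REPORT_EML = """\
From: reporter@example.edu
To: report-phish@example.edu
Subject: FW: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Looks like a phish, forwarding as requested.

--outer
Content-Type: message/rfc822

From: "IT Helpdesk" <helpdesk@login-example.invalid>
Reply-To: collect@mailbox-example.invalid
Subject: Action required: verify your account
Content-Type: text/html

<html><body>
<p>Your mailbox is full. <a href="http://login-example.invalid/verify?u=123">Click here</a>
or visit https://example.edu/real-page to continue.</p>
</body></html>
--outer--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def defang(text: str) -> str:
    """Render a URL or hostname so it cannot be clicked by accident in a ticket."""
    return text.replace("http", "hxxp", 1).replace(".", "[.]")


def _is_trusted(host: str, trusted) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)


def extract_indicators(raw: str, trusted_domains=frozenset()) -> dict:
    """Parse a report, locate the original message (an attached message/rfc822 part,
    or the report body itself if nothing is attached), and return the sender,
    Reply-To, suspicious URLs, domains to consider blocking, and defanged URLs."""
    report = email.message_from_string(raw, policy=policy.default)
    original = report
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the nested EmailMessage
            break

    urls = set()
    for part in original.walk():
        if part.get_content_maintype() == "text":
            urls.update(URL_RE.findall(part.get_content()))

    sender = parseaddr(original.get("From", ""))[1].lower()
    reply_to = parseaddr(original.get("Reply-To", ""))[1].lower()

    domains = set()
    suspicious_urls = []
    for url in sorted(urls):
        host = urlparse(url).hostname or ""
        if host and not _is_trusted(host, trusted_domains):
            suspicious_urls.append(url)
            domains.add(host)
    for addr in (sender, reply_to):
        if "@" in addr:
            dom = addr.rsplit("@", 1)[1]
            if not _is_trusted(dom, trusted_domains):
                domains.add(dom)

    return {
        "sender": sender,
        "reply_to": reply_to,
        "urls": suspicious_urls,
        "block_domains": sorted(domains),
        "defanged": [defang(u) for u in suspicious_urls],
    }


if __name__ == "__main__":
    for key, value in extract_indicators(REPORT_EML, frozenset({"example.edu"})).items():
        print(f"{key}: {value}")
```

The trusted-domain filter matters in practice: real phishes routinely include legitimate links (the university home page, a logo host) alongside the malicious one, and blocking those would break far more than it protects.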

 

New U-M Self-Phishing Guidelines and Norms

Are you thinking about providing anti-phishing education through self-phishing in your unit? If so, be aware that any U-M unit considering such an effort is expected to abide by self-phishing guidelines and norms from Information Assurance (IA).

The guidelines are intended to contribute to the success of your anti-phishing efforts and to share IA expertise based in part on experience with U-M pilots of such programs. The guidelines specify, for example, that unit leadership must sign off on self-phishing plans and that the Information and Technology Services (ITS) Service Center and/or Health Information Technology & Services (HITS) Service Desk must be included well before test messages are scheduled and sent to allow for support and planning.

Affected community members must be informed before the campaign starts that the anti-phishing activities will be taking place and that they will be participants. Anti-phishing training should be offered before and after the self-phishing campaign.

Before doing self-phishing, contact IA for consultation, reviews, and approvals through the ITS Service Center. IA is developing capabilities to provide self-phishing engagements. Stay tuned for more on this as we make progress.

 

Self-Phishing Pilots Educate Users

Pilots of anti-phishing education programs that feature self-phishing concluded this fall at Michigan Medicine and UM-Flint. Participants in both pilots improved their ability to recognize phishing.

Michigan Medicine. Two units, Family Medicine and Pathology, volunteered to participate in the pilot, and extensive communication was conducted with participants before and after the simulated phishing email campaigns. Over a period of three months, three simulated phishing emails were sent; depending on the message, 4% to 12% of participants clicked the simulated malicious link. Those who responded to surveys reported a greater understanding of phishing and how to recognize it after the pilot.

Based on the pilot, Information Assurance (IA) and Health Information Technology & Services (HITS) now have a good understanding of the logistics involved in setting up and managing simulated phishing emails. Together, they worked out triage procedures for managing and tracking reports for both simulated and actual phishing simultaneously. IA and HITS staff members are planning to begin phasing in the anti-phishing education program across Michigan Medicine during 2018.

UM-Flint. UM-Flint Information Technology Services (ITS) sent three simulated emails over a period of three months. Staff members adapted and supplemented communications used for the Michigan Medicine pilot that were developed by Information Assurance (IA). ITS provided customized training for members of the UM-Flint community.

UM-Flint ITS staff report that the number of people who clicked the malicious link in the simulated phishing email fell dramatically over the course of the pilot, from 256 people on the first message to 59 on the third. ITS staff concluded that "the campaign improved IT security knowledge and the ability of users to identify and report phishing threats."

 

Social Login Now an Option for Guest Access at U-M


A key initiative of the Enterprise Identity and Access Management (EIAM) Program this past year was to expand account creation options so that U-M affiliates such as prospective students, parents, donors, patients, external researchers, and faculty can use their social identities (Google, Facebook, Yahoo, and so on) to log in to certain U-M provided services. This fall, two campus units successfully piloted social login and now use it:

  • The Alumni Association allows alumni to log in with a social account for activities such as event registration.
  • University Libraries provides social login as an option for guest login to HathiTrust’s digital library resources (see HathiTrust login page).

Social Login is now available to U-M units, and Information and Technology Services (ITS) is seeking partners for 2018 implementations. The ITS Identity and Access Management team will continue to assess demand and increase licensing if needed.

Social login fits best for:

To implement social login, you first need to set up your service as a Shibboleth Service Provider (SP) so that it authenticates users with SAML. Your service then consumes a SAML assertion regardless of which social provider the user chose, and the social account's password never passes through your application. If you want to explore implementing social login, contact the ITS Service Center.

 

New Uniqname Setup Process Eliminates OTIDs


A replacement of the uniqname-creation process for incoming students and employees on the Ann Arbor campus (excluding Michigan Medicine) was implemented in October. The old process required people to keep track of two numbers sent in two separate emails—a U-M ID number (UMID) and a one-time identifier (OTID). The new uniqname and account setup process replaces the OTID number with a clickable link.

The new process is easier for new students and employees to use and easier for the ITS Service Center to support. It is also more flexible, which will allow it to be extended to other U-M groups in the future.

 

New IT Security Pros Section of Safe Computing


Based on the input many of you provided at the September IT Security Community meeting and afterwards, the For IT Security Professionals section of Safe Computing has been completely revised so you can more quickly find the content and resources that are most useful to you. Thank you to all who participated in a session with our web usability experts—the end result is better for your feedback and insights.

"I encourage U-M units and departments hiring new IT staff to incorporate a review of For IT Security Professionals as part of their orientation and training and to increase their familiarity with U-M security policies, services, and resources," says Sol Bermann, university privacy officer and interim chief information security officer.

If you have additional feedback on the new section—or any part of Safe Computing—send your comments to [email protected].

 

Sensitive Data Guide Improvements Are Live

Based on user interface recommendations stemming from a School of Information class project and feedback that some of you shared, we have redesigned the page layouts of the Sensitive Data Guide to move the most used information to the top of each page. We hope you find this helpful!

 

CUI and GDPR Compliance Info Coming Soon

Controlled Unclassified Information (CUI) Compliance. The university is preparing to offer guidance and support for safeguarding research projects that involve CUI, including a U-M CUI FAQ. CUI is unclassified information that the federal government creates or possesses, or that another entity creates or possesses on the government's behalf, and that law, regulation, or government-wide policy requires to be protected with specific information security controls (for nonfederal systems such as a university's, the controls in NIST SP 800-171). Because U-M is a very large recipient of government research grants, some portion of research conducted at U-M is expected to fall under CUI requirements as of the start of 2018.

Multiple U-M units are working together on development of research infrastructure, policies, process, security templates, a new website, and other support for the university research community. If you have questions about CUI compliance in the meantime, contact the U-M Office of Research (UMOR) Research Information Security Program at [email protected].

General Data Protection Regulation (GDPR) compliance. The GDPR is a European Union (EU) law that applies from May 25, 2018, and imposes new privacy requirements on entities like U-M that have operations (such as study abroad programs) in EU countries or that handle the personal data of individuals in the EU. For background on why U.S. universities are affected by GDPR, read The General Data Protection Regulation Explained (EDUCAUSE Review, 8/28/17).

The U-M Privacy Officer and OGC are coordinating the university’s preparations for GDPR compliance. Watch for more information and updates in the coming months. If you have questions in the meantime, send email to [email protected].

 

Reminders & Events

"YOU Are Our Best Defense" Posters Available


It takes the entire U-M community to help protect against cyber threats. That's the message on posters sent to Security Unit Liaisons at the end of November. The 11 by 17-inch posters stress that IT security is a shared responsibility and we all have a part to play. In particular, they urge people to secure and protect any device used to access U-M resources.

  • Want printed posters for your unit? If you'd like additional posters for your unit, send email to [email protected] and let us know which version of the poster you want (UM-Ann Arbor, UM-Dearborn, UM-Flint, Michigan Medicine, or U-M research), how many copies, and where to send them.
  • Prefer digital? Download files for posting on U-M digital signs at Digital signs: YOU are our best defense (in U-M Box; U-M login required).
 

Computer Security 101: Students Show What They Know


For the past 13 years, Information Assurance (IA) has engaged UM-Ann Arbor students, including medical students, with a basic online quiz designed to raise awareness of IT security issues. This year’s quiz had the highest completion rate yet. From October 30 through November 3, 2017, 7,864 students took the quiz. That's 17% of those who were emailed a link to the quiz, more than double the response rate for the original quiz in 2005.

This year’s 10-question quiz covered topics such as the risks of peer-to-peer file sharing, avoiding phishing scams, the advantage of two-factor authentication, and securing devices with software updates. Those who scored 90% or higher were entered into a drawing for prizes such as an Apple Watch, iPad Mini, Beats Solo headphones, and more.

IA believes strongly in the value of educating all of U-M about IT security best practices. Take the Computer Security 101 quiz and explore the Safe Computing website for tips on protecting your online privacy and security.

 

SUMIT and Dissonance Recordings Available Online

Did you miss SUMIT_2017 or one of the recent Dissonance events? Would you like to go back and hear one of the presentations or discussions again? Recordings of past SUMIT and Dissonance events are available on the Safe Computing website:

  • SUMIT recordings and slides. SUMIT is a free annual symposium designed to raise awareness and educate the community about important cyber security and privacy issues.
  • Dissonance recordings. Dissonance explores topics in technology, law, privacy, and security, from global and national perspectives.
 

You Can Still Enroll for the Privacy, Identity, and Reputation Teach-Out


You still have an opportunity to participate in the Privacy, Reputation, and Identity in a Digital Age teach-out, which was first offered in November. The U-M teach-out—co-taught by Sol Bermann, university privacy officer and interim chief information security officer, and Tim McKay, Arthur F. Thurnau professor of physics, astronomy, and education—will start again in January 2018 (enroll now).

Teach-outs are Coursera courses delivered by U-M faculty and staff that focus on specific, broadly relevant issues. They bring people together from across the globe to share diverse perspectives and allow individuals to engage in meaningful interactions about current topics.

In this teach-out, questions of privacy, reputation, and identity are considered using a case study approach. Participants hear from experts through videos and readings and engage in conversation about real-world scenarios across multiple topic areas.

 

In the News

Latest Tech Support Scam Mimics Error Message

Windows security: New BSOD scam emerges from fake tech-support swamp

ZDNet, 11/30/17

The latest variation on the tech support scam displays what looks like a Windows error message and prompts the user to "Click Next" to troubleshoot the problem. The user is then urged to purchase a fake security product called "Windows Defender Essentials." Many versions of this scam exist, all trying to trick people into paying for bogus tech support. Safe Computing provides tips about tech support scams for you to share with your colleagues. Note that Information Assurance recommends free anti-virus software for personal computers.

 

It's Possible to Write a Readable Privacy Policy

Nobody reads privacy policies – here’s how to fix that

The Conversation, 10/9/17

U-M Assistant Professor Florian Schaub notes that privacy policies are "hard to find, read, and comprehend," in part because they serve different functions for consumers, companies, and regulators. Key to making them useful to consumers/users is to rethink their purpose. Through their work on the Usable Privacy Policy Project, Schaub and his colleagues developed a way to make privacy notices more effective.

 

Tips to Share

Shop Online Safely


With the holiday season in full swing, you may be doing some online shopping. See Online Shopping Tips to Protect Your Personal Information on the Safe Computing website for tips to help you protect your personal information and devices when you shop online. The tips fall into three categories:

  • Secure your environment
  • Know who you are dealing with
  • Avoid the traps

Check out the tips and share them with your colleagues, family, and friends. An 8-1/2 by 11 inch poster is available if you’d like to post the information: Shop Online Safely poster.

 

Reveal Short URLs; Use Them With Caution

Shortened URLs, such as those from bit.ly and goo.gl, are convenient to share and type, but they hide where your web browser will actually take you.

  • Before clicking a shortened URL, check for the full URL. Most URL shorteners, including those used at U-M, offer a preview feature; for bit.ly and goo.gl, for example, appending a plus sign to the short link shows its destination instead of redirecting. Several URL checkers are also available on the web.
  • Before creating or sharing a shortened URL, consider alternatives. If you must use one, make clear where it goes.
  • Be aware that criminals use shortened URLs to hide phishing sites and malware downloads, and that a short link can redirect several times before it lands. If you are suspicious of a shortened URL, don't click it.
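For readers who would rather check a link from a script than from a browser, the following added example (not a U-M tool, and not the preview feature of any particular shortener) walks a redirect chain one hop at a time with HEAD requests that never follow redirects and never fetch a page body. It handles the cases a practitioner cares about: relative Location headers, redirect loops, a cap on hops, and a Location that switches to a non-web scheme such as javascript:, which is refused rather than followed. The redirect table, hostnames and the short-url-check User-Agent string are constructed for the example so it runs offline; head_no_follow is the live equivalent.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
WEB_SCHEMES = {"http", "https"}


def head_no_follow(url: str, timeout: float = 5.0):
    """One HEAD request; returns (status, Location header or None).
    http.client never follows redirects, which is exactly the property we want."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "short-url-check/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_chain(url: str, fetch=head_no_follow, max_hops: int = 10):
    """Walk the redirect chain one hop at a time without fetching any page body.
    Returns (list of URLs visited, reason the walk stopped)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        current = chain[-1]
        scheme = urlsplit(current).scheme.lower()
        if scheme not in WEB_SCHEMES:
            return chain, f"refused: non-web scheme {scheme!r}"
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return chain, f"final (HTTP {status})"
        nxt = urljoin(current, location)  # Location may be relative to the current URL
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop detected"
        seen.add(nxt)
    return chain, f"gave up after {max_hops} hops"


# Constructed redirect table standing in for live shortener responses so the
# example runs offline. All hostnames are invented.
FAKE_RESPONSES = {
    "https://short.example/abc": (301, "https://go.example/r?id=7"),
    "https://go.example/r?id=7": (302, "/landing"),
    "https://go.example/landing": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop"),
    "https://short.example/js": (302, "javascript:alert(1)"),
}


def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for start in FAKE_RESPONSES:
        chain, why = resolve_chain(start, fetch=fake_fetch)
        print(" -> ".join(chain), "|", why)
```

Calling resolve_chain with the default fetch does the same walk against real servers. Even then the final destination is only what the server chose to send to this client; a phishing host can return something different to a real browser, so treat the result as a reason for suspicion, not a guarantee of safety.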
 

Turn On Two-Factor for Your Personal Accounts

Many popular services and websites offer two-factor authentication. Information Assurance (IA) encourages you to turn it on wherever it’s available to protect your personal information and accounts. Two-factor goes by many different names—two-step verification, login approval, login verification, and so on—but they all protect your information and accounts.

Duo may be an option. If you already use the Duo Mobile App for two-factor authentication at U-M, you might also be able to use it with your personal, non-university accounts.

  • If a service mentions Google Authenticator, the Duo Mobile app can be used in its place: both generate standard time-based one-time passcodes (TOTP), so the code from either app is accepted.
  • Websites that allow you to use Duo will display a QR code you can scan with the Duo Mobile app to get started.

Instructions. Refer to the following websites for lists of popular websites and services, whether or not they offer two-factor protection, and links to instructions for turning on two-factor where available: