Summer 2018

U-M is taking two steps that will improve IT security at U-M:

• Publication of the revised Information Security Policy (SPG 601.27), which now better addresses the cyber risks facing the institution. More about implementation of this policy will be shared in the coming weeks and months.
• Turning on two-factor for Michigan Medicine employees and sponsored affiliates on October 10. Michigan Medicine is expanding its use of two-factor authentication using Duo to improve IT security. Two-factor enables users who enter passwords to verify their identities using a second factor. A campaign encouraging faculty, staff, and sponsored affiliates to expand their use of Duo begins in August. Everyone will be asked to become early adopters and turn on two-factor for Weblogin before the deadline.

A Distributed Denial of Service (DDoS) attack took down a residence hall network switch at the University of Maryland (UMD) over spring break 2018, but it could have been a lot worse without the collaborative threat information sharing partnership of U-M and other universities.

90% of Attack Traffic Blocked
"If we hadn't been using our shared threat intelligence, we would have likely lost internet access across campus, caused serious disruptions of all UMD IT services, and negatively impacted a disaster recovery plan test that was being conducted at the same time," said Bertrand Sobesto, IT senior engineer, Division of IT-Security at UMD. Activity logs showed that "90% of the attack traffic had been blocked thanks to the shared intelligence framework we are part of."

Shared Across the Big Ten
The threat intelligence information resides in a repository hosted and facilitated by U-M Information Assurance (IA) and shared across the Big Ten Academic Alliance (BTAA), with seven schools participating in threat intelligence sharing. The repository resulted from collaboration among BTAA chief information security officers.

"Attackers frequently go after more than one university with the same approach," explained Sol Bermann, U-M privacy officer and interim chief information security officer. "They often try an attack out on a small number of targets, fine tune it, and then go after additional targets. By sharing information across the Big Ten, we can help each other react to threats faster—and even end them before they begin."

The repository contains Internet Protocol (IP) addresses, domains, email addresses, and more that are known to be malicious. U-M IA staff gather and compile the information from multiple trusted sources, including REN-ISAC, Spamhaus, and others—as well as threats detected at U-M. The BTAA universities contribute their own information and then use the shared intelligence to configure firewalls, network intrusion prevention systems (IPSs), malware filters, and other security services.

U-M Is Smitten with the MITN
While it began with a shared repository, U-M IA expanded that by developing a framework for collecting, generating, sharing, and using threat intelligence, now known as MITN—Michigan Intelligence for Threat Negation. At the heart of MITN is the “Collective Intelligence Framework” (CIF), a threat intelligence application developed by REN-ISAC. CIF is widely used in the higher education community to share threat data among universities. Some of the BTAA schools have their own CIFs, which they have connected to MITN to synchronize data. Others use the MITN data directly.

"MITN data makes email infrastructure, network IPS, and other services stronger and more effective," said Matt Coons, senior incident responder and threat analyst. "We now have more than 25 open source threat feeds, data from our BTAA peers, and threats we’ve identified at U-M.” All of that adds up to more than 60,000 actionable indicators updated hourly. We use it to block 300,000–500,000 threats daily on our IPS alone."

"We are smitten with the MITN," said Kevin Cheek, university incident response lead, with a grin. "At U-M, we share the data with Michigan Medicine and UM-Dearborn. We are working to extend its protection to additional systems, add more threat intelligence sensors, and make the threat intelligence generation more modular so it is easier for others to use."

Stay tuned for more as universities throughout Michigan and across the country potentially leverage MITN to protect their systems and data.

Resetting a forgotten UMICH (Level-1) password can be easy—but only if you've set up account recovery information ahead of time. When you save your account recovery information—a non-university email account and/or your mobile phone—we then know where to send your password-reset code in case you ever forget your password.

To make this process easier, Information and Technology Services (ITS) will begin gradually rolling out a new reminder prompt later this summer. Sometime in the next year, when you log in through the Weblogin page, you'll be prompted to set or check your UMICH account recovery information. You can ask to be reminded later or dismiss the prompt if you are in a hurry.

There's no need to wait for the prompt. You can set your account recovery information anytime at UMICH Account Management.

You can request that Information Assurance (IA) check your unit's computers and storage twice a year (or more often as requested)—in May and November—to help ensure that sensitive and regulated data is not being stored unnecessarily. The Sensitive Data Discovery service, provided automatically to MiWorkspace units, is now available to all U-M units on request.

IA uses a software tool to check for two types of sensitive data: Social Security numbers (SSN) and credit card numbers. The tool looks for numeric patterns formatted like Social Security and credit card numbers and produces a report listing potentially sensitive files and their locations. The tool can check for additional patterns if desired. For example, if researchers in your unit want to check for numbers that could potentially be medical record numbers or some other type of number, you can request that.

The tool is designed to respect privacy. It does not review or examine content; it simply looks for numeric pattern matches.

Learn more about Sensitive Data Discovery on Safe Computing. Contact the ITS Service Center to request it for your non-MiWorkspace unit.

• UMIDs Associated with Names Require Additional Protection. The data classification by level chart has been revised to break U-M identification (UMID) numbers into two types with different classifications and provides new guidance on safeguarding them:
  • UMIDs not associated with names are classified as Low.
  • UMID numbers associated with names are classified as Moderate.
• Guidelines for Domestic and International Travelers. Information Assurance (IA) is asked with some frequency about what faculty, administrators, and staff traveling to countries with restricted internet access or that ban certain encryption technologies can do to be prepared for electronic communications. Safe Computing's guidance was recently revised to better account for issues travelers to countries like China may experience. Check out the two-page handout on Device Security Guidance for International Travelers (available in the Guidelines) that provides details on what are deemed to be the most productive steps to take before traveling and while in other countries.
• Privacy. Pages within our section on privacy have been reorganized to help you find useful privacy information and resources at U-M and beyond. There's also a new listing of current privacy-related articles.

As in prior years, the official Internal Control certification request will be distributed to the key administrators of the 46 certifying units across U-M at the end of August, with signed copies due by the end of September. Information Assurance works with the Office of Internal Controls to help ensure that units are ready to respond affirmatively to the information assurance question.

This year’s question deals with compliance with the new Electronic Data Disposal and Media Sanitization Standard. Security Unit Liaisons (SULs) and unit IT staff can use the guidance on Safe Computing to support their unit’s response.

Plan now to attend the annual Security at University of Michigan IT (SUMIT) day-long conference on Thursday, October 25, at Rackham Auditorium on the UM-Ann Arbor campus. This year’s theme is the world-class security and privacy research and work that is done right here at the university. Watch for more information in the coming months as speakers and topics are finalized.

Getting a Flood of G.D.P.R.-Related Privacy Policy Updates? Read Them
The New York Times, 5/23/2018

Europe's new General Data Protection Regulation (GDPR) has caused companies around the world to rewrite their privacy policies, and we are all seeing notices of privacy policy updates from those who collect and use data about us. According to this article, those notices are worth reading. They are a good reminder and opportunity to revisit your own privacy settings and take action to protect your privacy. You can learn more about how GDPR may affect you and the university at General Data Protection Regulation (GDPR) Compliance.

Net Neutrality Is Officially Dead. Here's How the Changes Could Affect You, According to Experts
Money, 6/11/2018

With the end of net neutrality in June, experts are debating the likely implications. This article quotes several experts, including Florian Schaub, U-M assistant professor in both the School of Information and the College of Engineering. "ISPs could curate what online content and services most people will have access to, and which ones will only be available to those who are willing to and can afford to pay extra," said Schaub, though he thinks changes will be incremental over time.

Schaub is one of many IT security and privacy experts who participate in U-M's Dissonance Event Series, a collaboration where expert speakers address timely digital-age subjects such as election hacking or personal privacy. You can suggest a topic or a speaker for future Dissonance events and see news and papers by and about Dissonance speakers on Safe Computing.

Safe Computing's In The News page now lets you view news articles by category. Select one or more categories from the View By Category list, and the page will update to show only articles in those categories. Categories include "Fraud & Scams," "Privacy," and more. Information Assurance staff members curate the articles list to keep you abreast of the latest IT security and privacy news. The three most recent news articles are listed on the Safe Computing home page.

You have an important university email to send, but how do you craft it so it looks like the official, trustworthy, communication it is? In other words, how do you keep people from thinking it is a phish?

Email users are rightfully suspicious of unsolicited email, but that can sometimes cause them to ignore or delete your important, legitimate communications. When you send email on behalf of your unit or office, focus on helping recipients verify its legitimacy so they know it is safe to open and the information can be trusted.

• Make it easy to verify the sender. The From address for your email should be an address that is clearly associated with your unit, preferably one that people can verify online. The signature line should also be verifiable, with the person's name and/or unit name spelled correctly and matching the name on your website. Use appropriate U-M branding elements, and be sure to use them correctly. See U-M Office of Communication Brand Standards (U-M login required).
• Make link locations clear. Use descriptive link text with the full URL. The descriptive text lets people know what to expect if they click the link. They can see the full URL by hovering over the link with their mouse.
• Refer to supporting information. Refer to information on U-M websites that people already know and trust.

For more tips, see Guidelines for Writing Emails that Don't Look Phishy on the Safe Computing website.

Illicit cryptocurrency mining has displaced ransomware as the number one cyber security threat, according to industry experts (Forbes, 3/4/18). It can harm institutions by using significant and costly amounts of computing time and electricity and slowing system performance.

Don't Use U-M Resources for Mining
You are prohibited from using university resources (including computing equipment, network services, and electricity) for cryptocurrency mining activities outside of faculty-approved research and coursework according to Responsible Use of Information Resources (SPG 601.07). This use is essentially theft.

Protect Yourself from Mining Malware
Attackers use phishing techniques to trick victims into clicking links that load cryptocurrency mining code on their computers or infect websites with malicious code. The only sign of this victims may notice is a slowing of their computer's performance.

Protect yourself against unauthorized use of your own computer by following IT security best practices: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks.

Learn more on Safe Computing:

• Notice: Do not use U-M resources for cryptocurrency mining
• Phishing & Suspicious Email

U-M Social Media in the Office of the VP for Communications and the new School of Information Center for Social Media Responsibility have collaborated on a new Social Integrity website.

The new website promotes good digital citizenship and offers resources to help members of the university community and general public protect their privacy, spot fake news, and learn how best to deal with bad behavior on social sites. The Social Integrity site includes tools to help you understand your digital footprint, protect yourself online, and cultivate civil social media communities.

"Social Integrity is about educating social media users to create a more productive online space and empowering them to use the tools for the betterment of society," said Nikki Sunstrum, U-M director of social media.

Safe Computing has additional content encouraging good digital citizenship as well as listing actions we all can take to maintain our privacy appropriately while using social media:

• Digital Citizenship
• Social Media Privacy