Spring 2020

Leadership Update

New Resources to Help You Promote Remote IT Security

Thanks for continuing to be engaged and help support the shared responsibility we all have to protect U-M systems and data, even as we work remotely. ITS Information Assurance has rapidly developed a number of new Safe Computing resources to help you embed good IT security and privacy practices in this new normal:

If you have suggestions for additional resources that would be helpful to you, please send them to [email protected]. Again, thanks for all you do to safeguard U-M.

Sol Bermann
Chief Information Security Officer
Executive Director of Information Assurance

 

Project & Capability Updates

Vulnerability Scanning to Move from Quarterly to Monthly

To better help you secure your unit networks, ITS Information Assurance (IA) is preparing to increase the frequency of its universitywide scans and add internal network scanning. Beginning in late spring or summer, universitywide vulnerability scans will be performed monthly instead of quarterly.

The monthly scans will be similar to previous quarterly scans. The software begins by performing a TCP and UDP probe of common ports. It then attempts to intelligently enumerate the services running on them. With this knowledge, it will scan for a number of serious vulnerabilities identified by IA.

These scans cover the entire network address space registered to the University of Michigan. They come from a scanner positioned outside the university to give units the perspective of what an attacker can see from outside university networks.

Universitywide internal scanning will begin around the same time. The first couple of internal scans will be run on a test basis as IA fine-tunes the process. University networks will then be scanned monthly from inside the university to identify any potential vulnerabilities within U-M network space.

Results from both scans will continue to be sent to the network security contacts listed in NetInfo.

On-demand unit scans are also still an option. Whereas the universitywide scans check a list of commonly observed ports to find services to test, the unit-specific scans probe a larger number of ports. Results of these customized scans are sent to the specific contact people requested by the unit.

If you have questions about IA vulnerability scanning, you can contact [email protected].

 

New Services Added to Sensitive Data Guide

You can now check the Sensitive Data Guide to find out which data types are permitted for three new services:

You can find out what's new or updated in the guide at any time at Recent Updates to the Sensitive Data Guide. There is a link to it from the box on the Sensitive Data Guide home page.

 

Shared Responsibility & Unit Support

New Video: Report All IT Security Incidents

Thumbnail image of video Report it to security@umich.edu

“It is absolutely vital that members of the U-M community report suspected IT security incidents,” said Sol Bermann, chief information security officer and executive director of ITS Information Assurance. With most people working from home, it’s even more important. It’s so much easier for people to ignore or dismiss things when they can’t talk with co-workers and compare notes on any online concerns they see.

 

April/May Unit IT Security Checklist Provides Resources to Share

Every two to three months, ITS Information Assurance provides a unit security checklist to Security Unit Liaisons (SULs) and unit IT leadership. These checklists are intended to help units make incremental improvements to U-M’s and their unit's security posture, track their efforts, focus on key topics, and keep IT security in mind.

The April/May Unit Security Checklist is a special edition that focuses on securely working from home. Check it out, and share it with your colleagues. Unit security checklists are published on Safe Computing.

 

Identify and Monitor Risk in Your Unit with MitiGate

No matter where you are working from, you can use MitiGate to see key unit security information at a glance. MitiGate aggregates data from these sources every morning:

MitiGate makes it easier to manage and prioritize important IT security efforts, and provides a better overview of IT security risk in your unit. See details on Safe Computing at MitiGate for Units.

 

In the News

Coronavirus Scams Proliferating

Why smart people believe coronavirus myths
BBC, 4/6/20

Scammers are taking advantage of the fear and uncertainty surrounding the coronavirus pandemic to distribute malware, steal personal information, trick people out of money, and more. This BBC article explores the reasons why some of us fall for the misinformation and fraud and offers suggestions for debunking the myths.

ITS Information Assurance is maintaining a new page on Safe Computing, Coronavirus Scams, with descriptions of the latest pandemic-related scams and links to articles with more information. That page also includes links to legitimate coronavirus tracking maps and sites.

 

Zoom Moves to Improve Security

Zoom Rushes to Improve Privacy for Consumers Flooding Its Service
The New York Times, 4/8/20

According to this article, “The features that allowed companies to hop on videoconferences also made it easy for trolls to hijack meetings and harass students.” Zoom has formed a council of chief information security officers from other companies to share ideas on best practices and has committed to improving the product’s security and privacy.

ITS Information Assurance provides resources to help you choose appropriate settings and manage your videoconferences for improved security and privacy:

 

Tips to Share

New Video: IT Security Tips for When You Work from Home

With most people now working remotely because of the coronavirus, you need simple tips you can share for working securely from home. ITS Information Assurance has just published a new video you can share within your unit that covers the basics: secure your devices, secure your connections, beware of phishing and scams, protect sensitive data, and respect privacy.

 

New Video: Tips for Safe Videoconferencing

We are all suddenly doing a lot of videoconferencing. Share this new video from ITS Information Assurance with your colleagues to provide tips that will help them keep unwanted guests out of their meetings and have a safer, more pleasant videoconferencing experience.

 

Fraud Alert: Tax Season Extension, Economic Impact Payments

Watch for tax fraud during extended tax season

With tax filing deadlines extended from April 15 to July 15, the risk of tax fraud is extended as well. Be alert for fraudulent phone calls and emails from scammers pretending to represent the IRS. See Safe Computing: Beware of Tax Fraud for examples and more information.

Rely on the IRS for information about coronavirus economic payments

According to the Internal Revenue Service (IRS), most people do not need to take any action to receive the economic impact payment they are eligible for. The IRS plans to mail a letter about the economic impact payment to the taxpayer’s last known address within 15 days after the payment is paid. The letter will provide information on how the payment was made and how to report any failure to receive the payment.

The IRS provides this warning at IRS: Economic Impact Payment Information Center:

The IRS urges taxpayers to be on the lookout for scam artists trying to use the economic impact payments as cover for schemes to steal personal information and money. Remember, the IRS will not call, text you, email you or contact you on social media asking for personal or bank account information – even related to the economic impact payments. Also, watch out for emails with attachments or links claiming to have special information about economic impact payments or refunds.

 

Just for Fun: “Tired of Adulting” Fun Book for Cybersecurity Pros

We couldn’t resist sharing this cybersecurity activity book we came across. Take a break with cybersecurity-themed activities including a word search, crossword puzzle, anagrams, puns, and more.

And if your kids need something to do, share the activity book for kids with them: