Summer/Fall 2020

Leadership Update

Security Tools to Protect U-M and Your Unit

Safe Computing - It's good for you and the U.

The COVID-19 pandemic has not slowed down cybercriminals and other threat actors. If anything, the resulting move to remote work and study has left some computers more vulnerable. Phishing, ransomware, and other attacks continue to increase, with universities, school districts, government, and health care targeted.

“Strategic investments to improve security were needed more than ever,” said Sol Bermann, chief information security officer and executive director of ITS Information Assurance (IA). “To help you protect U-M and your unit’s data and systems from increased risks, we are excited to be rolling out CrowdStrike Falcon for enhanced endpoint protection and Virtru, a new email security tool.”

CrowdStrike Falcon

This fall, the university is replacing its existing anti-malware software for university-owned computers (Sophos for Mac, Microsoft Defender for Windows, and ClamAV for Linux) with CrowdStrike Falcon, an enhanced endpoint protection solution for laptops, desktops, and servers. Falcon, already in use on MiWorkspace and many MiServer machines, provides antivirus, anti-malware, and threat detection and mitigation capabilities, all of which provide even stronger protection against ransomware than previous tools. ITS IA is working with units across the UM-Ann Arbor, UM-Dearborn, and UM-Flint campuses to implement the new endpoint protection; Michigan Medicine uses a different solution. Watch for more information in the coming months.

Virtru

U-M faculty, staff, and students can add an extra layer of security to their U-M Gmail email messages by using Virtru, which provides end-to-end encryption for email, and more! Virtru also lets you see whether the recipient has opened the email, set an expiry date beyond which the email cannot be read, and revoke the ability to read an email after it has been sent. Watch for broader communication about Virtru as we move into National Cybersecurity Awareness Month in October. Virtru is available now. For details, see:

 

Project & Capability Updates

CIS-CAT Results and IA Alerts Added to MitiGate

You can now see more information about your unit's IT security in MitiGate, your online gateway for viewing IT security risk data. Two new sections have been added:

  • Alerts, Advisories, Notices. MitiGate now pulls in an RSS feed from the Safe Computing website of the IA alerts, advisories, and notices about the latest software vulnerabilities and scams affecting the U-M community.
  • CIS-CAT results. MitiGate now includes a list of all of the systems in your unit for which CIS-CAT results have been submitted to ITS Information Assurance (IA), what assessment was used as a benchmark, and what score each system received. The Center for Internet Security’s Configuration Assessment Tool (CIS-CAT) can be used to scan systems against a predetermined benchmark and recommend areas of hardening that need to be addressed.

In addition, the MitiGate Vulnerabilities section has a new toggle switch that allows you to exclude MiWorkspace devices and focus on unit-managed machines.

MitiGate is intended for use by Security Unit Liaisons (SULs), unit IT leaders, and unit leadership. Access is provided only to those who have a U-M business need to see the IT security risk information it contains.

 

New UMICH Password Strength Requirements

Next time you change or reset your UMICH (Level-1) password, you will need to meet new password strength requirements. Existing passwords are not affected by the new requirements and can remain as is.

The new requirements, which took effect August 15, align with current best practices and National Institute of Standards and Technology (NIST) guidelines for passwords. Now, newly created, changed, or reset UMICH passwords:

  • Must be 15 characters or longer. Tips for creating long passwords have been added to the documentation.
  • Are dynamically assessed for strength using an algorithm that calculates a strength score.
  • Are checked against a database of known breached passwords.

“The updated password requirements reflect the latest thinking in password strength and better address the evolving threats the university faces. I really appreciate the IAM (Identity and Access Management) team and the IAM Advisory Council pushing this forward,” said Sol Bermann, U-M chief information security officer and executive director of ITS Information Assurance.

 

Use Duo for VPN!

You can now use Duo two-factor protection with the U-M Virtual Private Network (VPN) for the UM-Ann Arbor campus. With faculty, staff, and students already benefiting from Duo two-factor authentication at Weblogin, ITS is working to further extend this protection to other university services.

Try it now on your personal computer

Visit ITS: Getting Started With VPN and choose your operating system to get VPN profiles—plus the Cisco AnyConnect client—that prompt for Duo at login. Profiles incorporating Duo are available for macOS, Windows, and Linux. The Duo “Remember me” feature does not currently work with AnyConnect on Mac or Linux; it does work with AnyConnect on Windows.

MiWorkspace and other managed computers updated for you

  • Mac. If you have a MiWorkspace Mac or a Mac managed via ITS’s Managed Software Center (that is, those managed via Izzy), you do not need to do anything at this time; you can keep using the built-in Mac VPN connection method if you wish. You can, however, gain Duo two-factor protection for VPN by using the Cisco AnyConnect client. It is available on your MiWorkspace computer in Applications --> Cisco.
  • Windows. MiWorkspace Windows computers are equipped with an “always on” VPN-like client called DirectAccess that does not require separate client software. If you use the Cisco AnyConnect client on a MiWorkspace Windows computer, you will use the updated connection profile with Duo.

Duo to be required for VPN later

  • ITS anticipates Duo for VPN will be required at some point during the 2020-21 academic year.
  • ITS will work with U-M units and communicate extensively before requiring Duo for U-M VPN access.
  • Retirees and alumni—who use a different, designated connection profile—will not be required to use Duo for VPN.

Connection profiles without Duo will remain available for now for those who want to continue using them.

 

Third Party Vendor Standard Changes Allow Greater Flexibility

Units now have greater flexibility when contracting with third party vendors that will store or process some levels of sensitive university data. Changes to Third Party Vendor Security and Compliance (DS-20) prompted by suggestions from a number of you have been approved by the chief information security officer and the vice president for information technology. That standard and its related guidance on Safe Computing will be updated soon.

The changes were proposed by a working group with representatives from the College of Literature, Science, and the Arts; the College of Engineering; Procurement; the School of Information; the School of Education; and the School of Social Work. The working group was formed after ITS Information Assurance received feedback from a number of units at the Standards Working Sessions held in 2019 and in follow-up conversations.

Here are the changes by data classification level:

  • Low. A Data Protection Agreement (DPA) is no longer needed if the vendor will store or process sensitive university data classified as Low.
  • Moderate (non-FERPA). The standard previously required a DPA. Now, if a DPA cannot be obtained, alternative documentation (such as public privacy policies or terms of use) can be used instead if they cover the same basic information. If alternative documentation cannot be obtained, units can now accept the risk on their own with senior unit leadership signoff.
  • Moderate (FERPA). A FERPA agreement (sometimes called a DPA lite) can be used in place of the full DPA.
  • High and Restricted. No change. A DPA is still required, along with the U-M Service Provider Security-Compliance Questionnaire (UMSPSCQ) (or equivalent) and a Business Associate Agreement if the vendor will store or process Protected Health Information (regulated by HIPAA).
 

Identity & Access Management

SSL Certs Now Have a One-Year Maximum Length

Two-year SSL server certificates are no longer available. Sectigo, the company that makes these certificates available to the U-M community through InCommon, stopped offering the two-year certificates this summer and now only offers certificates that last up to one year (up to 398 days including a 30-day grace period).

This was part of an industry-wide change. Web browsers and devices from Apple, Google, and Mozilla no longer trust any two-year certificate issued after August 30, 2020.

  • Two-year certificates received from ITS will continue to be accepted by web browsers through the end of the certificate's original lifetime. You do not need to renew any existing certificates early.
  • There are no changes to the maximum lifetime for code signing certificates.
 

Shibboleth IdP Upgrade October 3

The U-M Shibboleth Production Identity Provider (IdP) will be upgraded from version 3.4.7 to 4.0.1 on Saturday, October 3, 2020.

Shibboleth is federated identity management software used to provide single sign-on. It allows members of the university community to log in to university-provided cloud services with their uniqname and UMICH (Level-1) password.

These additional enhancements will be implemented during the IdP upgrade:

  • Shibboleth at U-M will begin to use its own internal authentication instead of Cosign. This is a “behind the scenes” change with no user impact. Cosign at U-M will not be affected and will remain available.
  • The logout function for Shibboleth with U-M Weblogin will change slightly. People who click log out from within an application will be logged out of only that specific application instead of all web-authenticated resources.
  • New IdP servers will be installed to modernize the infrastructure and improve reliability.

ITS has been communicating with unit contacts who use U-M Shibboleth with their Service Provider applications to ensure their configurations are updated and tested. You can send questions to [email protected].

 

Shared Responsibility & Unit Support

Do Your Part to Deflect Ransomware

Ransomware is on the rise, and everyone at U-M has an important role to play in protecting U-M data and systems. Ransomware attempts often begin with a phishing email.

When the recipient opens an attachment or shared document or visits a malicious website, ransomware or other malware is installed on their computer. It can then infect and encrypt files on their computer and connected systems. In other cases, attackers gain access to install ransomware on a system that is exposed to the internet through vulnerabilities in software that is not kept up-to-date.

Once systems are infected, the threat actor demands a ransom (usually to be paid through cryptocurrency) to restore your access. They may also threaten to publish or delete the data if you don't pay.

You can help protect the university from ransomware by doing the following:

  • Recognize and avoid falling for phishing and suspicious email.
  • Keep your software up-to-date. Apply software updates promptly, and ensure that security software (such as antivirus) is running and up-to-date.
  • Back up your data. See Back Up U-M Data for requirements if you are responsible for managing university data and/or systems that store it.

Resources to share. See Ransomware: Don't Pay the Ransom! and Ransomware Mitigation for additional details, and print and post this 8-1/2 X 11 inch poster—Poster: Beware of Ransomware! Digital signs are also available.

 

Check Systems for Signs of Compromise

Has a system you are responsible for been compromised? How would you know? What should you do? Almost all IT professionals at some time in their career have faced these questions.

ITS Information Assurance (IA) offers guidance for checking your systems for signs of compromise or suspicious activity. Start by checking system and software logs for the following components to be sure they are running as expected and have no unexpected configuration changes:

  • Antivirus and malware detection software
  • Network activity
  • Changes to the operating system or files and directories
  • Unexpected changes, including to protections like firewalls

Checking Systems for Signs of Compromise covers these points and more to help you know when you could be facing a potential IT security incident. If you are, or just need help with checking a system, IA is there to help. Contact IA through the ITS Service Center.

Sensitive U-M data? If a system contains sensitive U-M data and you suspect it has been compromised in any way, report it immediately to IA at [email protected].

 

After-Hours Access to IA Incident Response Team

When you have an urgent need to contact the ITS Information Assurance Incident Response team outside of normal business hours, you can call the ITS Service Center at 734-764-4357. Service Center staff have a new on-call phone number they can use to reach a member of the Incident Response team for you.

The Incident Response team is on call outside of normal business hours for serious security incidents (see Information Security Incident Reporting (SPG 601.25) for definition) and emergency IT User Advocate issues.

 

Reminders & Events

October is Cybersecurity Awareness Month

Each October we celebrate Cybersecurity Awareness Month by reminding members of the university community about their shared responsibility to protect themselves and the U and by sharing IT security and privacy tips. This year's theme is Do Your Part. #BeCyberSmart.

Virtual Sessions

While we won't be hosting our usual in-person SUMIT cybersecurity conference this year, we are planning a number of virtual sessions on topics such as Virtru enhanced email security, use of federated identities, privacy, remote IT security, and more. Watch your email and the Safe Computing: Cybersecurity Awareness Month 2020 page for details about these and other activities as more information becomes available.

Resources on Safe Computing

We encourage you to share resources from Safe Computing in your unit. Please consider sharing some of the information in the New and Updated Info on Safe Computing for You article below and the Tips to Share section at the end of this newsletter in your unit, as well as our Awareness, Training, and Education resources.

 

New and Updated Info on Safe Computing for You

Many new resources were added to Safe Computing over the spring and summer to help you and those you support in your unit. Start with the new video You've Got a Site for That—Safe Computing (1:55), a quick “flyover” overview of the many resources available on the Safe Computing website. Then check out these resources on important topics:

  • Working and Learning Remotely
  • Privacy and Security for Videoconferencing
  • Protect the U
  • Protect Yourself

 

In the News

Ransomware Attacks Wreak Havoc on Universities, School Districts

Ransomware attack threatens to release stolen Michigan State University files
MLive, 5/28/20

Ransomware And Zoom-Bombing: Cyberattacks Disrupt Back-to-School Plans
ThreatPost, 9/10/20

The Week in Ransomware - September 11th 2020 - A barrage of attacks
Bleeping Computer, 9/11/20

Universities moved up the list of major targets of ransomware attacks in 2020. Ransomware has caused a growing number of headaches for corporations like Garmin and municipalities like Lafayette, and now for a growing number of school districts and universities, including fellow Michigan school Michigan State University.

Ransomware encrypts files so that a criminal can hold them for ransom, demanding payment to decrypt them or to keep them from being made public. See Ransomware: Don't Pay the Ransom! and Ransomware Mitigation for information on protecting yourself and U-M.

 

Password and Account Dumps Put Reused Passwords at Risk

University of Michigan: Leaked emails, passwords were from ‘3rd-party data breaches’
Detroit Free Press, 7/4/20

ITS IA Advisory: No U-M “data breach”—U-M user info used on 3rd party sites exposed
Safe Computing, 7/4/20

It doesn’t have to be your systems or data getting compromised to give you an IT security headache. That was the case for U-M and a number of other universities when large pastebin dumps of non-university account names and passwords were made public. These dumps take email addresses and passwords stolen in various data breaches, collect them, and make them publicly available. When people reuse their U-M password for personal accounts outside the university along with their U-M address as their user ID, that puts their personal information and university resources at risk.

Protect yourself and U-M by using a unique password for each site or service you sign up for outside U-M, so that if any of those sites experience a data breach, your other accounts, especially your U-M account, remain secure. Head to Safe Computing to get tips to help Manage Your Passwords. And Consider a Password Manager if you have too many passwords to remember.

 

Tips to Share

Resources for Remote Work and Study

With quick tips for securing connections and devices, avoiding phishing, and keeping videoconferences private, IT Security & Privacy for Remote Work & Study offers you a one-stop location for remote work IT security and privacy guidance.

For even more IT remote work information, see the ITS Remote Resource Guide.

 

New Video: Intro to Safe Computing—You've Got a Site for That

Wondering if that weird email you just got is a scam? Need to know how to get a new phone set up to do Duo two-factor? Wondering how to secure your home network now that you are working and learning from home? Need to provide cybersecurity or privacy tips to a customer or colleague?

You've got a site for that: Safe Computing.

Check out this new video for a virtual flyover of the many resources available on Safe Computing:

Please share with others, especially people new to U-M or unfamiliar with ITS resources.

 

Good Group Owners Make Great MCommunity Groups

Are you creating new MCommunity groups to help you collaborate and stay in touch with people while working or learning remotely? Group owners are responsible for ensuring that members of their group have a good experience. The MCommunity Directory includes options to help you do that.

If you own a group, your responsibilities include:

  • Having a clear purpose for your group, so group members understand what the group is for. It is helpful to describe the purpose in the Description section of your group.
  • Respecting the privacy of group members by choosing appropriate privacy settings. For example, set your group so that only the members can see the other members if privacy is needed.
  • Including group members only with their permission.
  • Removing group members who ask to be removed.
  • Having more than one owner, particularly for groups that are used for university business.
  • Removing groups promptly when they are no longer needed.

See a detailed list of group-owner responsibilities, as well as instructions for updating groups in Managing MCommunity Groups that You Own.

 

How to Spot a Spoof

Some email scams are easy to spot. Other types of scams, like emails with forged or misleading sender addresses, can be harder to catch.

Such emails are often referred to as “spoofed.” Scammers “spoof” by trying to make you think the sender is someone you know and trust in an attempt to get you to send money, disclose personal information, download malware, and so on.

Spot the spoof

  • Compare the address with the display name. Often the name will be familiar, but the actual address will not be.
  • Look for a previous email you received from the sender and see if the address is the same.
  • Check the spelling. Scammers often change a single letter in the name of the person they are impersonating.
  • Compare the From and Reply-To addresses. Be suspicious if the From address is clearly a U-M address, but the Reply-To address is not.
  • Check that email from someone at U-M is from a umich.edu address. Scammers often create free email accounts from Google or Yahoo with names similar to those of U-M officials.
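
The checks listed above can be applied mechanically to a message's headers. The following Python is an added example, not code from U-M or Safe Computing; the KNOWN_SENDERS table (standing in for "a previous email you received from the sender"), the clue names, and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: display name -> address taken from earlier, trusted mail (constructed).
KNOWN_SENDERS = {"Pat Example": "patexample@umich.edu"}
# Free mail providers named in the tips above (Google, Yahoo).
FREE_MAIL = {"gmail.com", "yahoo.com"}

# Constructed sample headers, one per clue.
SAMPLES = {
    "legit": "From: Pat Example <patexample@umich.edu>\nSubject: Agenda\n\n",
    "free_mail": "From: Pat Example <pat.example.umich@gmail.com>\nSubject: Favor\n\n",
    "lookalike": "From: Pat Example <patexanple@umich.edu>\nSubject: Invoice\n\n",
    "reply_to": ("From: Pat Example <patexample@umich.edu>\n"
                 "Reply-To: pat.example@mail.example\nSubject: Urgent\n\n"),
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch a single changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def is_umich(addr):
    """True only for umich.edu and its subdomains, not for look-alike domains."""
    d = domain_of(addr)
    return d == "umich.edu" or d.endswith(".umich.edu")


def spoof_clues(raw_headers):
    """Return the list of spoofing clues found in one message's headers."""
    msg = message_from_string(raw_headers)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    clues = []

    known = KNOWN_SENDERS.get(name)
    if known and known != from_addr:
        # Familiar display name, but not the address seen in earlier mail.
        clues.append("name-address-mismatch")
        if domain_of(from_addr) in FREE_MAIL:
            clues.append("free-mail-impersonation")
    for addr in KNOWN_SENDERS.values():
        if edit_distance(from_addr, addr) == 1:
            # One letter away from an address you already know.
            clues.append("lookalike-address")
    if reply_addr and is_umich(from_addr) and not is_umich(reply_addr):
        # From looks like U-M, but replies would go somewhere else.
        clues.append("reply-to-outside-umich")
    return clues


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, spoof_clues(headers))
```

An empty result means only that none of these clues fired; the From header itself can be forged, which is why the full message headers are worth examining as well.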

Additional clues on Safe Computing

See How to Spot a Spoof for other clues about the sender you can examine. For example, you can review typical scam emails on Safe Computing to learn what sorts of requests (like requests for gift cards) are suspicious. You can also look at the full or original headers of the message for additional clues.

 

That Text Message Might Be a Scam

You know to be wary of phishing emails and phone scams, but did you know that crooks also send text messages to steal your identity and money?

These scams, called “smishing”—the word comes from SMS + phishing—appear to be increasing during the COVID-19 pandemic.

Warning signs

  • Consider any unexpected text message from an unknown number suspect. Smishes may prompt you to click a link or reply—usually by offering you something or provoking your curiosity or fear.

Here are some common smishes:

  • You are told you have been in contact with someone who’s tested positive for the coronavirus and asked to click to schedule a test. This is a scam designed to steal your personal information.
  • You are offered a free coronavirus test kit—from an unknown number with no details. The scammers usually ask for your credit card number to cover shipping for a test kit that will never arrive.
  • You are told your package has arrived—but you didn’t order one. The fake tracking link will take you to a site asking for your credit card number to cover shipping costs for a package you will never receive.

For more examples, see Safe Computing: Text Message (SMS) Scams—Smishing.

If you get a smish

  • Do not reply. That alerts the sender that the number is active.
  • Do not open links from unknown numbers or unsolicited, unexpected texts.
  • Check with the sender if you aren’t sure and think the message may be legitimate. Use a verified phone number or email address to contact them.