Winter 2021

Leadership Update

CrowdStrike Falcon deployment deadline is February

CrowdStrike Falcon, an enhanced endpoint protection solution for laptops, desktops, and servers, provides antivirus, anti-malware, and advanced threat detection and mitigation capabilities, all of which provide even stronger protection against ransomware than previous tools. ITS Information Assurance (IA) is working with units across the UM-Ann Arbor, UM-Dearborn, and UM-Flint campuses to implement the new endpoint protection by the end of February (Michigan Medicine currently uses a different solution).

"The university has made great progress installing Enhanced Endpoint Protection powered by CrowdStrike Falcon on university-owned desktop computers, laptops, and servers, and I can't tell you how much I appreciate everyone's efforts so far," said Sol Bermann, chief information security officer and executive director of ITS IA.

"Installation of Falcon is critical to secure and protect U-M systems and data. Falcon has already detected or prevented a number of potentially serious incidents at U‑M," said Bermann. "Without CrowdStrike, those incidents could have been much, much worse. In short, this technology works."

ITS and the CrowdStrike Project Team are ready to help you complete your Falcon installation by the end of February. Contact them through the ITS Service Center.

 

EMOTET botnet takedown is great news (but don’t let your guard down)

Your data and devices are a bit safer from attack by one of the most significant botnets of the past decade—EMOTET. In January, investigators took control of EMOTET's infrastructure through a multinational collaborative effort.

Discovered as a banking trojan in 2014, EMOTET grew into a botnet—a network of compromised computers—over the years. Cybercriminals worldwide purchased access to EMOTET to secretly install trojans, ransomware, and other malware on victims' computers in millions of costly cyberattacks. According to the U.S. Cybersecurity and Infrastructure Security Agency, EMOTET infections cost local, state, tribal, and territorial governments up to $1 million per incident to remediate.

"The takedown is great news," said Kevin Cheek, university incident response lead, ITS Information Assurance (IA), "but cybercriminals never give up." They continue to use existing botnets, malware and other attack vectors.

EMOTET most frequently got onto computers through phishing emails that enticed recipients to open infected attachments or click malicious links. Once it was on a computer, it allowed criminals to load additional malware and to use more sophisticated techniques to infect other machines.

"We all need to continue to do our part to protect the university and each other from malware like this," said Sol Bermann, chief information security officer and executive director of ITS IA. "That means deploying advanced tools like CrowdStrike Falcon and continuing to 'secure the human' by learning to recognize and avoid phishing, not opening unsolicited attachments, and not clicking suspicious links." Learn more on Safe Computing:

Learn more about the EMOTET takedown in these articles:

 

Project & Capability Updates

Continual improvement of anti-phishing capabilities: Meet Area 1

To continue to improve IT security at U-M, Area 1 Security has been added to the mix of anti-phishing defenses. Go-live for all U-M campuses—UM-Ann Arbor, UM-Dearborn, UM-Flint, and Michigan Medicine—will be during March.

  • No action is needed on your part.
  • For U-M Google users, incoming emails that Area 1 identifies as likely phishes are moved to your Spam folder.
  • For Michigan Medicine Outlook Exchange users, the phishing emails are automatically deleted.
 

Email forwarding addresses updated

To enable Area 1 anti-phishing, a behind-the-scenes update is being made during March to the U-M Google mail forwarding address listed in your MCommunity profile settings. The update will modernize the forwarding address from @go.itd.umich.edu to @go.mail.umich.edu. Michigan Medicine mail forwarding addresses in MCommunity are not changing. For all members of the U-M community, your U-M email address remains youruniqname@umich.edu.

MCommunity documentation has been updated to reflect the name change. If users notice and ask you about it, please let them know this is simply a domain name modernization update, and they can ignore it.

 

Identity & Access Management

ITS support for TLS 1.0 and 1.1 ends in May

To improve security, ITS will remove support for Transport Layer Security (TLS) 1.0 and 1.1 from its Identity and Access Management (IAM) services in early May 2021. TLS 1.2 will continue to be supported.

This change may impact some of your systems or appliances (such as VPNs) that authenticate users or check group membership via LDAP or Active Directory. If you are using an unsupported tool to communicate with an ITS application, please plan ahead to upgrade or replace it.

Affected applications. ITS IAM applications that will no longer support TLS 1.0 and 1.1 include:

Replace or upgrade this software. The following outdated software, which is unsupported, will need to be replaced or upgraded to work with TLS 1.2 and newer on any systems or devices that connect or log in to the applications listed above:

  • Java 7
  • Red Hat Enterprise Linux 5
  • Windows XP and Vista
  • Windows Server prior to 2008 R2
  • Android 4.4
 

Shared Responsibility & Unit Support

Get to yes: 2021 Internal Control certification question focuses on Falcon

The annual Internal Control certification request will be distributed to the key administrators of the 46 certifying units across U‑M at the end of August, with signed copies due by the end of September. ITS Information Assurance works with the Office of Internal Controls to help ensure that units are prepared to respond to the information assurance question.

Fiscal Year (FY) 2021 Question: My unit has deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process, and

  • Has plans and processes in place to deploy Falcon on machines that are currently inaccessible due to the pandemic.
  • Has plans and processes in place to support deployment in an ongoing manner.

Responses to FY21 Question:

  • Yes. My unit has deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process; has plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has plans and processes in place to support deployment in an ongoing manner.
  • Partial. My unit has deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on some U-M owned computers and servers identified through the ITS Information Assurance survey process; has plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has plans and processes in place to support deployment in an ongoing manner.
  • No. My unit has not deployed CrowdStrike Falcon, which provides enhanced endpoint protection, including antivirus and anti-malware, on U-M owned computers and servers identified through the ITS Information Assurance survey process; has no plans in place to deploy Falcon on machines that are currently inaccessible due to the pandemic; and has no plans and processes in place to support deployment in an ongoing manner.

All units should be able to reply yes or partial to the FY21 question. Security Unit Liaisons (SULs) and unit IT staff can use the guidance on Safe Computing to support their unit’s response.

 

Protect your U-M VPN connection with Duo

When working from home or elsewhere, you are highly encouraged to use Duo two-factor protection for additional security with the U‑M Virtual Private Network (VPN). While use of Duo with the VPN is not currently required, we anticipate it will be in the coming calendar year.

Use it on your personal computer

Visit ITS: Getting Started With VPN and choose your operating system to get VPN profiles—plus the Cisco AnyConnect client—that prompt for Duo at login. Profiles incorporating Duo are available for macOS, Windows, and Linux. The Duo "Remember me" feature does not currently work with AnyConnect on Mac or Linux; it does work with AnyConnect on Windows.

MiWorkspace and other managed computers updated for you

  • Mac. If you have a MiWorkspace Mac or a Mac managed via ITS’s Managed Software Center (those managed via Izzy), the Cisco AnyConnect client app with the VPN profile using Duo is available on your computer for your use at Applications > Cisco.
  • Windows. MiWorkspace Windows computers are equipped with an "always on" VPN-like client called DirectAccess that does not require separate client software.

Duo to be required for VPN later

  • ITS anticipates Duo for VPN will be required in 2021.
  • ITS will work with U-M units and communicate extensively before requiring Duo for VPN access.
  • Retirees and alumni—who use a different, designated connection profile—will not be required to use Duo for VPN.
 

New FERPA compliance training available

ITS Information Assurance helped develop a new online training course that supports those at U-M who interact with student education records. The course provides information about responsible use and compliance with federal law.

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. As an educational institution, the university must be compliant with its requirements. The comprehensive new course teaches faculty, researchers, staff, and students how to responsibly handle student information. RO100: FERPA at U-M is available via My LINC. It takes less than an hour to complete.

For more about the training, including the working group that created it with input from university stakeholders, see New FERPA compliance training encouraged for U-M faculty, staff (The University Record, 1/21/21).

 

Reminders & Events

Igo reviews history of the SSN at Privacy Day webinar

Have you ever thought about getting your Social Security number (SSN) tattooed on your arm? A number of people did just that during the early days of the SSN, according to acclaimed author Sarah Igo.

Igo, the Andrew Jackson professor of history and director of the Program in American Studies at Vanderbilt University, shared that and other stories about SSNs at her U-M Data Privacy Day webinar, Nine Digits: A Brief History of Data, Privacy, and the SSN, on January 28. The webinar was co-sponsored by ITS Information Assurance, the U-M School of Information, and the Dissonance Event Series.

Igo traced the SSN from its enthusiastic welcome as a public sign of inclusion in the American dream, through years of growing suspicion and distrust, to its role in today's world of big data, where SSNs are now considered to be very private, personal information.

In 1935 when the SSN was introduced, "The promise of economic security seemed to outweigh the spectre of big brother," said Igo. Most Americans quickly accommodated themselves to being numbered. For a while, there was a booming market for plaques, rings, bronze plates, and more engraved with one's SSN.

That changed quite suddenly in the 1960s with a major debate about privacy, noted Igo. She said that concerns were twofold: There were "technological fears of things like wiretapping and computing and political concerns stemming from distrust of authority around things like the war in Vietnam."

Said Igo, "SSNs hold a special place in today's pantheon of data privacy worries." Over time, a symbol of security came to be seen as a symbol of privacy insecurity. "It's unquestionable that we're living in a moment of deep unease about big data, about social media, and about what is more and more now called surveillance capitalism," said Igo.

Denise Anthony, professor of health management and policy at the U-M School of Public Health, facilitated a question and answer session with Igo in which they discussed shifting ideas of privacy. "Part of what changed in the story of the Social Security number is who American citizens put their trust in," noted Igo.

A recording of the presentation (57 minutes) is available, along with a transcript.

 

Student webinar introduces ViziBLUE

"When I started at the university, data privacy was at the bottom of the list of things I cared about," said Himaja Motheram of the student group Tech for Social Good at the February 2 Student Data, Privacy, and ViziBLUE webinar. "I didn't understand everything that I did online left a digital footprint behind. But that was a simplistic view of data privacy."

Motheram, a former ITS intern, joined fellow former interns Tianyu Jiang and Julia Silverman, along with Taylor Murray and Ceciel Zhong of Tech for Social Good, for the webinar, which was part of the Privacy@Michigan event series recognizing Data Privacy Day. Svetla Sytch, assistant director of privacy and IT policy in ITS Information Assurance, facilitated the discussion.

The panelists shared their perspectives on privacy and introduced the new student guide to personal data—ViziBLUE. On ViziBLUE, U-M students can find out what personal information the university collects and how it is used and shared. Silverman walked participants through a typical day in the life of a U-M student, pointing out what data is collected during routine activities like getting a library book or connecting to WiFi. Information about that data collection and use is on ViziBLUE.

Jiang, who designed and conducted student interviews as part of her work on ViziBLUE through the ITS internship program, explained that "U-M wants to improve transparency about students’ data with ViziBLUE." Based on the interview results, the project team refined the amount of information and its layout on the ViziBLUE dashboard to better meet student needs and interests.

Added Sytch: "U-M is committed to the responsible and ethical handling of your information. When it comes to privacy, ask questions and take action."

Zhong said, "Our student group Tech for Social Good is committed to creating space for folks who want to advocate for social justice causes through the lens of working in technology." The panelists said they see privacy as very much a social justice issue.

Said Murray, "Marginalized people especially are at risk of increased harm when their privacy is taken advantage of." She added: "I want to inspire more people to talk more about privacy with other people. I want a culture where we are more open to talking about our privacy concerns."

The panelists said that their understanding of privacy has changed as they have learned more. "Now data privacy is something that's never an afterthought for me," said Motheram, "and to me it means power to the people in a very specific sense."

Slides from the webinar are available.

 

Six Words About Privacy in EDUCAUSE Review

ITS Information Assurance's (IA) own Svetla Sytch, assistant director of privacy and IT policy, described some of IA's privacy engagement efforts in a January 28 EDUCAUSE Review blog post: Data Privacy Day 2021 Outreach: Six Words about Privacy.

In the blog post, Sytch explained that Six Words About Privacy at U-M came about through conversations with the chief information security officers at U-M and the University of California, San Diego (Sol Bermann and Mike Corn). It was inspired by the Race Card Project, which invited people from all walks of life to say—in six words—what "race" means to them. Six Words About Privacy invites people to share their thoughts about privacy in six words.

Sytch analyzed all the submissions received so far, looking for themes. "Of the almost 250 words, 14% refer to the notion of having control and being able to make choices when it comes to privacy," she wrote. "The second most popular theme, with 12% of the words, involves freedom, autonomy, and self-determination."

After you check out the blog post, consider visiting Six Words About Privacy on Safe Computing. Share your six words and read what others have submitted.

 

New and updated info on Safe Computing for you

Look for these updated and new resources on Safe Computing and share them with colleagues in your unit.

Endpoint Protection

With your help, the university has just about finished deploying the enhanced endpoint protection solution CrowdStrike Falcon. Safe Computing's antivirus pages have been revised and expanded to cover endpoint protection and Falcon implementation.

Events

The Safe Computing Events Calendar is updated frequently for you with new events that are free and open to the public. Recordings or slides for the recent Privacy@Michigan events are now available:

Privacy

Check out the new and updated information in Safe Computing's redesigned Privacy section. The whole section is worth browsing, but here are some highlights:

  • History of Privacy Timeline. Scroll through major milestones—from the U.S. Constitution to the California Consumer Privacy Act—that have defined and redefined privacy.
  • Privacy Engagement. This new page connects you to U-M privacy events and Six Words About Privacy. Share your six words and read what others have submitted.
  • Privacy at U-M. Review our five privacy principles and follow links to privacy policies, regulations, and laws that govern personal data collection and use. Get documentation, tools, and resources to help you understand and control your privacy as a member of the U-M community.
  • ViziBLUE. The ViziBLUE guide to personal data provides information on what student information is collected at U-M and how it is used and shared. For a quick overview, watch the ViziBLUE at U-M video.

Sensitive Data Guide updates

You can check for updates anytime at Recent Updates to the Sensitive Data Guide.

  • Two new service entries were added: Virtru at U-M and Microsoft Teams at U-M.
  • The Virtru at U-M entry was updated with additional guidance after Virtru was approved for use with Export Controlled Research in January.
  • The Zoom for Health at U-M entry was removed and the Zoom at U-M entry was updated. The two services have been consolidated, and Zoom at U-M can now be used for Protected Health Information (HIPAA).

Learn more

  • Information Assurance Capabilities. ITS Information Assurance (IA) provides some capabilities to the university at large and makes additional services available on request. In addition, IA provides IT security and privacy guidance, best practices, and information.
  • Tutoring Overpayment Scams. This new page describes how to recognize a variation on the common check-overpayment scam. Essentially, someone posing as a customer overpays the tutor with a fraudulent check and then asks to be refunded the "extra" payment.
 

In the News

WhatsApp privacy policy changes are a reminder to stay informed

Why WhatsApp’s New Privacy Rules Are Sparking Alarm
Bloomberg, 1/11/21; updated 1/21/21

According to Bloomberg, planned updates to Facebook Inc.'s WhatsApp privacy policy "have caused an outcry among technology experts, privacy advocates, billionaire entrepreneurs and government organizations and triggered a wave of defections to rival services." WhatsApp says the changes are needed for improved integration with other Facebook products.

Consumers are increasingly aware of, and concerned about, use of their data. While WhatsApp conversations are encrypted, you may already be sharing information about your usage and device with WhatsApp and its parent company, Facebook.

Check privacy policies and be aware of what information about you is collected and used so you can make informed choices about the services you use. U-M is committed to the responsible and ethical handling of data and has just introduced ViziBLUE, a guide to what student information is collected at U-M and how it is used and shared.

 

Use of facial recognition software increases in wake of Capitol attack

The facial-recognition app Clearview sees a spike in use after Capitol attack
The New York Times, 1/9/21

Clearview AI, a facial-recognition app used by law enforcement, saw a spike in use after the January 6 attack on the U.S. Capitol Building, reporting a 26% increase in searches over its usual weekday search volume. Clearview, which is used by more than 2,400 law enforcement agencies, relies on a database of more than three billion photos collected from social media networks and other public websites.

Photos you share of others in social media, as well as photos on public sites like U-M's, can be used by AI facial recognition databases. Be aware of university privacy policies and guidelines (see Privacy at U-M), and handle all Personally Identifiable Information, including photos, with appropriate care.

 

EDUCAUSE report highlights ViziBLUE

2021 EDUCAUSE Horizon Report: Information Security Edition
EDUCAUSE, 2/16/21

This report profiles important trends and key technologies and practices shaping the future of information security and envisions a number of scenarios and implications for that future. It is based on the perspectives and expertise of a global panel of leaders from across the higher education landscape. U-M is a member of EDUCAUSE.

The "Student Data Privacy and Governance" section of the report calls on institutions to adopt privacy management tools for student use and highlights U-M's new ViziBLUE as an example of such a tool. ViziBLUE provides students with detailed information about collection and use of data about them at U-M.

 

Tips to Share

File early, watch for phishing to thwart tax fraud

Beware! It's that time of the year again! As you read this, criminals, fraudsters, and identity thieves could be working to file fraudulent tax returns in your name and steal your tax refund. ITS Information Assurance offers the following tips to help you protect yourself from identity theft and tax fraud:

  • File your taxes as soon as possible to reduce the likelihood of criminals filing under your name.
  • Beware of phishing emails and phone scams. The IRS does not initiate contact with taxpayers by email, text messages, or social media channels, nor do they call to demand immediate payment. And they never demand payment via gift card.
  • Be suspicious of ads for tax filing services that promise you large or expedited tax refunds. These are often scams to steal your personal information.

Extra protection from the IRS. The IRS has expanded the Identity Protection PIN Opt-In Program to all taxpayers who can properly verify their identities. An Identity Protection PIN (IP PIN) is a six-digit number that prevents someone else from filing a tax return using your Social Security number. The IP PIN is known only to you and the IRS and helps verify your identity when you file your electronic or paper tax return. Visit the IRS website to get an IP PIN.

Check out Beware of Tax Fraud—where there are more details and links to helpful information from the IRS—and share the info with your colleagues, family, and friends. And print or share our Prevent Tax Fraud poster.

 

Securely dispose of your old tech

If you are adding or upgrading to new tech devices, you might have old ones you or U-M are ready to dispose of. Old disks, flash drives, smartphones, and computers can all contain personal data, and, in some cases, U-M data if you used those devices for work.

Keep that data from falling into the wrong hands by securely deleting it before disposing of the device. Even devices that you decide to sell or hand down to friends or family need to be properly erased or reset before you pass them on.

For devices owned by U-M or personal ones used for U-M-related work, follow the advice at Securely Dispose of U-M Data and Devices. Remember that U-M-owned devices must be handled through Property Disposition—U-M Departments (U-M login required), whether they are being disposed of or sold.

Any personal devices you decide to sell, give away, or just throw out should be erased to protect your personal information. Follow the guidance at Erase Personal Devices Before Disposal. This protects you from criminals and simple mishaps.

Not comfortable doing it yourself? Get help from Tech Repair Secure Device Sanitization.

However you go about it, remember to protect yourself and U-M by safely disposing of your old tech!