Spring/Summer 2021

Leadership Update

U.S. cybersecurity executive order and U-M

The White House

President Biden signed a cybersecurity executive order on May 12 that aims to significantly modernize and improve the nation's cybersecurity defenses. It is no coincidence that this order came in the wake of the SolarWinds attack, as well as a ransomware attack that took down a major gas pipeline provider. While the order applies directly to the federal government, it encourages others to follow the government’s lead and "take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents."

According to Sol Bermann, chief information security officer and executive director of ITS Information Assurance (IA), U-M already meets many of the items in the executive order and is well positioned going forward to continue to incrementally improve the U-M security posture. The executive order outlines seven goals:

  1. Remove Barriers to Threat Information Sharing Between Government and the Private Sector. U-M engages in multiple threat sharing initiatives with organizations such as REN-ISAC, MS-ISAC, BTAA, and EDUCAUSE and hosts Michigan Intelligence for Threat Negation (MITN). U-M also receives threat feeds from a number of law enforcement groups.

  2. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The order focuses on practices such as two-factor authentication, encryption, and cloud security. U-M already has Duo two-factor deployed for all faculty, staff, and students, and most centrally managed systems provide encryption. Bermann added, "U-M widely deployed CrowdStrike Falcon advanced endpoint protection early in 2021 and is exploring CrowdStrike’s cloud security offerings."

  3. Improve Software Supply Chain Security. "U-M does vendor security-compliance assessments—including asking about secure coding practices—and has done so for years," said Bermann. U-M software developers are expected to follow secure coding best practices. "U-M hopes to benefit from improvements in vendor software security as the industry as a whole hopefully improves in this area," Bermann said.

  4. Establish a Cybersecurity Safety Review Board. The governmental board will review lessons learned from major incidents and provide recommendations for improving cybersecurity and incident response practices. "U-M's academic campuses and Michigan Medicine engage, as appropriate, in lessons-learned activities," Bermann pointed out. These activities result in recommendations for improving cybersecurity and incident response practices.

  5. Create a Standard Playbook for Responding to Cyber Incidents. U-M has standard policies, practices, and playbooks for responding to cyber incidents. "These are reviewed and refreshed periodically," noted Bermann.

  6. Improve Detection of Cybersecurity Incidents on Federal Government Networks. U-M has a number of threat detection capabilities, ranging from vulnerability scanning to security operation center activities, to advanced endpoint protection tools, such as CrowdStrike Falcon for U-M units.

  7. Improve Investigative and Remediation Capabilities. U-M has logging capabilities that allow for investigation and remediation activities and asks units to maintain unit-specific logs, as well as work with IA to get them into the ITS log repository when feasible.

 

Project & Capability Updates

CrowdStrike Falcon deployed

Sol Bermann, CISO and executive director of ITS IA, welcomed unit Falcon admins to the deployment thank-you event on May 21.

"We can all sleep a little easier at night knowing that Enhanced Endpoint Protection powered by CrowdStrike Falcon has been deployed on university-owned desktop computers, laptops, and servers," said Sol Bermann, chief information security officer and executive director of ITS Information Assurance (IA). "This is making a significant difference in protecting university systems and data." Falcon protects MiWorkspace machines, MiServer Managed OS servers, and unit-managed university-owned computers and servers.

By the numbers. As of May 20:

  • The Falcon Sensor is deployed to more than 35,000 devices with over 98% in Prevention mode.
  • Falcon has reported approximately 1,400 detections in the past 30 days and performed 101 mitigation actions.
  • Less than 5% of detections have been identified as false positives.

Michigan Medicine moving to CrowdStrike. Michigan Medicine has begun transitioning from its current endpoint protection provider to CrowdStrike Falcon. This will result in all three academic campuses and Michigan Medicine using the same tool.

Addressing missed machines. As we return to campus, ITS IA asks that you identify any unit machines that were turned off during the pandemic and get CrowdStrike Falcon installed and running on them, as well as work with faculty and researchers to do the same for self-managed machines.

 

Thank you, Falcon admins!

Mark Giuffrida, director of CAEN and IT Operations for the College of Engineering, stopped by the Falcon deployment thank-you event on May 21.

"Thank you, thank you, thank you to everyone who contributed to the successful U-M deployment of CrowdStrike Falcon for enhanced endpoint protection!" said Sol Bermann, chief information security officer and executive director of ITS Information Assurance (IA).

"While only a small number of U-M Falcon admins were able to stop by the drop-in thank-you event hosted by IA on May 21, it was great to have a chance to thank some of you in person," Bermann said. "We will have other opportunities to celebrate this significant achievement together in the future."

 

Identity & Access Management

Duo for U-M VPN coming this fall

Image of house and coffee shop with the words "U-M VPN" and "Duo" above, along with the symbol for WiFi.

You already use Duo two-factor when you log in to most U-M computing services, and many of you already use it when logging into the U-M VPN. Coming in fall 2021, it is anticipated that you will be required to use it when logging in to the U-M Virtual Private Network (VPN). That will provide added security not just for you, but for U-M networks and systems, too.

How to update

The Cisco AnyConnect app and profiles using Duo were made available on the ITS website in July 2020. When you log in using them, you see the U-M Weblogin screen and Duo prompt, just as you do when logging in to other U-M services. Download the app and profiles at ITS: Getting Started With VPN.

If you provide IT support to people who use the U-M VPN, please encourage them to download and use the AnyConnect app and the profile that uses Duo.

MiWorkspace and other managed computers updated for you

  • Mac. If you have a MiWorkspace Mac or a Mac managed via ITS’s Managed Software Center (that is, those managed via Izzy), the Cisco AnyConnect client app with the VPN profile using Duo is available now on your computer for your use at Applications --> Cisco.
  • Windows. MiWorkspace Windows computers are equipped with an "always on" VPN-like client called DirectAccess that does not require separate client software. Typically, the Cisco AnyConnect client is not necessary on a MiWorkspace Windows computer. However, those using it for special access needs will receive updated connection profiles with Duo.

Not required for alumni and retirees

Retirees and alumni—who use a different, designated connection profile—will not be required to use Duo for VPN.

 

Shared Responsibility & Unit Support

Prepare for a secure return to in-person work

Michigan Stadium overlaid with the words, "Welcome back!"

As you prepare your unit's IT environment for those who will be returning in person over the coming weeks and months, keep IT security in mind:

  • Ensure that CrowdStrike Falcon has been installed on all endpoints in your unit and that procedures are in place to install the sensor on devices that were turned off.
  • Make a plan to update systems that have been turned off during the pandemic with the latest security patches before staff and students return to use them. You may need to set aside time to install numerous updates released during the months machines were turned off.
  • Check for updates for printers, cameras, and other network-connected devices as well, and apply them.

Watch your email—and Safe Computing—this summer for a new unit security checklist to help you prepare to return to campus. The checklist will cover additional recommendations for security, passwords and accounts, awareness and education, and more.

 

Be proactive and prepared for ransomware

Computer monitor displaying skull and crossbones next to locked file

Another day, another ransomware attack. From attacks on the Colonial Pipeline, to meatpacker JBS, to CNA Financial, to the Steamship Authority of Massachusetts, to the DC Police, to the Irish health service, ransomware attacks are spiking.

  • If you manage U-M or unit systems, computers, or data, you are responsible for taking steps to protect them from ransomware.
  • If you use U-M computing services, you are responsible for learning not to respond to phishing emails, which often provide entry to ransomware.

What IT staff can do

What U-M does

The Information Assurance (IA) groups in Information and Technology Services (ITS) and Health Information Technology & Services (HITS) work with units across U-M to reduce risk and protect against cyberthreats, including ransomware mitigation.

  • U-M data backups. ITS and HITS maintain appropriate system backups and storage snapshots of the data and systems they are responsible for.
  • Network security. Monitors for and helps prevent unauthorized access or misuse of U-M computer networks and network-accessible resources.
  • Endpoint protection. Protects U-M workstations (laptops and desktops) and servers.
  • Vulnerability management. All U-M networks are regularly scanned for unpatched, vulnerable systems at risk of threat actor exploitation, including ransomware.
  • Logging and monitoring. These activities can identify suspicious behavior, be used to proactively block attacks, and support the investigation of potential IT security incidents.
  • Threat intelligence. Bolsters overall U-M IT security by feeding information about active threats into numerous other IT systems.
  • Malicious email reduction. The university uses a variety of tools to stop spam, phishing, and other malicious email before it reaches users' inboxes.
  • Cyber risk insurance. The Office of Risk Management maintains this insurance coverage, which requires that serious IT security incidents be reported to ITS IA ([email protected]).
 

Education & Awareness

Use the new Safe Computing Curriculum in your unit

Lock over a globe and the words, "Safe Computing Curriculum"

As U-M employees and community members, we all share in the responsibility to help protect U-M IT systems and data. But how do you do that? ITS Information Assurance (IA) has developed a Safe Computing Curriculum that offers IT security and privacy/confidentiality best practices to help safeguard the university’s digital assets.

Self-directed curriculum

Work your way through videos, readings, and activities to help you understand your shared responsibility, secure your devices, spot phishing and other scams, work with sensitive data, and more. There’s a section just for IT staff with information about your additional responsibilities as stewards of IT systems.

You can check off items as you complete them and track your progress. IA does not track completions for individual uniqnames, but does track summary data (for example, overall numbers of completed activities).

Share it in your unit

If you are responsible for providing IT security and privacy/confidentiality education, awareness, or training in your unit, consider using the new curriculum. You can encourage people to work through all of it or share links to individual modules in emails or your employee newsletter.

Anyone with a uniqname and UMICH (Level-1) password can log in, go through the materials, and track their progress. Alumni and retirees will not, however, be able to take the included eLearning courses in My LINC.

Those without a uniqname and UMICH password can view the curriculum, watch the videos, do the reading, and do all of the activities except the courses in My LINC at the Curriculum Preview.

 

New video: IT Security—Our Shared Responsibility

Video still with text, "Cybersecurity - Our shared responsibility"

IT security is a shared responsibility, and we all need to do our part. Share this new video in your unit to help your colleagues learn about their shared responsibility to protect U-M computing resources and data:

The video explains that we can all do our part to protect the U by following common sense and expert advice. It provides a quick summary of cyber safety basics such as choosing a strong password, learning to recognize phishing emails and common scams, being mindful about privacy and compliance, and keeping up with the latest information on the Safe Computing website.

 

Reminders & Events

Ask the experts during weekly ITS IA office hours

Slide with text, "Ask the ITS IA Experts"

If you've got questions about IT security or privacy, ITS Information Assurance (IA) experts are ready to help. Need help finding information on how to securely connect to campus resources? Have questions about where to store sensitive data? Want to understand requirements around working with third-party vendors?

Bring your questions to our weekly Ask the ITS IA Experts office hours. Ask the ITS IA Experts sessions are open to all faculty, staff, and students.

Every Tuesday from 3:00–4:00 p.m., IA staff will be available for short one-on-one drop-in sessions to answer your questions and help you find the resources you need. Ask the Experts uses Remote Office Hours to connect you in an individual Zoom session; U-M login is required. Join the queue during office hours for an individual Zoom meeting.

 

New and updated info on Safe Computing for you

Safe Computing website banner image

Look for these updated and new resources on the Safe Computing website and share them with colleagues in your unit.

 

In the News

Fending off cyberattacks at U-M together

Cyberattacks Are Spiking. Colleges Are Fighting Back
Chronicle of Higher Education, 4/14/21

IT security is a well-worn phrase, but that doesn’t make it any less important. Ransomware, phishing, and cyberattacks are on the rise and, increasingly, they target higher education. The most effective way to defend against them is to work together.

ITS and other U-M IT providers have many defenses in place to protect U-M data and systems and have added more in recent months. Here are just a few of them:

As U-M employees and community members, we all share in the responsibility to help protect U-M IT systems and data. That means protecting your U-M account, watching out for phishing, using the appropriate U-M services for the types of data you work with, and securing any personal devices that you use for U-M work. Every single one of us truly makes a difference when it comes to protecting the U.

 

Emerging privacy regulation possibilities

Shoshana Zuboff Explains Why You Should Care About Privacy
The New York Times, 3/21/21

Although Shoshana Zuboff, author of The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, began her interview with The New York Times with a devastating remark about the state of privacy, she sees glimmers of hope ahead.

"The last 20 years have seen, especially the last decade, the wholesale destruction of privacy," said Zuboff. She noted that "the underlying norm of all software and apps designed now is data collection," and that "for all intents and purposes, all of them are designed to engage in surveillance."

However, she said she feels great about emerging regulatory possibilities. She called out privacy work that the European Union is doing and mentioned opportunities here in the U.S.: "And in March, what we saw for the first time was congresspeople that really have grasped the economic model here and the unaccountable power that has accrued to these companies. And for the first time, we heard them saying we understand this information is a byproduct of your economics. And this is going to end and we’re going to end it."

As U-M prepares the next generation of leaders, it is important to provide students with an understanding of privacy and opportunities to reflect on what it means to them and how they can protect it.

  • In January, U-M launched ViziBLUE, a guide to personal data that provides information on what student information is collected at the University of Michigan and how it is used and shared.
  • The Dissonance Event Series regularly hosts engaging conversations that focus on the confluence of technology, policy, privacy, security, and law.
  • Each January, ITS Information Assurance recognizes Data Privacy Day with a Privacy@Michigan event for the U-M community. For more information on privacy at U-M, visit Safe Computing: Privacy.
 

Tips to Share

Don’t share your COVID-19 vaccination card on social media

Closeup of hands holding a vaccination card

Many people are so excited when they get their COVID-19 vaccination that they want to share the good news with everyone. But, just as you shouldn’t share other highly personal information on social media, please don’t share a photo of your vaccination card.

The Better Business Bureau (BBB) warns that scammers can use the personal information on your vaccination card—your full name, birth date, and vaccination location—to steal your identity and create and sell phony cards. Go ahead and share the good news, but leave out the personal identity information.

And while you are thinking about your personal information and social media, check your settings to see what you are sharing and with whom. Learn more at Safe Computing: Protect Your Privacy.

If you only want friends and family to see your posts, be sure that’s how your social media privacy settings are configured. Be aware that once you post something, those you shared it with can share it more widely. If you want something kept private, don’t share it on social media.

 

It is vital that you report IT security incidents

Video still of two people standing next to a computer with ransomware

If you encounter an actual or suspected IT security incident, it is vital that you report it as soon as possible so that work can begin to investigate and resolve it. This applies whether you are working from home or on campus.

Take a minute to watch the ITS Information Assurance (IA) video: How to Report an IT Security Incident, which tells you where to report incidents (to [email protected]) and describes how IA responds. For more detail about reporting IT security incidents, see Report an IT Security Incident on Safe Computing.