Spring 2022

ITS Information Assurance (IA) is looking forward to welcoming the latest group of interns from the ITS Internship Program in early May. These internships are open to all college students and offer a diverse range of technical and non-technical opportunities. The intern positions are paid and provide students with valuable on-the-job experience while making professional connections. ITS has 36 full-time positions available, and IA is hoping to welcome eight interns this spring. The IA interns will assist with design and development of tools and applications, data set analysis, script development, social media campaigns, training and awareness materials, and production support. Since the start of the ITS Internship Program, IA has hired five interns as full-time employees. We are committed to providing this year’s interns with a meaningful experience and will be sure to share their accomplishments with you at the end of the summer.

As you know, there has been some recent attrition in IA, but we are excited to be moving forward with hiring new IA staff. We have four positions in different stages of the hiring process: Data Security DevOps Engineer, Security Systems Administrator, IT Policy, Privacy and Governance Analyst, and Data Security Analyst. Stay tuned for announcements in the next newsletter or at the next security community meeting.

The ITS Identity & Access Management team (IAM) has finalized plans to reach key milestones that will remove dependencies on the Cosign authentication service by summer 2022.

Cosign has been part of the university’s secure, single sign-on, web authentication system for more than 20 years. Originally designed at U-M, the open source software was once widely used across higher education. Now only a handful of universities still use Cosign, and the open source community that once maintained and developed it has dwindled to almost nothing.

Shibboleth authentication, already in use across U-M, will replace Cosign and can be installed now. Shibboleth at U-M can be set up to use either Security Assertion Markup Language (SAML) or OpenID Connect (OIDC), two industry standard protocols. IAM recommends OIDC for applications that do not allow federation-enabled logins by members of InCommon-member institutions. OIDC allows for simple installation via configurable extensions or plugins.

Since ITS began preparing for the retirement of Cosign three years ago, the number of U-M applications using Cosign has decreased from 1,600 to less than 600. Although ITS can identify traffic from applications using Cosign, it cannot identify the specific applications or departments that own them. To provide support to units that need to switch to Shibboleth, ITS will send broad email communications to applicable groups and offer drop-in support labs via Zoom.

Key milestones in this transition process are:

• May 7, 2022: Units will no longer be able to use the self-service options for installing Cosign with new applications.

• July 16-August 15, 2022: Currently, Shibboleth uses Cosign for the actual authentication prompt. This relationship will be reversed so that Cosign will use Shibboleth for the authentication prompt. Shibboleth will not rely on Cosign going forward.

• August 15-TBD: Cosign will continue to work while the IAM team works with units to ensure a smooth transition away from Cosign.

• June 2023: Units discontinue use of Cosign.

This effort directly supports the requirement for units to discontinue their use of Cosign, or have defined plans to do so by June 2023, as outlined in the FY22 Internal Controls certification process in the area of information assurance.

Questions? Send email to [email protected].

ITS Information Assurance (IA) partners with U-M’s campuses to provide security and privacy guidance, and information that helps U-M community members adopt IA services, follow best practices and fulfill their responsibilities for protecting the university’s systems and data. In addition to working with the security community across U-M, IA staff have been engaging with faculty members in academic units to present in classes on topics related to IT security and privacy. Help us spread the word to faculty and instructors that we are here to bring our knowledge and expertise to their classrooms.

One such presentation was recently requested by a faculty member in the School of Public Health whose students will be collecting and working with sensitive data. Asmat Noori, Information Assurance assistant director, joined the class and provided a comprehensive overview of the sensitive data landscape, including aspects that impact how we work with sensitive data such as remote work, privacy considerations, phishing attempts, and the tools IA provides to ensure a secure computing environment for the U-M community.

Dr. Laura Powers, clinical assistant professor of epidemiology, who requested the presentation shared her experience: “Asmat and the Information Assurance team are an invaluable resource for our students and faculty. As part of our Epidemiology Professional Development Course, Asmat shared information about safe computing and protecting sensitive data. This is especially important as we prepare our students to collect and analyze data; they need to know what sensitive data is and how to work with it in a safe, secure manner. The students learned about important resources on campus and have more awareness of safe computing issues. As the instructor, I always learn something new that I can apply in my own work and personal life.

Others in IA, including Svetla Sytch, assistant director of privacy and IT policy, and Sol Bermann, executive director of information assurance and CISO, have also been invited by faculty to present in classes. IA is passionate about our students learning how to be good stewards of university IT resources. We are also here to help them prepare for future work in IT Security, Privacy, and IT Policy. To request an IA presentation for your unit, event, class, or U-M organization, contact us through the ITS Service Center.

Information assurance is a shared responsibility, and every member of the U-M community has a part to play in supporting IT security, privacy, identity and access management, IT policy and compliance efforts. Part of this responsibility is for each unit, school, and college to designate a member of their staff as a Security Unit Liaison (SUL). Together, ITS Information Assurance (IA) staff and SULs work to enable unit missions while promoting security awareness, education, monitoring, and compliance. This partnership is fundamental in supporting the university’s security posture and IA is committed to maintaining strong and productive relationships with SULs, listening to their feedback, and supporting their needs.

We asked Dion Taylor, IT Help Center and Security Manager at the School or Dentistry, and a Security Unit Liaison, to answer three questions to help us understand his experience and priorities.

1) What measures does staff in your units take to protect themselves and their data?

The comfort level our staff has with security topics, measures, and changes has increased over the last 4-5 years. Duo removed some of the intimidation attributed to adding security measures to devices and daily routines, and some felt empowered by setting it up for themselves. Since then, I've seen an increase in the number of Dentistry staff and faculty who report suspicious messages, ask about sharing and collaborating securely, and make the extra effort to send data securely using our secure email service.

2) What are some top-of-mind security concerns in your area?

The dreaded security “firehose” of information and the constant barrage of critical vulnerabilities and zero-days when you compare it with the number of skilled information security professionals and system administrators who are charged with responding to these threats. Pivoting from daily activities and projects to remediation can get overwhelming, especially with pandemic staffing challenges.

3) What are you doing within your unit to spread security awareness?

One goal I have is to identify security projects and tasks that can be accomplished by other IT team members:

• Phishing education really set in over the past 2-3 years, and more staff are identifying the characteristics of a suspicious message. I’m beginning to make use of animations made in Camtasia to highlight key parts of phishing messages and distributing those school-wide.
• People now understand that we have CrowdStrike, but don’t necessarily know what it does. We still need to educate staff about security products and safe browsing habits.
• One of our web developers recently revamped our InfoSec website, so I’m looking forward to adding Dentistry-specific content and pointing to the Safe Computing site.

I love how IA and Safe Computing have evolved over the years, from the vulnerability notifications, to the tools on the website, and the engagement the IA team has with the SULs. I hope to leverage that more by inviting IA staff to discuss topics with our IT team.

Stay tuned for future SUL interviews, and if interested, reach out to Jen Wilkerson ([email protected]).

In early 2020, UM-Dearborn ITS staff made the decision to deploy the Tenable vulnerability scanning agent to all servers and workstations. The Tenable agent provides significantly more efficient, accurate, and complete vulnerability scanning results when compared with remote network scanning. While UM-Dearborn ITS couldn’t continue the Tenable agent deployment to all managed devices due to the pandemic, priorities shifted when the December 2021 Log4J zero-day vulnerability surfaced. They used that as an opportunity to complete the deployment of the Tenable agent.

UM-Dearborn ITS staff created a script for the results of the vulnerability scans to create an incident in TeamDynamix for each IP Address found in the scans and assign the ticket to the appropriate support team depending on the type of machine with the detected vulnerability. The script developed also uses DS-21 to match appropriate dates to the ticket to ensure each incident is resolved within the appropriate timeframe.

The UM-Dearborn ITS staff can now download reports from TeamDynamix on detected vulnerabilities, including timelines and other follow-up information, which enable them to assess and make changes going forward. Joseph Lubomirski, infrastructure and security manager at UM-Dearborn, said, “Having the Tenable agent, and the script converting those results to our ticketing system, has been a game-changer for us. It allows us to integrate vulnerability remediation with our existing production support instead of treating it with a separate process. Since deploying the Tenable agent, one of the biggest changes has been on the workstation side. Vulnerabilities are often detected due to applications that aren’t being used and updated, so it’s caused us to think about our provisioning process. For example, we install two web browsers, but most users only use one or the other.”

To learn more about the different types of vulnerability scanning, refer to the Unit Monthly and On-Demand Vulnerability Scanning FAQ or contact IA through the ITS Service Center.

RECON (Risk Evaluation of Computers and Open Networks) is a risk assessment methodology developed for U-M. U-M has a comprehensive assortment of information assets, including regulated data, personally identifiable information, and intellectual property. Campus units, research programs, and clinical care settings often have unique risks and vulnerabilities, and risk assessments are an integral part of U-Ms risk management process. The RECON methodology provides information and tools for unit IT to make informed decisions around risk mitigation, risk acceptance, and the allocation of resources for U-Ms most important information systems and data. 

Units should use RECON to assess the security of their systems as these assessments are a part of U-M’s ongoing Information Security Risk Management process and required for any system or applications that are mission-critical and/or have systems that create, process, store, or transmit sensitive data that is classified as Restricted or High. There is no cost to RECON assessments, including when IA staff performs these assessments. IA staff perform RECON for any until with data classified as Restricted or High. Unit staff can be trained as self-assessors to perform RECONs on systems with moderate data. 

Once RECON assessments have been completed, IA recommends logging into the MitiGate Recon Dashboard monthly to assess progress made on Risk Treatment plans.  Though IA performs RECON, systems owners are responsible for follow-up and all control implementations. In addition, SULs play an important role by communicating with the appropriate individuals in your units to ensure RECON assessment and associated follow-up for all Risk Treatment plans.Refer to IT Security Risk Analysis (RECON) for more information on training required to perform RECON in your unit or more details on how IA performs RECON.

UM-Dearborn students and IA staff have joined forces on a Capstone project to analyze U-M vulnerability scanning data and identify trends, hotspots, and other insights that will improve how we communicate and respond to vulnerability scan findings.

IA provides an array of tools and capabilities to help protect U-M’s information systems and data. Vulnerability scanning is an important capability in IA’s portfolio. The IA team conducts regular scans of the university's owned and managed networks and scan reports are automatically sent to system administrators to remediate vulnerabilities. IA also periodically assesses vulnerabilities to identify required remediation actions. 

Vulnerability scan assessments involve working with large amounts of data from various systems, applications, and other U-M resources. The data volumes make detailed analysis challenging, yet deeper investigations could help alert departments with critical, recurring, or resurfacing vulnerabilities and allow for more targeted and timely remediation. 

IA frequently collaborates with faculty and students on projects that support the academic experience at U-M and align with the mission of Information Assurance. We are excited to partner with Dearborn students on an effort that will benefit the entire U-M community. Look for more updates as the project progresses.

Information and Technology Services, the Wallace House, and the Dissonance event series invite you to participate in a free viewing of the film “The Feeling of Being Watched,” followed by a post-viewing discussion. 

Algerian-American investigative journalist and filmmaker, Assia Boundaoui, grew up outside of Chicago, in an Arab-American neighborhood where most people believed they had been under surveillance for over a decade. In search of the truth, Assia begins an investigation that eventually produces tens of thousands of FBI documents proving her hometown was indeed the subject of one of the most extensive counterterrorism investigations conducted in the United States pre-9/11.  

Join us for a virtual screening of “The Feeling of Being Watched” from March 28, 2022, through April 7, 2022. On Thursday, Apr 7, 2022 at 4 p.m., join Assia, moderator Lynette Clemetson (Director, Wallace House), PhD Student Tanisha Afnan (UMSI), and Asst. Prof. Roya Ensafi (EECS, CoE) for a discussion about the film, surveillance in minority communities, and how that surveillance impacts individuals. Join us on Zoom.

In November 2021, the Internal Revenue Service (IRS) put forward an initiative to require taxpayers to use facial recognition for access to their IRS accounts. The IRS did so to attempt to alleviate issues related to fraud, security, and productivity and efficiency. What the IRS did not anticipate was backlash from advocacy groups and lawmakers on both sides of the aisle, that focused in on three areas:

Trust in Government

With public trust in the government remaining low, there was an unanticipated reluctance to share biometric information with federal agencies. The IRS move was seen by some as government overreach. In a letter to the IRS Commissioner, Senate Finance Committee Chair Ron Wyden, D-OR,shared: “Americans should not have to sacrifice their privacy for security. The government can treat Americans with respect and dignity while protecting against fraud and identity theft.”

Trust in Private Business

Red flags were also raised by the prospect of a third-party service provider, private company ID.me, collecting and processing biometric data on millions of Americans. In another letter to the IRS Commissioner, Senate Republicans shared concerns around private sector companies having “unfortunate history of data breaches” and that “ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974, and multiple checks and balances.” Four congressional Democrats joined their GOP colleagues writing to the IRS Commissioner to express concerns with “lack of transparency in both the IRS’s contract with ID.me and ID.me itself.”

Trust in Technology

In their letters, Senator Wyden and congressional Democrats also shared that facial recognition technologies can be biased and disproportionately impact vulnerable groups, citing a 2019 NIST study on the Effects of Race, Age, Sex on Face Recognition Software. The concerns were echoed by privacy advocates and digital freedom groups. 

Under mounting pressure, the IRS announced a transition away from mandatory use of third-party facial recognition tools, and made available new features for online account registration.

Can you spot digital lies? (BBC News)

The world can feel confusing and dangerous enough without the pervasive misinformation online. Here are some tips from the folks behind Safe Computing on making sense of confusing digital information and closing the door on misinformation.

Get the news: Reputable news sites usually report the same facts, even if those sites have slightly different political or editorial leanings, and good sites will separate opinions and editorials into their own section. Try to read stories on two or more sites. Some of our favorites include BBC News, New York Times, Wall Street Journal, Bloomberg, AP News, The Conversation, and NPR. You can stay up to date on a sampling of what folks in IA are reading by checking out our In the Media page. Sort the stories by topics such as Privacy, Data Breaches, or things related to Dissonance events (subjects like AI, surveillance, and the actions of nation states). Check more than one filter or leave them all unchecked to see everything.

Fact check like a pro: Harmless and silly fun are internet staples, but some false information and trickery are dangerous, including lies about international events and health issues. Check amazing claims by using a reputable fact checking site like Snopes, FactCheck.Org, or Politifact. Get information on specific subjects from reliable agencies, such as IRS.gov for taxes and CDC.gov for health.

Avoid fraud and scams: Complex misinformation is growing and too-good-to-be-true offers are often the hook in phishing, texting, and social media scams, which remain favorites of people trying to steal our money and personal information. Safe Computing is loaded with resources to help you avoid fraud and scams. A few key pages to check out include:

• Phishing & Scams has information and links to help you avoid the many tricks used by fraudulent email to steal money or information.

• Phishing & Scam Alerts contains examples of phishing and other sorts of scams reported by members of the U-M community.

With a little information on our side, we can all navigate the pitfalls of the digital world and be better lie detectors.

Looking for more resources to encourage your unit to help protect yourself, your unit, and the U-M Community? Use the resources below, and others available on U-M Safe Computing, to send to your unit in email! Remember, IT security is a shared responsibility.

It is tax season and hopes of receiving a check from the IRS can be dashed by identity thieves stealing your refund by filing fraudulent tax returns in your name. Common frauds this tax season may include text-message scams, e-mail schemes, phone scams, and unemployment fraud. The sender may claim false problems with your return tax documents or promise a more significant refund. Refer to Beware of Tax Fraud for more information on how tax fraud works, steps you can take to prevent it, and what to do if you become a victim of a tax scam.

Protect yourself and your unit by sharing information on how to stop criminals from stealing your identity and tax returns. Review and share our Prevent Tax Fraud poster with tips for preventing tax fraud, spotting tax-related scams, and getting more information and assistance.

Identity theft can happen any time of the year, but be on high alert during tax season. Identity theft is when someone steals your personal information and uses it without your permission. Refer to Identity Theft for information on the U-M Identity Theft Prevention Program and how to protect your personal information, financial information, and your privacy.