Fall 2022

Leadership Update

Thanksgiving to the SUL Community

On behalf of ITS Information Assurance (IA), I extend my gratitude to the entire Security Unit Liaison community and thank you for all you do in fulfilling your shared responsibility to support and promote a security mindset at U-M.

Whether it is piloting new functionality, coordinating a service retirement, or spreading the word on a new training course, the work you do is invaluable to the university. It is only through this meaningful and productive partnership that we are able to protect and empower the U-M community. I wish each of you a relaxing Thanksgiving, and I look forward to our continued work together!

 

Project & Capability Updates

IRAP Remediation Project: Phase One Complete

ITS Information Assurance (IA) is excited to announce the completion of Phase One of the Insecure Remote Access Protocol (IRAP) project. For several months, the IRAP team has worked with ITS and Unit IT groups to identify protocols that may be putting the university and its resources at risk. Insecure protocols have the potential to expose U-M systems, data, and individuals to an attack that allows essential software to be discovered or credentials to be compromised.

Phase One of the IRAP project focused on insecure protocols that had one or more of the following criteria:

  • Internet use for this protocol is not necessary for university business.
  • The protocol has less risky alternatives that can be reasonably implemented before IRAP mitigation.
  • The protocol can be utilized via VPN instead of directly accessed from the internet.

IA worked with the ITS Network team to restrict the final list of identified protocols by blocking them at the network border using an Access Control List (ACL). Users can continue to use blocked protocols by implementing simple process changes, including using VPN and DirectAccess, that significantly reduce the risks introduced by IRAP.

While they can’t fully measure all of the security benefits of IRAP mitigation, the team can measure the amount of unwanted network traffic that was blocked. For example, in the first 24 hours after implementing Phase One, more than 700 million unwanted network packets were blocked from entering the Ann Arbor campus network from the internet. Blocking this unwanted traffic improves our security posture, even if we can’t tell whether it directly stopped any specific credible threats.

Thank you to the IRAP project team and those who partnered with IA to review the list of identified protocols, provide information on whether these protocols were needed for university business, and offer additional feedback on assistance needed to move away from them. The completion of Phase One is a win for all of U-M.

Check out the Insecure Remote Access Protocol project site and stay tuned for more information about Phase Two in early 2023.

 

IAM Impact: Virtual Sites Project

The recent Virtual Sites upgrade project moved Virtual Sites from running on VMware from MiDesktop to a virtual desktop environment on Microsoft Azure. The Virtual Sites service allows students, faculty, and staff remote access to the Campus Computing Sites catalog from any device by connecting to a Windows environment with access to most of the software titles provided on physical Campus Computing Sites Windows workstations.

The new solution offers the U-M community a more straightforward, user-friendly experience with a common, streamlined user interface. In addition, using the Microsoft Azure platform improves performance at a reduced cost, while providing increased flexibility, Azure enhancements, and new features. This project was a significant shift that required participation from across the ITS organization. The ITS IA Identity and Access Management (IAM) team operates Azure Active Directory and had a role in this project that considerably impacted the ability to deliver, including:

  • Establishing two Active Directory domain controllers in Azure, which provide additional resiliency.
  • An Azure AD Connect v2 upgrade.
  • The Ann Arbor to Azure synchronization interval increased from 3 hours to 15 minutes!
  • Implementing Azure ExpressRoute to replace the VPN connectivity.
  • Implementing a Grouper upgrade that included enhancements for integration with Azure.

These achievements position ITS, and U-M, to use Azure Active Directory for consuming other application services in the cloud. In addition, Azure-hosted domain controllers provide increased performance and additional resiliency by enabling machines to fall back to domain controllers on-premises if necessary.

Thank you to all IAM staff members who contributed to this important upgrade.

 

Shared Responsibility & Unit Support

Profile of an SUL

Information assurance is a shared responsibility, and every member of the U-M community has a part to play in supporting IT security, privacy, identity and access management, IT policy, and compliance efforts. Part of this responsibility is for each unit, school, and college to designate a staff member as a Security Unit Liaison (SUL). ITS Information Assurance (IA) staff and SULs partner to enable unit missions while promoting security awareness, education, monitoring, and compliance. This partnership is fundamental in supporting the university’s security posture, and IA is committed to maintaining strong and productive relationships with SULs, listening to their feedback, and supporting their needs.

We asked Skylar West, Data Security Analyst on the U-M Flint campus, to answer the following questions to help us understand his experience and priorities.

1) What do you see in your units regarding measures staff take to protect themselves and their data?
Our technical staff has done well keeping our servers updated and responding to new vulnerabilities promptly. In addition, I see more technical and non-technical staff reaching out to us about security policies and general advising on workflows (big and small), which is always great to see. Tickets often come by reporting phishing and unusual emails as well.

2) What IA tools, capabilities, and resources do you leverage within your unit?
General sensitive data handling approvals, the Safe Computing resources and alerts, security policies, and information from the Security Operations Center have been very helpful. In addition, we also look to better leverage RECON and compliance-related capabilities in the near future.

3) What are some of your security concerns at Flint and other areas of U-M?
Educating users on data handling, data classification, and more recent cyber threats (i.e., job scams, spoofed emails, trickier phishing emails, 2FA Push fatigue). The ever-present threat of zero-days and new attack vectors is always on our radar.

4) What are some things you do within your unit to spread awareness?
From a technical standpoint, I have news and advisory feeds tailored to our environment that I check daily, reaching out on security issues where applicable. Additionally, slowly leveling up my ability to search and alert on potential problems on our network has proven helpful.

From a non-technical view, I have begun work to update our security awareness training for new staff on-boarding, reaching out more regularly regarding policy enforcement to departments, and continuing to build working relationships around campus to increase our security posture.

 

UM-Dearborn Benefits from MCommunity Transformation

For several years, UM-Dearborn maintained a “shadow” local LDAP directory, which, among other features, handled emailing groups of various populations of staff, faculty, and students. When they began to sunset this LDAP directory a few years ago, they quickly realized that some of the ways moderated MCommunity groups functioned caused significant issues.

One issue that came to light early on was the lack of notification to moderators of restricted MCommunity groups when they were the only ones to receive an incoming email. For example, the UM-Dearborn Registrar sent an important message to their faculty members regarding the due date for grades. When the sender received no response, they assumed their message was received, which was not the case. The new MCommunity group functionality now includes a bounce back to the original sender when emails are not received in restricted MCommunity groups.

The newly implemented features and functionality of MCommunity groups also enabled UM-Dearborn to retire a script they were previously reliant on, which required manual notification and additions to moderated groups. In addition, it was one of the last pieces of functionality which required the UM-Dearborn specific LDAP directory. Retiring that “shadow” directory in favor of MCommunity has been a departmental goal for the past six years, and it will be accomplished this winter.

Joe Lubomirski, Infrastructure and Security Manager at UM-Dearborn, said he believes the most significant impact comes from the notification to moderators that they are the only ones to receive the message and unpermitted messages being bounced back to recipients. “These new features solve all of our previous issues with moderated MCommunity groups and allow us to completely step away from being involved in a workaround.” Carrie Shumaker, Chief Information and Strategy Officer at UM-Dearborn, said, “We are really benefiting from recent upgrades to groups in MCommunity. This is a great story of moving to use shared functionality over custom and then being able to eliminate our old LDAP and completely rely on ITS IAM-provided tools. It’s projects like this that enable us to improve our efficiency.”

Thank you to the IAM MCommunity Project team and all of you who helped with user testing and feedback! Refer to the MCommunity Transformation project site for more information on new features and functionality in MCommunity.

 

Reminders & Events

SUMIT Recap

SUMIT Reimagined IT Security Event Series, weekly in October

This year’s Security at University of Michigan IT, SUMIT Reimagined, was our third since moving U-M Cybersecurity Awareness month events online due to the pandemic; it has also been one of the best! ITS Information Assurance (IA) experts offered more online sessions than in years past, and the U-M community responded by joining in greater numbers, asking thoughtful questions, and engaging in meaningful conversations. 

SUMIT’s online sessions included:

  • SUMIT Keynote: Adventures in Securing At-Risk People: Runa Sandvik focused her keynote presentation on securing journalists and newsrooms. A conversation following the presentation was facilitated by Elodie Vialle, Fellow at Harvard's Berkman Klein Center - Institute for Rebooting Social Media. Be sure to check out the session recording.
  • Protecting Research Data: ITS IA’s Asmat Noori and Svetla Sytch were joined by Jake Carlson from the University Library to discuss the changing research data landscape and the resources available to support researchers and share in the responsibility of safeguarding research data. 
  • Remediation of Insecure Remote Access Protocols (IRAP): The IRAP project is an effort to further improve the U-M security posture by remediation of insecure protocols exposed to the internet. Members of the IRAP project team walked through the need for IRAP remediation, network analysis results, and communication and outreach to understand the use of insecure remote access protocols and plan blocking activities. 
  • MCommunity Privacy and Security Settings for Individual and Group Profiles: Melissa Minuth and Kyle Cochrane demoed recent changes to MCommunity individual and group profiles, improvements to the user experience, and accessibility improvements. 
  • Safe Computing for Everyone: IA’s Matt Martin, Matt Ranville, and Jen Wilkerson discussed how IA’s Education and Engagement team develops educational materials and creates awareness around privacy and security for the U-M community. The team also showcased a recently developed training course and new Safe Computing web content. 
  • Cosign Retirement Drop-in Sessions: For IT staff managing services that need to move from Cosign to Shibboleth, Ken Gray from the ITS IA Identity and Access Management team presented different options for using Shibboleth, answered questions, and provided assistance for attendees.

Refer to Past SUMIT Events for more information on sessions from previous years, and sign up to join an email list to receive information on future Information Assurance and Dissonance events. And feel free to share thoughts and ideas for future IA programming.

 

ITS IA Engages Students with Cybersecurity Challenge

Cybersecurity Challenge. Share what you know and win a prize.

This year marked the 20th year that ITS Information Assurance (IA) has invited U-M students to take an online quiz to raise awareness about IT security issues and promote security and privacy best practices during October’s National Cybersecurity Awareness Month.

All U-M students on the UM-Ann Arbor (including medical students), UM-Dearborn, and UM-Flint campuses who scored 90% or higher on a 10-question quiz were entered into a drawing for prizes. Over 9,150 people took the quiz this year, almost 1,000 more than last year, and this year ITS awarded the most prizes ever to 68 students across all campuses.

ITS IA provides a number of tools that help educate the entire U-M community about the importance of IT security and privacy best practices. You too can test your knowledge of cybersecurity!

 

Michigan IT Symposium: IA Involvement

Michigan IT Symposium - Helping shape the future of learning, research, and care.

The Michigan IT Symposium is an annual event for the entire U-M IT community to gather and learn new skills, discover what advocates and innovators across the university have been working on, and connect with U-M technology professionals and leaders.

ITS Information Assurance (IA) had a strong presence at this year’s event, hosting three breakout sessions and three poster sessions.

Putting the Spotlight on Web Privacy
IA’s Klare Savka and Svetla Sytch partnered with Chris Billick from the Office of the VP for Communications to talk about the state of web privacy and U-M’s approach to being transparent about how we collect and use personal information on websites we host. The presenters shared privacy assessment results from the top 80 umich websites and walked the audience through best practices for protecting and respecting the privacy of website visitors.

Preparing for a Crisis: An Introduction to Business Continuity and IT Disaster Recovery
In this breakout session, Stephanie Henyard, Sasha Womble, and Jessica Johnson discussed the critical need for Continuity of Operations Plans (COOP) and IT Disaster Recovery (DR) Plans. They shared resources from DPSS Emergency Management and ITS Information Assurance that units can leverage to accomplish this important work.

Using Technology to Enable Inclusion
A dynamic group of presenters from IA (Chris Hable and Patrick Steffes) and ITS Support Services (Maggie Davidson and Rebeca Steffen) showcased the importance of technology in creating an inclusive campus. Focusing on support of pronouns, they discussed features in MCommunity and Zoom, and introduced ideas for building inclusion in the development lifecycle.

Grouper at U-M: Automating Access Management
The poster introduced Grouper as an official service at U-M. It aimed to spread the word about the tool’s capabilities and shared access management challenges Grouper is able to solve across the University. The IA Identity and Access Management team would like feedback on the current service and is open to exploring new use cases for the tool. Presented by Chris Hable.

OneTrust Info Sec Risk Management
This poster’s subject was our new risk assessment platform, OneTrust. The SaaS solution supports third-party vendor risk assessments, as well as IA’s internal risk assessments. Attendees learned about the evolution of the RECON risk assessment process and the many benefits of the new platform. Presented by Jeffrey Tomaszewski.

The MCommunity Transformation Project: Accessibility and DEI
Among the many improvements delivered by the MCommunity Directory Transformation project were a number of important enhancements that meet accessibility standards and exemplify diversity, equity and inclusion principles. This poster features the results of the collaboration between the project team and the ITS Accessibility team to deliver upgraded technology and content that benefit all members of the U-M Community. Presented by Kyle Cochrane & Chris Hable.

All session recordings and posters will be posted on 2022 Michigan IT Symposium by mid-December. It has been a great year of collaboration and innovation across Michigan IT. IA is always open to opportunities to partner with schools, colleges, units, and departments in pursuing technology and process improvements that benefit the university. Contact [email protected] to let us know what you're working on and if you need IA’s expertise!

 

In the News

Veterans in Cybersecurity

Veterans Day is a time to think about the veterans in our lives and their sacrifices for our liberties. Following military service, many veterans continue to serve their country and protect our freedom by fighting against ever-growing cyberthreats.

Why veterans are a natural fit for cybersecurity:

  • Military personnel are trained to think like their adversaries. In both combat and cybersecurity, this means anticipating the next steps.
  • Teamwork is fundamental in the military and cybersecurity work as everyone understands that the mission is critical and is accustomed to working with a shared purpose.
  • The common value of being dedicated to protecting others is at the core of working in the military and cybersecurity.

One of our veterans, ITS Information Assurance IT Security Design and Engineering Manager, Dennis Neil, stated, “Veterans, in the course of their service, may be unknowingly preparing for a career in cybersecurity. Both are required to work closely on a team, remain calm and think clearly during a crisis, and prepare and practice response plans. Once a veteran is in the field of cybersecurity, the opportunity is to find a way to think creatively and outside the box.”

The synergies between military service and cybersecurity are not going unnoticed. Employers and government agencies at the federal and state levels are actively working on training and recruiting military personnel to work in cybersecurity:

  • Department of Homeland Security and Hire Our Heroes partnered to provide veterans access to free online cybersecurity training and scholarships for cybersecurity-related degree programs.
  • Cyber Vets Virginia is a comprehensive initiative to provide veterans with access to cybersecurity training and resources to enter the cybersecurity workforce.
  • Fortinet, which develops and sells cybersecurity solutions, developed a Veterans Program to help transition veterans into the cybersecurity industry.
  • LinkedIn, Walgreens, and Capital One partner with military advocacy organizations like HirePurpose to actively recruit veterans into cybersecurity positions.

Military veterans are problem-solvers who understand the importance of a strong defense when dealing with an active threat and have direct experience with critical situations that have high stakes. We are incredibly thankful for our ITS veterans’ service and their contributions to the ITS mission and values.

 

Using Social Media to Reach Diverse Audiences

One of ITS Information Assurance’s core responsibilities is to provide guidance to the entire university community on IT security and privacy compliance best practices and help individuals protect university systems and data, as well as their own personal information. We are always on the lookout for innovative and compelling ways to engage our students, faculty, and staff. Remember the #SecureLifeofPets campaign?

We were quite taken by TikTok-creator-turned-influencer Kristen Sotakoun, who consensually doxxes people to teach them about social media privacy. She is no cybersecurity or privacy expert and claims that “any normie can do this.”

Yet, she is so effective that her following grew from 36 to over 257,000 in just over a month. Her method relies on her followers’ presence on the internet and cracks in their social media security. “There’s a level of smugness to everybody when they do comment, like ‘Wait, I genuinely think that you couldn’t find me.’”

According to one of her subjects, “friends are the weakest link” when it comes to keeping your personal information private. So as you get ready for the holiday season, keep the privacy of friends and family in mind when you interact on social media.

If you have ideas for sharing our Information Assurance content more broadly across U-M’s diverse community and beyond, let us know by dropping us a line at [email protected]. And don’t forget to catch up on the latest IT security and privacy news, curated daily, in the In the News section of the Safe Computing website.

 

Tips to Share

Shop Online Safely

Many of us are getting an early jump on online shopping for the holidays. Read on for easy ways to protect yourself while looking for that perfect gift:

  • Use a credit card, not a debit card. Credit cards have added protections most debit cards do not.
  • Use secure devices and software. Keep web browsers, software, and devices up-to-date. Avoid public or shared computers.
  • Use a safe network. Avoid public and free WiFi, and use a VPN if you can't.
  • Shop with trustworthy sites and sellers. Stick to businesses you know and trust, and compare descriptions and prices from multiple sellers to help spot scams.
  • Be suspicious of unusual offers. Avoid "too good to be true" offers from places you don't know. Ignore email from unknown senders offering unusual deals that could be phishing.
  • Protect your personal information. Don't save credit card numbers and other personal information in your web browser. Check out the privacy policy of shopping sites to find out how they use and share your data.
  • Avoid traps in email and pop-ups. Check links in email to make sure they really go to the right website. When in doubt, browse to a site yourself and avoid following links in email. Ignore pop-ups, especially if they direct you to another site.

See Protect Your Online Shopping for more information, and consider sharing tips with family, friends, and colleagues by sharing our PDF poster Shop Online Safely.

 

Cybersecurity When Traveling

The holidays are a great time to travel, but they are also prime time for cybercrime. Whether you are visiting family or friends or taking time to see some sights and shop, make sure to protect yourself and your data.

Update software and apps. Check that your device operating systems and applications are all up to date before you leave town. Consider turning on automatic updates to save yourself from having to remember to update manually.

Back up your data. A backup of your device protects you from malware, ransomware, theft, or even just accidental loss of a device. Back up to a drive you'll keep somewhere safe at home, or use a cloud storage service for extra protection and portability.

Avoid online shopping when using a public network. Never trust free and public networks with important data like credit cards and bank info. Free wireless networks are often havens for malware or ransomware and can provide a channel for attackers to get into your device. Use secure networks and turn off wireless auto-connect. If you need to get online, use a known, secure network, or use the hotspot of your cell phone. If you must connect over a free/public network, use a VPN to help secure the data you send and receive.

Keep your devices locked. Keeping your device locked is a simple and easy way to keep out prying eyes. Set devices to lock themselves after a few minutes of inactivity, and get in the habit of locking them after you look at what you need.

Don’t announce your travel plans on social media. Announcing travel plans on social media adds another level of risk to being away, especially if your home will be unattended while you're gone. Instead of broadcasting your plans to your entire social network, use direct messaging before and while traveling. You can come back and wow all your online friends with stories and photo albums after!

Don't forget kids’ devices! Devices that are set up primarily for kids to play with might not regularly access your bank account, but they still contain important, personal information. Protect your family's privacy and data by making sure devices are updated, locked when not in use, and kept in a safe place. If kids access social media or communicate online, be sure to talk with them about digital safety.

A little preparation can protect you, and your loved ones, during the holiday travel season. Check out Travel Safely With Technology for more tips about tech and travel, and the Safe Computing website for more on protecting yourself and U-M.

 

Tech for the Holidays - Safely in with the new and out with the old

Getting some cool new tech this holiday season? Replacing some old devices or cleaning up unused phones and computers that are sitting around? Make sure to secure your new devices and safely dispose of your old ones to protect yourself and U-M.

Take the time to review the privacy and security settings for new devices and accounts. Adjust the defaults to secure your data, protect your privacy, and protect the university. Turn on auto updates; letting them apply automatically saves you having to remember to do it manually. Check out our Secure Your Devices section for tips on securing most types of devices. You can also find advice on Protect Your Privacy to help you keep personal data and accounts away from prying eyes.

Devices you no longer need or want can contain personal data, and in some cases U-M data if you used those devices for work. Keep that data from falling into the wrong hands by either securely deleting sensitive data before disposing of the device or securely destroying it. Even devices that you decide to sell or hand down to friends or family should be properly erased or reset before you pass them on. Check out Erase Personal Devices Before Disposal for more.

Remember that if you use your personal devices for U-M work, you need to follow Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33) to secure them appropriately and to dispose of them properly.

Need a hand erasing a personal device? Contact ITS Tech Repair for information about their device sanitization services.