Summer 2023

Leadership Update

Cosign Retirement Success

Two logos in one, Cosign and Shibboleth. Cosign is a yellow hand-shaped padlock on a blue circular background and Shibboleth is an orange and yellow Gryphon.

Originally designed at U-M more than twenty years ago, Cosign was once widely used across higher education. The degree to which U-M had integrated Cosign into countless applications was a testament to its success. However, the user base dwindled at U-M and across higher ed as institutions transitioned to more modern authentication protocols (OIDC and SAML). At U-M we now use Shibboleth.

Over the past year, Identity and Access Management (IAM) has partnered with units across all U-M campuses and with colleagues in ITS to discontinue use of Cosign. “Cosign retirement is a significant milestone that paves the way for the implementation of advanced IAM functionality in the future,” said DePriest Dockins, Director of IA’s Identity and Access Management team. “We understand this change was not without challenges, and we’re so grateful to our campus partners for their support and effort in helping the university meet this important goal.”

A key stepping stone was implemented in May 2023, when the IAM team updated Shibboleth to perform both authentication and authorization without reliance on Cosign. This was a fundamental change that required significant planning and testing. Additionally, the U-M Weblogin logout screen was updated to reflect best practices when logging out of Shibboleth-protected services.

Although thousands of sites had transitioned off Cosign gradually over the past several years, there were still about 900 Cosign integrations at the start of 2022. The retirement of Cosign involved many system changes by both ITS and units, which were accomplished without any unanticipated outages or disruptions to university business functions.

For a summary of activities and resources that supported the Cosign Retirement, visit Cosign at U-M.

 

Inside IA

New Home for IA

Michigan Stadium's blue sign with maize block M, viewed from the North on a sunny day with sparse clouds and blue skies.

As of July 2023, ITS Information Assurance has a new home. 

The updated space in the Administrative Services Building (ASB) features an open, cafe-style common area as well as conference rooms, cubicles and offices.

Five ITS Information Assurance staff members with laptops near them smile and talk to each other in a modern, common area with high tables, low tables and sofas.

Being closer to Ann Arbor’s central campus creates opportunities to meet and collaborate with campus partners more easily. The conference rooms are well-equipped for in-person and virtual meetings.

Sol Bermann, U-M Chief Information Security Officer, highlights the benefits of the updated office space, “Not only is the space new and modern, but most importantly it enhances opportunities for in-person connections, which we have not had in recent years. We want to encourage enthusiasm, creativity, and fun in our shared work experiences in IA and having a space to meet in person supports that. We are fortunate to have such an excellent team, and now we have a place to bring everyone together.”

Just For Fun: Here’s the Ann Arbor District Library’s archival photo of 1009 Greene St. when it was being built.

 

IA Welcomes New Staff

Brick wall with a rainbow lettered sign hanging from it that reads WELCOME in all capital letters. Photo Credit: "Welcome" by Bob5D

In the last few months, IA has welcomed one new staff member, who brings experience and enthusiasm to the important work of securing the University of Michigan:  

Bridget Weise Knyal joins the IA family as the Lead Performance Support Analyst on the Education and Engagement team. She comes to us from ITS Infrastructure, where she most recently developed communications and documentation for the Telephone Upgrade Project. She brings years of experience in instructional design, education, writing, and communications. She enjoys hiking, gardening, travel, and spending time with her family and friends.

 

Summer 2023 Interns Dive into IA

Green street sign that reads Internship- Attribution (Alpha Stock Images)

The IA interns are a tightly-knit, easy-going group of nine bright students hailing from UM-Ann Arbor, UM-Dearborn, Eastern Michigan University, and Michigan Technological University. They have become close while working on a variety of assignments and projects in account management, cybersecurity, identity and access management, security operations, and disaster recovery planning.   

2023 ITS IA interns group photo with American, Michigan, and U-M flags.

These young IT professionals came to the internship program with many talents and accomplishments, but continue to learn and grow under the guidance of their IA colleagues. “I'd just done pure code before, but there's so much more that goes into putting out code to production,” shares Emily Chen. “Working as a team doing code reviews and working with pipelines–all of that was really new to me. Also, it's so much nicer to be able to apply those skills in a technical environment with other employees.” 

Steven Hou reflects, “This internship has really taught me the amount of collaboration needed to get a project done. Even though I've had experiences as a student seeing a project go from nothing to something, seeing the collaboration that's needed is mind-opening.” 

“The internship offers me the chance to be in a workplace where things are constantly changing, yet you always get to learn something new,” adds Riya Munot.

Learning more about the university as a workplace and the capabilities Michigan IT staff support has been eye-opening for the group of eager students. “The University is a big institution with a lot of departments. It's really interesting to see how connected they are and how the University deals with that,” says Anthony Tan.

The tour of Michigan Stadium also left the students impressed. “It was like the Wizard of Oz–like peering behind the curtain,” recalls Mitchell Carter. “We saw how technology is integrated within a set, aesthetic environment. When I think of IT, I think of a dusty room, people sitting around on computers, but this IT is the central infrastructure for every event, every stadium, every place where exciting things are happening.”

The IA interns recognize and appreciate the many opportunities to build relationships with Michigan IT colleagues. “You meet so many people who know people, and people you can stay in contact with to get future opportunities,” reflects John Umbriac.

Brandon Huynh shares that he is learning a lot from his manager, who is also his mentor and instructor. Kurt Holland highlights his experience with cohort project selection, “They (U-M internship coordinators) had people come in and present project options from LSA, Michigan Medicine, and all across the board.”

As their internship experience draws to an end, the students reflect on its value to their future endeavors. “I'm feeling more confident about going through the next year and then graduating because I think, Oh, yeah, I'll be able to find a job. I have a lot of skills,” Courtney Banks sums it up.

 

Summer Reading

Book cover image for Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro - red with black lettering for title and below a painting of a blue/black serious bear wearing a men's suit and tie

Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro weaves at least five compelling story lines:

  • A history of hacks—recounted in detail.
  • An exploration of the psychology and development of hackers.
  • A dive into ethics and human behaviors that enable hackers to thrive.
  • The evolution of the efforts of governmental agencies and tech giants trying to stop hackers.
  • A critique of the thinking behind approaches to protecting ourselves from harmful hacking.

That is a mouthful of story lines, but “weaving” is an oversimplification of the balancing act the author performs to sustain them throughout the book. Just before a reader detects a need to learn more about the psychology of a hacker, that storyline enters stage left and picks up the plot. When one needs a dose of technical explanation to comprehend how difficult a hack would be to regulate, it appears from the wings. Shapiro’s empathy for the reader is the invisible force that directs all the moving parts.

To top it off, it is witty. Shapiro’s commentary elicits more than a handful of chuckles out loud. It is a well-researched, elegantly-written story told with humility and humor by a real storyteller.

For an in-depth review, see Jennifer Szalai’s Book Review: ‘Fancy Bear Goes Phishing: Tales of Harmful Hacks’ in The New York Times.

Note: To access this article through your University of Michigan-provided subscription, use this link and log in using your U-M Single Sign On.

For more fiction and non-fiction books related to data privacy, check out bookauthority.org’s 20 Best Data Privacy Books of All Time.

 

Project & Capability Updates

Successful Upgrade to Sponsor System

Two young people sitting and talking in a university public space, with a few other students in the background.

In late June, the Sponsor System, which is used to create uniqnames and online identities for sponsored affiliates, was successfully upgraded. The Sponsor System allows units to sponsor people as members of the U-M community for specified periods of time. Sponsored affiliates include, for example, short-term guests, contractors, incoming faculty/staff who need access to U-M resources before the hiring process is complete, and others.

The upgrade provided users with an improved interface that is more intuitive and better meets accessibility standards. While most business functions and processes remained the same, some enhancements were as follows:

  • Self-service password creation was expanded so that all sponsored people with regular uniqnames choose their own passwords. All uniqnames require a non-UMICH email address that may be used by the sponsored person to set up their initial password.
  • The process for creating multiple temporary uniqnames by uploading a list of names and email addresses can be used by all users. Previously, some users submitted spreadsheets to the ITS Service Center to be uploaded, which is no longer necessary because of improvements to processing speed and reliability.

For more information:

 

Vulnerability Management Improvement — Agents Available

Vulnerability Management is fundamental to proactively identifying and remediating vulnerabilities in U-M systems, and is a critical part of the university's IT security program. ITS Information Assurance (IA) provides Vulnerability Management scanning (Tenable) for units to enhance unit IT's ability to find and fix vulnerabilities on their systems.

Units can improve their scanning results and gain deeper local knowledge by installing the Tenable agent on unit systems. This allows units to run vulnerability scans of their own systems similar to the scans IA runs against systems on U-M networks. The agent is low-impact and can scan a system whether or not it is on a U-M network, an important capability in the age of remote work.

Some other advantages of the Tenable agent are that it allows units to:

  • Specify unique groups to use for system scanning (e.g., MyCampusUnit Windows Servers, MyCampusUnit Linux Servers, MyCampusUnit Workstations).

  • Create, edit, and execute Tenable scans independently and when desired.

  • View and analyze results from performed scans.

  • Obtain a high-level or drilled-down view of scan results across their unit's systems.

  • Control who in their unit has access to Tenable via an Active Directory group.

Units that have not yet added the Tenable agent to their systems can contact IA through the ITS Service Center to begin the process of using Tenable to help meet our shared responsibility of keeping U-M systems and data secure.

 

Upcoming Changes to Duo Two-Factor Authentication

University of Michigan Block M and DUO green logos swirling around a blue circle that says Protected By

Duo has released a new Universal Prompt to replace their traditional two-factor authentication prompt that U-M currently uses. ITS Identity and Access Management (IAM) is planning to switch U-M Weblogin to use the Duo Universal Prompt in early 2024. Visit the Upcoming Changes to Duo page on Safe Computing to see an example. 

The advantages of the Universal Prompt include:

  • Streamlined login experience for users, such as defaulting to the last-used authentication method and automatically sending a Duo Push notification when push is that method.
  • Designed and tested to meet Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level.
  • Support for more types of hardware security keys.

Users will not need to change anything to log in with the new Universal Prompt. 

  • There is no change to the Duo Mobile app.
  • All the methods that people currently use to log in will carry into the new prompt.

Units that have their own instances of Duo applied to their logins will receive detailed communications from IAM on how to prepare for and implement the new prompt.

 

Shared Responsibility & Unit Support

Plan Ahead: Store or Move Personal Data to Personal Accounts

It is challenging for others to access personal information left in a U-M account after you leave the university, particularly if you are no longer present to assist them. The university cannot always guarantee access for next of kin or U-M colleagues, so it’s important to be proactive in order to avoid future delays or frustration.

Plan Ahead

While the University permits some latitude for employees to use University resources to conduct personal matters (see SPG 601.11), U-M encourages you to move personal information to personal accounts (or into a folder marked “personal-private”). 

Taking these steps may save your loved ones from delays or frustration in the future:

U-M Protects your Privacy

  • Many users retain access to U-M standard computing services when they leave U-M as detailed in Leaving U-M. These services are provided to you as an individual who has a qualifying relationship with the university.
  • Access to your accounts or file storage is not intended to be shared with others and U-M will generally not provide access to your accounts or files.

If family or others with appropriate legal standing need access to someone's personal data when that person is no longer able to provide it, those persons will need to follow the process for Requesting Account Access for Next of Kin and Others. This process is not a guarantee of access, but U-M will consider requests on a case-by-case basis.

 

SUL Profile: Sonam Yadav

Photograph of staff member Sonam Yadav in front of a green leafy bush. She is smiling, wears glasses and is wearing a red top.

ITS Information Assurance relies on engaged, excellent Security Unit Liaisons (SULs) to support the U-M community in IT security, privacy, identity and access management, policy, and compliance. The liaisons are vital partners in supporting the university’s security posture.

ITS thanks the SULs and shines a spotlight on their unique work.

For this issue, we met up with Sonam Yadav, Data Security Analyst/IT Security Specialist, U-M Facilities and Operations.

Sonam Yadav is driven by her lifelong love of learning and sustained by a never-give-up attitude that she cultivated as a young person going to school in India.

“I am a very positive person. I prefer to never give up. That is my practice. There is some solution, and I just keep trying until I find it,” she says.

Yadav lived with her grandparents most of the time as a child because her father was in the Indian army and was posted all across the country. Her grandfather, who was her role model, professed high hopes that she would be a doctor. When she was in first grade and her grandfather picked her up from school each day, he greeted the teacher and said, “‘Send my doctor.’”

Yadav worked diligently in school to pave the way for her future. At the advice of her grandfather, she spent hours practicing math, which did not come easily, and was often at the top of her class. 

Yadav suffered a setback when she experienced personal upheaval and changed schools during secondary school. She recalls, “I failed my final exam, but I didn’t give up. Next time, I passed.” After that, she received excellent grades and was placed in a good college for engineering.

Ultimately, she studied computer science in college. Her grandfather was pleased – he had only wanted her to be happy and independent. She has applied her knowledge in the workplace and powered through two Master’s degrees–one in computer science and one in cybersecurity.

Yadav reflects, “I always like to learn new things. Cybersecurity is a field for people like me who like to learn new things every day.” This serves her well as an analyst and in her role as a Security Unit Liaison for Facilities and Operations.

Yadav notes, “Facilities and Operations has a very broad and diverse infrastructure.” Although she has only worked at U-M for approximately a year, she has learned to spread the word to the diverse departments she represents. 

Yadav sends emails to unit staff and disseminates alerts, patches, and updates that come from Information Assurance. She says, “Safe Computing is a huge resource for getting information and staying compliant.” She highlights Safe Computing content in her regular meetings. Her team also has an Operational Support newsletter for Facilities and Operations, as well as regular all-staff meetings for Information Services. She notes, “Collaboration is the key that makes us successful in achieving our goals.”

Other ways Yadav’s team stays current and compliant include:

  • Completing external assessments with Information Assurance to stay compliant with policies, in addition to performing internal security assessments.
  • Scanning internally and in collaboration with Information Assurance in order to improve their security posture.
  • Participating in the Sensitive Data Discovery program.
  • Learning about new technologies at next-generation security meetings.
  • Ensuring staff are up to date with training.
  • Following the principle of least privilege, granting access based on roles and groups.

When asked to share advice for others just starting out in cybersecurity, Yadav offers:

  • “Security plus functionality together is best. If you are trying to make something 100% secure but you do not give access to anything, then what is the point?”
  • Focus on detecting indicators of compromise. 
  • Do not miss any upgrades or patches.

Yadav recognizes that she does not do this work alone and is grateful that she works with “a very proactive and collaborative team” that is “supportive and inclusive.” 

Stay tuned for future SUL interviews, and if interested, reach out to Bridget Weise Knyal.

 

Help Spread Awareness of U-M Job Offer Scams

Michigan students gathered in a lobby/snack area talking and using devices.

This past spring, Information Assurance (IA) sent an email to all current and incoming students to warn them to be on alert for phishing emails offering fake jobs. However, email communication may not reach everyone who needs the information at the right time. Please share the following as appropriate with students and student-facing staff to help us spread the word.

If a student receives an email offer for a U-M internship or job, they should follow these tips:

  • Ask yourself questions before acting on the email: How likely are you to get an offer like this without applying for the position or having an interview? Do you know the person offering the job?
  • Check email addresses carefully! Is that a real U‑M address? Is it in MCommunity? Does the reply‑to address match the sending one? See more information in How to Spot a Spoof.
  • Check with the sender. If you think the offer could be real, look up the sender in MCommunity and email or call them using the contact info listed there to make sure you aren't replying to a possible scam.
  • Do not respond. Do not click any link in the message, or provide personal information or money.
  • Report phishing or other email abuse to ITS IA. IA publishes Phishing & Scam Alerts that are active in our community. Get more information about these and other scams on the Safe Computing website.
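The two header checks in the tips above (is the sender really on a U-M address, and does the Reply-To match the sender) can be applied mechanically to a raw message. The following is an added example, not code from the newsletter or from ITS: it parses a message with Python's standard email library and reports the red flags it finds. The MCommunity lookup needs a live directory query and is left out. The trusted-domain list, the "umich" lookalike token, and both sample messages are constructed assumptions for illustration.

```python
"""Added example (not from the newsletter): apply the header checks from the
job-offer scam tips to a raw email message.

The MCommunity lookup in the tips needs a live directory query, so it is out
of scope here; this covers the purely local checks: is the From address on a
U-M domain, does the display name imitate one, is the domain a lookalike,
and does Reply-To point somewhere other than the sender. TRUSTED_DOMAINS,
BRAND_TOKEN and both sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains accepted as genuine U-M sender domains (subdomains included).
TRUSTED_DOMAINS = ("umich.edu",)
# Assumption: a non-trusted domain containing this string is treated as a lookalike.
BRAND_TOKEN = "umich"


def split_address(header_value: str) -> tuple[str, str, str]:
    """Return (display_name, address, domain) parsed from a From/Reply-To header."""
    name, addr = parseaddr(header_value or "")
    return name, addr.lower(), addr.rpartition("@")[2].lower()


def is_trusted_domain(domain: str) -> bool:
    """True for a trusted domain or any of its subdomains (e.g. its.umich.edu)."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_headers(raw_message: str) -> dict:
    """Inspect From and Reply-To and return the red flags found.

    Result keys: from_domain, reply_to_domain (None if absent), flags (list of
    strings) and suspicious (True when any flag was raised).
    """
    msg = message_from_string(raw_message)
    flags = []

    from_name, from_addr, from_domain = split_address(msg.get("From"))
    if not is_trusted_domain(from_domain):
        flags.append(f"From address {from_addr!r} is not on a U-M domain")
        # A display name such as "umich.edu HR Office" wrapped around a
        # free-mail address is the spoof pattern the tips describe.
        if any(d in from_name.lower() for d in TRUSTED_DOMAINS):
            flags.append(f"display name {from_name!r} imitates a U-M address")
        if BRAND_TOKEN in from_domain:
            flags.append(f"From domain {from_domain!r} looks like a U-M lookalike")

    reply_to_domain = None
    if msg.get("Reply-To"):
        _, reply_addr, reply_to_domain = split_address(msg.get("Reply-To"))
        # Replies routed to a different domain are the tell-tale mismatch.
        # Two different U-M subdomains (umich.edu vs its.umich.edu) are not
        # flagged, since that is normal for genuine mail.
        both_trusted = is_trusted_domain(from_domain) and is_trusted_domain(reply_to_domain)
        if reply_to_domain != from_domain and not both_trusted:
            flags.append(f"Reply-To {reply_addr!r} goes to a different domain than From")
        if BRAND_TOKEN in reply_to_domain and not is_trusted_domain(reply_to_domain):
            flags.append(f"Reply-To domain {reply_to_domain!r} looks like a U-M lookalike")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "flags": flags,
        "suspicious": bool(flags),
    }


# Constructed sample: a typical fake job offer.
SCAM_SAMPLE = """\
From: "umich.edu HR Office" <hr.office.recruit@gmail.com>
Reply-To: hiring@umich-careers.com
To: student@umich.edu
Subject: Part-time Research Assistant - immediate start

You have been selected for a $450/week remote position. Reply with your
phone number and home address to begin.
"""

# Constructed sample: legitimate mail whose Reply-To is a U-M subdomain.
LEGIT_SAMPLE = """\
From: Jane Doe <jdoe@umich.edu>
Reply-To: careers@its.umich.edu
To: student@umich.edu
Subject: Follow-up on your application

Thanks for applying. Let's schedule an interview next week.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = assess_headers(sample)
        print(f"{label}: suspicious={result['suspicious']}")
        for flag in result["flags"]:
            print("  -", flag)
```

Run as a script, the constructed scam message raises four flags (free-mail sender, impersonating display name, mismatched Reply-To, lookalike Reply-To domain) and the legitimate message raises none. The subdomain exception matters in practice: genuine U-M mail routinely has a Reply-To on a different U-M subdomain than the From, and a naive exact-match comparison would flag it.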

Additional toolkit resources to help spread awareness include:

 

Summer 2023 Security Guides to Share

Checklist icon with a house icon and an alert bell, plus an ellipsis layered on top of a pink laptop background.

ITS Information Assurance (IA) publishes unit security checklists to support units in their shared responsibility to protect U-M systems and data. 

This time, we are providing an online hygiene guide and a special edition guide designed to help faculty, staff, and students.

Please check them out and share them with those in your unit. They are linked in the Be Safe Online section of the Safe Computing website.

 

Reminders & Events

Big Ten Chief Information Security Officers Converged at U-M

Big 10 Academic Alliance Logo blue background with white text

In mid-July, U-M’s ITS Information Assurance (IA) team hosted the Big Ten Academic Alliance’s summer meeting of CISOs. This CISO working group meets regularly and is uniquely open and collaborative–sharing ideas and innovative solutions to support the vital mission of higher education information security.

Rich Nagle, Associate Vice President and CISO at Ohio State University describes his experience with the group, “Everyone outside of the Big Ten really sees it as a sports conference. When I explain how we work together, people are surprised.” He adds, “I have so much trust in the members of this group. If I have a question and I reach out, within an hour I have incredible partners opining on the issue.”

The group discussed developments in higher education information security and privacy, including generative AI, the latest in threats, and how to best support research initiatives in a secure and compliant manner. The ITS IA team also spotlighted U-M’s innovative tools and capabilities, such as Michigan Intelligence for Threat Negation (MITN) (shared threat intelligence), Blacklight (web privacy), and the Network Border Infrastructure System (security threat detection and mitigation).

Vice President of Information Technology and Chief Information Officer Ravi Pendse made a guest appearance and shared his insights on the state of higher education information security. He also described how empathetic and flexible leadership, as well as creative collaboration with campus units, build critical pathways to success.

 

In the News

Managed File Transfer Under Attack

In what might be one of the farthest-reaching data breaches in recent years, hackers compromised the managed file transfer (MFT) software MOVEit. By attacking the point of file transfer, instead of individual companies, the hackers were able to gain access to data from a much larger number of organizations than they would have by attacking each separately.
 

Explainer: How MOVEit breach shows hackers' interest in corporate file transfer tools.
(Reuters)

 

Biobanks, Critical to Public Health Research, May Need New Consent Model

Modern biobanks collect huge amounts of data and share it with researchers, leading to breakthroughs in public health and medicine. They may also need to find new ways to explain how this complex system works to research study participants so that they feel their privacy is protected.
 

Researchers can learn a lot with your genetic information, even when you skip survey questions – yesterday’s mode of informed consent doesn’t quite fit today’s biobank studies.
(The Conversation)

 

Tips to Share

Artificial Intelligence and U-M Institutional Data

White, human-shaped droid with fingers under chin in a concentrating posture with a dark, chalkboard background with formulas/data under spotlights.

Artificial Intelligence (AI) tools are rapidly proliferating and being experimented with across all sectors and disciplines. At U-M, the Generative AI Committee is exploring their implications for the university, and ITS has even released the beta U-M GPT, which uses Generative Pre-trained Transformer (GPT) and other AI language models to provide human-like responses to questions or requests. In addition, the committee has provided its detailed assessment of the opportunities and challenges posed by generative AI in the Generative AI Committee Report.

One important consideration is how to protect sensitive information and U-M institutional data while exploring new possibilities with AI. ITS Information Assurance has published Artificial Intelligence and U-M Institutional Data on the Safe Computing website for guidance and resources to ensure appropriate use of data with AI. 

Guidance for protecting U-M data when using AI includes:

  • AI tools should only be used with institutional data classified as LOW.
  • Do not use ChatGPT or other AI with information such as student information regulated by FERPA, human subject research information, health information, HR records, etc.
  • AI-generated code should not be used for institutional IT systems and services unless it has been reviewed by a human and meets the requirements of Secure Coding and Application Security (DS-18).

As is the case with rapidly-evolving technology, AI will be undergoing further institutional review and analysis, and you can expect this guidance to change. For now, please take care and follow the guidance above when using U-M institutional data with AI tools.