U-M Safe Computing Newsletter

As always, I am grateful for those that engage in the shared responsibility of protecting U-M systems and data.

This year, I want to highlight the retirement of Cosign, 20 years after its inception at U-M, as an important milestone in U-M IT history. As part of the retirement,  in November, we celebrated with an open house to share memories, including with some who pioneered and maintained it.

Retiring Cosign involved many complex systems and required collaboration within ITS and across all U-M campuses. We should all be proud of this accomplishment, which was achieved without any disruptions to university business operations. I am thankful for the ITS and Michigan IT colleagues who came together to complete this project. You have proven yet again that we are stronger when working in collaboration. 

In a spirit of gratitude and in support of our shared responsibility to protect the university, ITS Information Assurance would like to offer a SANS Institute Cybersecurity & Certification Course voucher to the first three Michigan IT staff members who contact Kim Wheeler at [email protected]. 

Thank you to the entire U-M IT Security community for your incredibly valuable partnership and unwavering commitment to protecting the University of Michigan.

Sol Bermann

Executive Director of Information Assurance and Chief Information Security Officer

In the last few months, IA has welcomed two new staff members, who bring experience and enthusiasm to the important work of securing the University of Michigan:  

Andrew Durand joined the Design and Engineering team in IA as a Technical Writer. Andrew has been a technical writer for 7 years and comes to us from Workforce Software where he collaborated with software engineers and product managers to develop user guides, release notes, and configuration documentation. Andrew has a Master’s degree in Technical Communication from Eastern Michigan and enjoys short walks through downtown Fenton, paddling in his kayaks, and hiking on the nearest trail. He is assisting IA and ARC efforts by writing technical documentation required for regulatory compliance.

Jeenali Kothari joined the IA family as a Data Security Analyst. She is pursuing a master's in Cybersecurity and Information Assurance at UM-Dearborn, looking to graduate in December. She is a certified Ethical Hacker and brings experience in Information Assurance, Penetration Testing, and Digital Forensics. She enjoys doodling, traveling, cooking, and kayaking.

U-M will transition to the new Duo Universal Prompt on Tuesday, February 20, 2024, in preparation for when Duo ends support for its current prompt experience on March 30, 2024. Duo is implementing this prompt change across their entire platform, not only for U-M.

The advantages of the Universal Prompt include:

• Streamlined and more intuitive login experience for users
• Automatically prompts users to approve via their last-used authentication method
• Improved Web Accessibility
• Supports more types of hardware security keys

Users will not need to change anything to log in with the new Universal Prompt. 

• No change to the Duo Mobile app
• Authentication methods currently in place will carry over into the new prompt

Over the coming months, ITS will provide transition support to unit application owners who have integrations with Duo applied to their system-specific logins. This includes detailed communications and support sessions to prepare for and implement the new prompt.

To see an example and learn more about Duo’s new Universal Prompt, visit the Upcoming Changes to Duo page on Safe Computing.

The University of Michigan adopted CrowdStrike Falcon as our enhanced endpoint protection for U-M devices in March 2020. The value and impact were immediately apparent and, since then, CrowdStrike has matured as a valued partner for protecting the university and its digital assets. In that time, CrowdStrike Falcon has been a critical tool in blocking, detecting, and remediating numerous threats to the university.

Endpoint Protection

As an endpoint protection product, Falcon replaces what many "antivirus" or "antimalware" tools have done in the past. Just a few of its endpoint protection functions include:

• Preventing a wide variety of malware and potentially dangerous downloads and code executions.
• Providing ITS Information Assurance (IA) staff and unit partners with alerts of possible danger or compromise.
• Facilitating deployment of rules to protect data and devices, and providing for granular control of exceptions, making it adaptable to many use cases.

Evolving and Maturing

In October 2023, IA announced that U-M has expanded its use of Falcon to include the CrowdStrike Falcon Complete service. This service provides 24/7 managed detection and response support from CrowdStrike, with their analysts acting as an extension of the IA SOC team. This additional support allows the IA team to more rapidly deploy additional CrowdStrike functionality, including Identity Threat Protection and Exposure Management.

New and Upcoming Enhancements

As we near the end of 2023, we are beginning a CrowdStrike Cloud Pilot. This new capability protects cloud assets in the same way CrowdStrike Falcon protects our other systems. If your unit wants to be involved in the pilot, please submit a ticket through the ITS Service Center.

Reminder: All U-M computers, including laptops, desktops, and servers, capable of running the CrowdStrike sensor must have Falcon installed for endpoint protection. This applies to physical or virtual machines, and any virtual machines hosted on cloud services (e.g. Amazon), which are running a compatible version of Windows, Mac OS, or Linux.

If you or your unit need help getting CrowdStrike Falcon installed on your systems, please contact IA through the ITS Service Center.

ITS Information Assurance relies on engaged and collaborative Security Unit Liaisons (SUL) to support the U-M community in IT security, privacy, identity access management, policy and compliance. The liaisons are vital partners in protecting the university’s digital assets.

We asked Matt Bidlingmeyer, IT Program Manager in the College of Literature, Science, & the Arts (LSA) and a Security Unit Liaison, to chat with us about his experience and priorities.

Stay tuned for future SUL interviews and, if interested in participating, reach out to Bridget Weise Knyal ([email protected]).

Expanding Awareness

Matt Bidlingmeyer, IT Program Manager in LSA, has a large audience to consider when sharing cybersecurity information across the LSA community. Because he knows people consume information in different ways, he makes a point to use digital signage, articles in the Innovate Newsletter, and blurbs in the Chief Financial Officer’s weekly administrative emails. His topics include what is top-of-mind in cybersecurity and the scam of the month.

While these methods have been successful, Bidlingmeyer notes, “We can send things out, and people can read them, but we also know people can ignore them.” His security team strives to enhance their connection with departments by meeting with them about their unique security concerns given their business or research needs.

During this type of meeting, Bidlingmeyer points out: “Here are the things that you might get specifically targeted for” and reinforces the message “Here's how to reach us. We are here to help.” Also, he emphasizes that these meetings are a valuable opportunity to put a face with a name.

New Security Fellowship Program

Bidlingmeyer is excited about taking engagement a step further with LSA Technology Services’ (TS) new Security Fellowship Program. Beginning as a pilot in January 2024, their cybersecurity team aims to build awareness and foster career development of interested TS staff. Bidlingmeyer elaborates, “Participants will spend five months working with the cybersecurity team to learn the ins and outs of cybersecurity operations in LSA. After the pilot, any of the 180 full-time employees in TS can express interest in being invited into the rotating fellowship program.”

One goal of the program is that a staff member who has been through it can bring awareness and knowledge gained during the experience back to their role in their department. Bidlingmeyer explains, “That person might be in Tier One or talking to a faculty member, and they can help reinforce the message because hopefully we've done a very good job teaching them what's important and why it matters.” 

(ITS has a similar program called the ITS Cross-Training Opportunity Program.)

Tips that Resonate

When talking with people who are not immersed in cybersecurity, Bidlingmeyer recommends trying to “engage with people to understand where they're coming from based on their experiences and meet them where they are, which is not necessarily where we think they are.” For example, he finds that some instructors may not think they work with sensitive data because they’re thinking of social security numbers and not the FERPA-protected student information they work with regularly. 

As another example, when a person does not see their device as having anything important on it, he uses smart light bulbs as an example: “You know, threat actors can leverage the internet of things – devices like smart light bulbs. If your computer is connected to the network, it can be a vector of attack.” Finding a message or example that resonates is key to Bidlingmeyer’s approach.

When it comes to phishing emails, Bidlingmeyer is intentional about encouraging reporting. He and his team make a point to say, “Thanks for reporting this. We love that you're paying attention.” If the email is legitimate, they add, “This one happens to be legitimate, but if there's ever any worry, please reach out. We would love to see all sorts of false positives rather than something that actually is an issue go unreported.” Bidlingmeyer’s staff uses this approach to combat what he calls a cultural tendency among staff and faculty to feel they are bothering IT.

Helpful Tools and Resources

Bidlingmeyer values Crowdstrike Falcon as an endpoint detection and response (EDR) tool because it has a low rate of interference. He elaborates, “We need to do very minimal allow-listing of applications or programs. We have so many researchers doing so many unique things that if it didn't have a low rate of interference, the exception list would either have to grow ridiculously, or our researchers would be frustrated with us.”

ITS Information Assurance was engaged by Bidlingmeyer to develop a new resource this past summer – the Online Harassment & Abuse Mitigation Checklist. He collaborated with a team led by Sol Bermann, Executive Director of Information Assurance and Chief Information Security Officer, and Asmat Noori, Information Assurance Assistant Director to create tools for Dr. Earl Lewis, Thomas C Holt Distinguished University Professor of History, Afroamerican and African Studies, and Public Policy; and Director/Founder of the Center for Social Solutions. Bidlingmeyer says the checklist will provide comfort and resources to people across the university as more and more people are affected: “Even if they're not getting harassed, they know their colleagues are, even if they're at other universities. We're giving them tools to both proactively and reactively approach those scenarios.”

As a go-to resource, Bidlingmeyer always appreciates the Safe Computing website, particularly the Sensitive Data Guide. He notes, “I love the examples because they really resonate with people. The information about where people can store their data is just as important.”

One of the ways in which ITS Information Assurance (IA) works to protect the university and its community members is by developing and disseminating education and engagement materials. Over the years, we have released training courses, articles, posters, videos, and social media campaigns. We have hosted event series and developed innovative web resources, such as the Sensitive Data Guide and ViziBLUE. 

We always strive to partner with the U-M security community to gather feedback and promote these materials. In 2024, we will convene an IA Education and Engagement working group to discuss new ideas for reaching our broad and diverse audience, as well as review IA resources and campaigns that are in the works.

Are you passionate about education? Do you have an eye for design? Do you have ideas for compelling ways to improve security and privacy awareness for U-M students, faculty, and staff? Express your interest in joining the working group by writing to [email protected].

For over 20 years, ITS Information Assurance (IA) has invited U-M students to test their awareness of IT security and privacy issues and best practices. This year, the Challenge will run from Monday, January 15, through Friday, February 2, 2024 and include even more privacy topics in recognition of Data Privacy Day (celebrated annually on January 28).

• The new Cybersecurity + Privacy Challenge will be offered to U-M students on all campuses (including medical students). Those who score 90% or higher on the 10-question quiz will be entered into a drawing for prizes. 
• New this year! The prizes will be ITS Tech Shop gift cards instead of specific tech merchandise. Students on all campuses will be able to choose the items they want or use the gift cards toward larger technology purchases.

ITS IA promotes IT security and privacy best practices and provides educational resources to help protect U-M community members and the university. Here’s how you can join us on this important mission:

• Spread the word to students in your unit about the upcoming Challenge by using this promotion toolkit. It contains digital signs, banner images, a QR code, and a poster
• Look for information coming soon about Privacy@Michigan events; and access recordings of past speakers from security, privacy and Dissonance events at  ITS Information Assurance Events.
• Visit the Safe Computing website for IT security and privacy tips.

Data Privacy Day is on January 28 and, every year, we celebrate it with a variety of university-wide Privacy@Michigan events in the months of January and February.

Celebrations of Data Privacy Day 2024 will feature:

• Speakers co-hosted by ITS and the School of Information.
• A revamped Cybersecurity + Privacy Challenge for all U-M students.
• A new web resource exploring the history of surveillance, much like our History of Privacy Timeline.
• Promotional activities for our leading privacy initiatives, Six Words about Privacy and ViziBLUE.

More information about these events will be posted on our Privacy@Michigan event page in the coming weeks. In the meantime, visit the Privacy section of the Safe Computing website.

AI Helps Determine Word of the Year

It's impossible to look at tech news without seeing stories of the perils and promises of artificial intelligence. A lot of the conversation revolves around whether or not humans can detect AI generated content. States like Michigan are grappling with the possibility of AI generated political ads, and concerns continue to rise about AI being used to generate dangerous and illegal content. All this fear of fakes has provided the backdrop for Merriam-Webster’s word of the year, “authentic.”
Merriam-Webster’s word of the year – authentic – reflects growing concerns over AI’s ability to deceive and dehumanize.

Hacks of Large Businesses Highlight Ransomware Dangers

High-profile hacks of large business interests have shown that even big and powerful institutions, such as casinos and utilities, are vulnerable to cyber attacks. One of the biggest recent attacks left Wall Street scrambling and the world's biggest bank trying to trade by USB stick. Ransomware attack on China’s biggest bank disrupts US Treasury market.

Image: Authentic by Nick Youngson CC BY-SA 3.0 Alpha Stock Images

U-M students and employees have reported incidents of phishing that leverage legitimate services, such as Duo and Docusign, to lure them into providing a Duo passcode or accessing documents that link to fake login pages.

How it Works

Threat actors are increasingly using legitimate services for malicious activities including to obtain login credentials, Duo passcodes, and other personal information.

Document Services: Threat actors send phishing emails from services used at U-M like DocuSign, Google, Office365, or Adobe Creative Cloud to lure you to a document with a link to a fake login page.

Duo: The Duo service is leveraged in two different ways to trick people into providing login information and/or Duo passcodes.

• A threat actor uses a fake login page to capture a person’s login information. The fake login then leads to a fake Duo prompt, specifically asking for a passcode. If the person then enters a Duo passcode (or passcodes), they can be used, along with the stolen login information, to access accounts fraudulently.

• An unexpected Duo push is sent to a person when they are not trying to log in. In this situation, a threat actor has used their stolen login information to log in to their account and is attempting to use Duo to complete the multi-factor authentication. If the person clicks “Approve,” the threat actor will be able to access their account. Pushes may occur repeatedly and persistently, trying to get the person to approve – capitalizing on multi-factor authorization fatigue.

How to Protect Yourself 

• If you receive a Duo prompt that only gives you the option to use a passcode, report it.

• If you receive a Duo push when you are not trying to log in, click “Deny” and report it as fraud in Duo.

• If you receive a suspicious message, such as an unexpected document through a document service, report it.

• Before entering your UMICH (Level-1) password on a web page, check the web address/URL. UMICH Single Sign On begins with https://weblogin.umich.edu/.

• See the Phishes & Scams page of Safe Computing for more details, how to report phish, and what to do if you get caught, e.g. change your UMICH (Level-1) password immediately:

  • Phishing Alert: Scams Utilizing “Secure” Document Services, e.g. DocuSign

  • Phishing Alert: Scams Utilizing Duo to Steal Pass Codes or Prompt Pushes