Fall 2023

Leadership Update

Letter from Sol Bermann: Wrapping Up 2023 with Gratitude

Type setting block spelling the word THANKS, resting on a table with white twinkle lights behind it.

As always, I am grateful for those that engage in the shared responsibility of protecting U-M systems and data.

This year, I want to highlight the retirement of Cosign, 20 years after its inception at U-M, as an important milestone in U-M IT history. As part of the retirement, in November, we celebrated with an open house to share memories, including with some who pioneered and maintained it.

Retiring Cosign involved many complex systems and required collaboration within ITS and across all U-M campuses. We should all be proud of this accomplishment, which was achieved without any disruptions to university business operations. I am thankful for the ITS and Michigan IT colleagues who came together to complete this project. You have proven yet again that we are stronger when working in collaboration. 

In a spirit of gratitude and in support of our shared responsibility to protect the university, ITS Information Assurance would like to offer a SANS Institute Cybersecurity & Certification Course voucher to the first three Michigan IT staff members who contact Kim Wheeler at [email protected]

Thank you to the entire U-M IT Security community for your incredibly valuable partnership and unwavering commitment to protecting the University of Michigan.

Sol Bermann

Executive Director of Information Assurance and Chief Information Security Officer

 

Inside IA

IA Welcomes New Staff

Colorful refrigerator magnets on a white background spelling the word "welcome"

In the last few months, IA has welcomed two new staff members, who bring experience and enthusiasm to the important work of securing the University of Michigan:  

Andrew Durand joined the Design and Engineering team in IA as a Technical Writer. Andrew has been a technical writer for 7 years and comes to us from Workforce Software where he collaborated with software engineers and product managers to develop user guides, release notes, and configuration documentation. Andrew has a Master’s degree in Technical Communication from Eastern Michigan and enjoys short walks through downtown Fenton, paddling in his kayaks, and hiking on the nearest trail. He is assisting IA and ARC efforts by writing technical documentation required for regulatory compliance.

Jeenali Kothari joined the IA family as a Data Security Analyst. She is pursuing a master's in Cybersecurity and Information Assurance at UM-Dearborn, looking to graduate in December. She is a certified Ethical Hacker and brings experience in Information Assurance, Penetration Testing, and Digital Forensics. She enjoys doodling, traveling, cooking, and kayaking.

 

Project & Capability Updates

Duo Two-Factor Authentication Changes Coming February 20, 2024

Duo Universal Prompt screenshot showing a white background with "Check for a Duo Push to verify it's you," plus a link to other options for verifying.

U-M will transition to the new Duo Universal Prompt on Tuesday, February 20, 2024, in preparation for when Duo ends support for its current prompt experience on March 30, 2024. Duo is implementing this prompt change across their entire platform, not only for U-M.

The advantages of the Universal Prompt include:

  • Streamlined and more intuitive login experience for users
  • Automatically prompts users to approve via their last-used authentication method
  • Improved Web Accessibility
  • Supports more types of hardware security keys

Users will not need to change anything to log in with the new Universal Prompt. 

  • No change to the Duo Mobile app
  • Authentication methods currently in place will carry over into the new prompt

Over the coming months, ITS will provide transition support to unit application owners who have integrations with Duo applied to their system-specific logins. This includes detailed communications and support sessions to prepare for and implement the new prompt.

 

To see an example and learn more about Duo’s new Universal Prompt, visit the Upcoming Changes to Duo page on Safe Computing.

 

CrowdStrike Falcon Update

CrowdStrike Falcon icon, red falcon on dark gray background.

The University of Michigan adopted CrowdStrike Falcon as our enhanced endpoint protection for U-M devices in March 2020. The value and impact were immediately apparent and, since then, CrowdStrike has matured as a valued partner for protecting the university and its digital assets. In that time, CrowdStrike Falcon has been a critical tool in blocking, detecting, and remediating numerous threats to the university.

Endpoint Protection

As an endpoint protection product, Falcon replaces what many "antivirus" or "antimalware" tools have done in the past. Just a few of its endpoint protection functions include:

  • Preventing a wide variety of malware and potentially dangerous downloads and code executions.
  • Providing ITS Information Assurance (IA) staff and unit partners with alerts of possible danger or compromise.
  • Facilitating deployment of rules to protect data and devices, and providing for granular control of exceptions, making it adaptable to many use cases.

Evolving and Maturing

In October 2023, IA announced that U-M has expanded its use of Falcon to include the CrowdStrike Falcon Complete service. This service provides 24/7 managed detection and response support from CrowdStrike, with their analysts acting as an extension of the IA SOC team. This additional support allows the IA team to more rapidly deploy additional CrowdStrike functionality, including Identity Threat Protection and Exposure Management.

New and Upcoming Enhancements

As we near the end of 2023, we are beginning a CrowdStrike Cloud Pilot. This new capability protects cloud assets in the same way CrowdStrike Falcon protects our other systems. If your unit wants to be involved in the pilot, please submit a ticket through the ITS Service Center.

Reminder: All U-M computers, including laptops, desktops, and servers, capable of running the CrowdStrike sensor must have Falcon installed for endpoint protection. This applies to physical or virtual machines, and any virtual machines hosted on cloud services (e.g., Amazon), that are running a compatible version of Windows, macOS, or Linux.

If you or your unit need help getting CrowdStrike Falcon installed on your systems, please contact IA through the ITS Service Center.

 

Shared Responsibility & Unit Support

SUL Profile: Matt Bidlingmeyer, Creating Cybersecurity Connections

Headshot of Matt Bidlingmeyer, U-M IT Program Manager at LSA.

ITS Information Assurance relies on engaged and collaborative Security Unit Liaisons (SUL) to support the U-M community in IT security, privacy, identity access management, policy and compliance. The liaisons are vital partners in protecting the university’s digital assets.

We asked Matt Bidlingmeyer, IT Program Manager in the College of Literature, Science, & the Arts (LSA) and a Security Unit Liaison, to chat with us about his experience and priorities.

Stay tuned for future SUL interviews and, if interested in participating, reach out to Bridget Weise Knyal ([email protected]).

Expanding Awareness

Matt Bidlingmeyer, IT Program Manager in LSA, has a large audience to consider when sharing cybersecurity information across the LSA community. Because he knows people consume information in different ways, he makes a point to use digital signage, articles in the Innovate Newsletter, and blurbs in the Chief Financial Officer’s weekly administrative emails. His topics include what is top-of-mind in cybersecurity and the scam of the month.

While these methods have been successful, Bidlingmeyer notes, “We can send things out, and people can read them, but we also know people can ignore them.” His security team strives to enhance their connection with departments by meeting with them about their unique security concerns given their business or research needs.

During this type of meeting, Bidlingmeyer points out: “Here are the things that you might get specifically targeted for” and reinforces the message “Here's how to reach us. We are here to help.” Also, he emphasizes that these meetings are a valuable opportunity to put a face with a name.

New Security Fellowship Program

Bidlingmeyer is excited about taking engagement a step further with LSA Technology Services’ (TS) new Security Fellowship Program. Beginning as a pilot in January 2024, their cybersecurity team aims to build awareness and foster career development of interested TS staff. Bidlingmeyer elaborates, “Participants will spend five months working with the cybersecurity team to learn the ins and outs of cybersecurity operations in LSA. After the pilot, any of the 180 full-time employees in TS can express interest in being invited into the rotating fellowship program.”

One goal of the program is that a staff member who has been through it can bring awareness and knowledge gained during the experience back to their role in their department. Bidlingmeyer explains, “That person might be in Tier One or talking to a faculty member, and they can help reinforce the message because hopefully we've done a very good job teaching them what's important and why it matters.” 

(ITS has a similar program called the ITS Cross-Training Opportunity Program.)

Tips that Resonate

When talking with people who are not immersed in cybersecurity, Bidlingmeyer recommends trying to “engage with people to understand where they're coming from based on their experiences and meet them where they are, which is not necessarily where we think they are.” For example, he finds that some instructors may not think they work with sensitive data because they’re thinking of social security numbers and not the FERPA-protected student information they work with regularly. 

As another example, when a person does not see their device as having anything important on it, he uses smart light bulbs as an example: “You know, threat actors can leverage the internet of things – devices like smart light bulbs. If your computer is connected to the network, it can be a vector of attack.” Finding a message or example that resonates is key to Bidlingmeyer’s approach.

When it comes to phishing emails, Bidlingmeyer is intentional about encouraging reporting. He and his team make a point to say, “Thanks for reporting this. We love that you're paying attention.” If the email is legitimate, they add, “This one happens to be legitimate, but if there's ever any worry, please reach out. We would love to see all sorts of false positives rather than something that actually is an issue go unreported.” Bidlingmeyer’s staff uses this approach to combat what he calls a cultural tendency among staff and faculty to feel they are bothering IT.

Helpful Tools and Resources

Bidlingmeyer values CrowdStrike Falcon as an endpoint detection and response (EDR) tool because it has a low rate of interference. He elaborates, “We need to do very minimal allow-listing of applications or programs. We have so many researchers doing so many unique things that if it didn't have a low rate of interference, the exception list would either have to grow ridiculously, or our researchers would be frustrated with us.”

ITS Information Assurance was engaged by Bidlingmeyer to develop a new resource this past summer – the Online Harassment & Abuse Mitigation Checklist. He collaborated with a team led by Sol Bermann, Executive Director of Information Assurance and Chief Information Security Officer, and Asmat Noori, Information Assurance Assistant Director, to create tools for Dr. Earl Lewis, Thomas C Holt Distinguished University Professor of History, Afroamerican and African Studies, and Public Policy; and Director/Founder of the Center for Social Solutions. Bidlingmeyer says the checklist will provide comfort and resources to people across the university as more and more people are affected: “Even if they're not getting harassed, they know their colleagues are, even if they're at other universities. We're giving them tools to both proactively and reactively approach those scenarios.”

As a go-to resource, Bidlingmeyer always appreciates the Safe Computing website, particularly the Sensitive Data Guide. He notes, “I love the examples because they really resonate with people. The information about where people can store their data is just as important.”

 

Education & Awareness

Call for Education & Engagement Working Group

University of Michigan photo of students studying around a table with laptops at the Ross Business School

One of the ways in which ITS Information Assurance (IA) works to protect the university and its community members is by developing and disseminating education and engagement materials. Over the years, we have released training courses, articles, posters, videos, and social media campaigns. We have hosted event series and developed innovative web resources, such as the Sensitive Data Guide and ViziBLUE.

We always strive to partner with the U-M security community to gather feedback and promote these materials. In 2024, we will convene an IA Education and Engagement working group to discuss new ideas for reaching our broad and diverse audience, as well as review IA resources and campaigns that are in the works.

Are you passionate about education? Do you have an eye for design? Do you have ideas for compelling ways to improve security and privacy awareness for U-M students, faculty, and staff? Express your interest in joining the working group by writing to [email protected].

 

Reminders & Events

Cybersecurity + Privacy Challenge Revamped for January

Cybersecurity + Privacy Challenge. Share what you know and win a prize.

For over 20 years, ITS Information Assurance (IA) has invited U-M students to test their awareness of IT security and privacy issues and best practices. This year, the Challenge will run from Monday, January 15, through Friday, February 2, 2024, and include even more privacy topics in recognition of Data Privacy Day (celebrated annually on January 28).

  • The new Cybersecurity + Privacy Challenge will be offered to U-M students on all campuses (including medical students). Those who score 90% or higher on the 10-question quiz will be entered into a drawing for prizes. 
  • New this year! The prizes will be ITS Tech Shop gift cards instead of specific tech merchandise. Students on all campuses will be able to choose the items they want or use the gift cards toward larger technology purchases.

ITS IA promotes IT security and privacy best practices and provides educational resources to help protect U-M community members and the university. Here’s how you can join us on this important mission:

  • Spread the word to students in your unit about the upcoming Challenge by using this promotion toolkit. It contains digital signs, banner images, a QR code, and a poster.
  • Look for information coming soon about Privacy@Michigan events, and access recordings of past speakers from security, privacy, and Dissonance events at ITS Information Assurance Events.
  • Visit the Safe Computing website for IT security and privacy tips.
 

Data Privacy Day is Coming!

Privacy@Michigan

Data Privacy Day is on January 28 and, every year, we celebrate it with a variety of university-wide Privacy@Michigan events in the months of January and February.

Celebrations of Data Privacy Day 2024 will feature:

More information about these events will be posted on our Privacy@Michigan event page in the coming weeks. In the meantime, visit the Privacy section of the Safe Computing website.

 

In the News

Fall 2023 Cybersecurity News Roundup

The definition of the word "authentic" on a tablet with glasses in the foreground. Authentic by Nick Youngson CC BY-SA 3.0 Alpha Stock Images

AI Helps Determine Word of the Year

It's impossible to look at tech news without seeing stories of the perils and promises of artificial intelligence. A lot of the conversation revolves around whether or not humans can detect AI-generated content. States like Michigan are grappling with the possibility of AI-generated political ads, and concerns continue to rise about AI being used to generate dangerous and illegal content. All this fear of fakes has provided the backdrop for Merriam-Webster’s word of the year, “authentic.”
Merriam-Webster’s word of the year – authentic – reflects growing concerns over AI’s ability to deceive and dehumanize.

Hacks of Large Businesses Highlight Ransomware Dangers

High-profile hacks of large business interests have shown that even big and powerful institutions, such as casinos and utilities, are vulnerable to cyber attacks. One of the biggest recent attacks left Wall Street scrambling and the world's biggest bank trying to trade by USB stick.
Ransomware attack on China’s biggest bank disrupts US Treasury market.


 

Tips to Share

Recent Phishing Scams Utilize or Imitate Legitimate U-M Services

Maize fish hook on white string with navy blue background

U-M students and employees have reported incidents of phishing that leverage legitimate services, such as Duo and Docusign, to lure them into providing a Duo passcode or accessing documents that link to fake login pages.

How it Works

Threat actors are increasingly using legitimate services for malicious activities, including obtaining login credentials, Duo passcodes, and other personal information.

Document Services: Threat actors send phishing emails from services used at U-M like DocuSign, Google, Office365, or Adobe Creative Cloud to lure you to a document with a link to a fake login page.

Duo: The Duo service is leveraged in two different ways to trick people into providing login information and/or Duo passcodes.

  • A threat actor uses a fake login page to capture a person’s login information. The fake login then leads to a fake Duo prompt, specifically asking for a passcode. If the person then enters a Duo passcode (or passcodes), the threat actor can use them, along with the stolen login information, to access accounts fraudulently.

  • An unexpected Duo push is sent to a person when they are not trying to log in. In this situation, a threat actor has used the person’s stolen login information to log in to the person’s account and is attempting to use Duo to complete the multi-factor authentication. If the person clicks “Approve,” the threat actor will be able to access the account. Pushes may occur repeatedly and persistently to pressure the person into approving, capitalizing on multi-factor authentication fatigue.

How to Protect Yourself