Spring 2018

Leadership Update

Vulnerability Management & Vendor Compliance Standards Published

You now have updated guidance and clearly defined responsibilities for your unit's vulnerability management and vendor security and compliance. Andrew Rosenberg, interim U-M vice president for information technology and Michigan Medicine chief information officer, recently approved these two new standards:

  • Third Party Vendor Security and Compliance (DS-20). When a vendor service is used with university data, that data is at risk unless the vendor meets security and compliance requirements set by the university. Many serious data breaches reported in the news of late have resulted from issues with third party vendor services.
  • Vulnerability Management (DS-21). Updating and patching your systems on a routine basis and in response to security alerts helps protect university systems and data from zero-day attacks like Heartbleed. Timely vulnerability remediation is also an important component of regulatory compliance.

New guidance on Safe Computing outlines your unit's responsibilities and describes how you can meet them to provide appropriate data protection:

  • Vulnerability Management. Information about regular and on-demand scans, vulnerability alerts from Information Assurance, and unit responsibilities for vulnerability remediation.
  • Third Party Vendor Security & Compliance. Information to help you select a vendor that meets compliance requirements, include IT security and privacy in your vendor contract, and manage ongoing vendor compliance. This is required if your unit uses a non-university product or service with university data.

See the IT Policies Under Review page for a list of the new standards in the final stage of the review process that will support the revised Information Security Policy (SPG 601.27).

 

Project & Capability Updates

U-M Developing GDPR Compliance Program


The General Data Protection Regulation (GDPR), which takes effect May 25, 2018, will affect organizations worldwide, including universities. It will take some time for organizations around the world to sort through, understand, and determine the implications of the GDPR requirements, as well as figure out how best to meet them.

The University Privacy Officer and the Office of General Counsel have convened a working group made up of representatives from across the university to begin developing a risk-based GDPR compliance program for U-M, including providing guidance and tools that can be used consistently across the university.

"We appreciate that many in the U-M community are aware of GDPR, and as the working group begins its efforts, we may be reaching out to various members of the community for input and support," said Sol Bermann, university privacy officer and interim chief information security officer.

Learn more at General Data Protection Regulation (GDPR) Compliance on the Safe Computing website.

 

Help for Erasing Devices Before Disposal


Before you get rid of any device you have used to work with, store, or access sensitive university data, you must make sure it is securely erased, or sanitized, in compliance with Electronic Data Disposal and Media Sanitization (DS-11). This keeps university data—and your personal information—from falling into the wrong hands.

  • University owned devices.
    • MiWorkspace. Sanitization and disposal of MiWorkspace devices is handled by MiWorkspace staff.
    • Michigan Medicine devices. Managed by Health Information Technology & Services (HITS). For questions about sanitization and disposal of devices, stop by any one of the Help Me Now locations or contact the HITS Service Desk at 734-936-8000.
    • Other university devices. Check with your department or unit. Unit IT staff members who do this work as part of their job can learn about use of the university's licensed software for media sanitization (KillDisk), as well as the for-fee device-erasing service provided by Property Disposition, at Erasing U-M-Owned Devices.
  • Personally owned devices. If you use your personally owned device to access or work with sensitive U-M data, you are expected to sanitize it before disposal in compliance with Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33). Free versions of KillDisk are available for your use on personal computers, and the Tech Shop offers a for-fee, device-erasing service. Most smartphones include a feature for wiping or erasing the device. Learn more at Erase Personal Devices Before Disposal.
 

Option to Get Password Reset Codes by Text Coming Soon


Later this spring, a new option for account recovery will be added to UMICH Account Management. Currently, if you forget your UMICH (Level-1) password, you can receive a password reset code by email (as long as you have provided a non-UMICH email address for that purpose).

Information and Technology Services (ITS) is working to give you the option to provide a phone number to use as an account recovery contact in case you forget your password. You could then receive a password reset code via text message. Watch for an announcement in the Michigan IT News when the new option is available.

Note that those at Michigan Medicine have an alternative self-serve option for resetting a forgotten UMICH (Level-1) password. They can log in to their Michigan Medicine Profile Page and select Security Settings (Michigan Medicine login required).

 

Units to Test Prompts to Set Account Recovery Info


If you forget your UMICH (Level-1) password and want to reset it yourself, you can do so only if you previously saved account recovery information at UMICH Account Management. That's because the university needs to know where to send you a password-reset code.

Most new students and employees now provide account recovery information as part of self-serve uniqname setup, but many of us never had that option.

In May, the College of Pharmacy and Information and Technology Services will pilot a new way for people to review and update account recovery information. When people in those two units log in via Weblogin, they will be prompted to provide an email address and/or mobile phone number to use in account recovery. They also will have an option to decline or be reminded later.

The Account Lifecycle Optimization project team within the Enterprise Identity & Access Management Program is considering prompting Weblogin users to provide or check their account recovery information once a year. The pilots will help them determine the feasibility of this and how to do it in a way that is not disruptive.

 

OpenID Connect Now Available with Shibboleth at U-M

Setting up single sign-on for a new service? The university's preferred solution, Shibboleth, has a new option that makes it work with additional services. Shibboleth at U-M can now be set up to use either of these two industry standard protocols:

  • Security Assertion Markup Language (SAML). For most services, SAML will be your best choice. Most services that use Shibboleth at U-M use Shibboleth with SAML.
  • OpenID Connect (OIDC). This new option for Shibboleth at U-M is being made available because there are some vendor services that require it specifically and that do not work with SAML.

For details about the differences between SAML and OIDC, as well as links to documentation, see Shibboleth Protocol Options.

 

Units Can Deploy Passwordstate Under U-M License

You can deploy Passwordstate in your unit under a U-M license that covers use by U-M faculty, staff, and students on all U-M campuses. Passwordstate allows teams of people to access and share sensitive password resources and is typically used for managing elevated and administrative passwords, as well as passwords for smaller proprietary systems, such as research databases.

Implementation requires, at a minimum, a Microsoft SQL Server instance, a server running Internet Information Services (IIS), and ongoing administration of those servers. Use of U-M's Passwordstate license is therefore intended for unit implementations; it is not available to individuals other than through their units.

U-M Passwordstate licensing details are in a U-M Box folder. For links to the Box folder and to support materials provided by the vendor, see Passwordstate Use at U-M.

Attention Michigan Medicine Units! Health Information Technology & Services (HITS) asks that Michigan Medicine units not implement Passwordstate. Please contact the HITS Service Desk at 734-936-8000 for information about appropriate password management for Michigan Medicine units.

 

New & Updated Info on Safe Computing for You


It's a challenge to keep up with changes and advancements in IT security, information assurance, and privacy, but Safe Computing tries. We continually update and add content to keep you informed. Check out these recent improvements, and check back often. There's always something new for you.

 

Reminders & Events

Internal Control Annual Certification Question for 2018


It is time, once again, for Security Unit Liaisons (SULs) to contribute to the Internal Control Annual Certification Process by certifying that their unit is compliant, partially compliant, or non-compliant with a particular information assurance practice or process. This year's certification question is about compliance with Electronic Data Disposal and Media Sanitization (DS-11). The certification form will be sent to deans, directors, and vice presidents in early September. SULs should work with their unit's key administrative officer to ensure that their unit is prepared to answer the information assurance question.

FY18 Question: My unit has:

Responses to FY18 Question: All units should be able to reply "yes" or "partial" to the FY18 question. See Guidance for the FY18 Internal Control Annual Certification Process to submit or review questions about responding to the FY18 Internal Control certification question.

 

Check the Safe Computing Events Page

Looking for an opportunity to learn about IT security and privacy at U-M? Check Safe Computing: Events for upcoming Dissonance Series events and more. There's also a link to an events calendar that lists events at U-M, elsewhere, and online. Recordings of previous Dissonance and SUMIT presentations are available.

 

In the News

Ransomware Targeting Hospitals and Universities

The Ransomware That Hobbled Atlanta Will Strike Again
Wired, 3/30/18

The kind of ransomware attack that disrupted government departments in Atlanta remains a serious threat. Unlike ransomware attacks that rely on phishing or malware to infiltrate systems, attacks using the SamSam strain of ransomware often begin by exploiting vulnerabilities or guessing weak passwords.

They tend to target hospitals, local governments, and universities—organizations that cannot have extended system downtime. Adhering to security best practices, particularly good vulnerability and password management, offers real protection against ransomware like SamSam.

 

Facebook Says It Will Consolidate Privacy Settings

Facebook Introduces Central Page for Privacy and Security Settings
The New York Times, 3/28/18

In response to heightened privacy concerns after reports of the Cambridge Analytica scandal, Facebook has announced it will consolidate security and privacy user settings in one place from the roughly 20 sections across which they are now spread. It will also clarify which apps are in use and what permissions those apps have.

It is important to choose appropriate settings for social media. See Safe Computing: Social Media Privacy for tips you can share with others. Also see this U-M Social blog post: What Is a World Without Facebook?

 

Halderman Demonstrates How to Hack an Election

I Hacked an Election. So Can the Russians (video, 4:23)
The New York Times, 4/5/18

Watch J. Alex Halderman, a U-M professor of computer science and engineering, hack an election at U-M so that a group of U-M students appear to choose Ohio State when asked to vote for their preferred university. The hack relies on emailing a virus to those who program electronic election machines—a reminder of how important it is to learn to recognize phishing and suspicious email.

For more about Halderman's work, see the live tweets (Twitter Moment) from the April 4, 2018, Dissonance event: Elections in the Digital Age—Security, Policy, and the Law.

 

Third Party Vendor Data Breach Hits Sears and Delta Customers

What to Know About the Latest Data Breach Hitting Sears and Delta Customers
Fortune, 4/5/18

The credit card information of some Sears and Delta Air Lines customers may have been exposed through a data breach at a contractor used by both companies. The breach happened last fall. Information Assurance urges you to become familiar with the materials at Third Party Vendor Security & Compliance. If your unit contracts with third party vendors, it is important to take steps to protect any university data that could be placed at risk.

 

Tips to Share

MS Office Doc Dangers: Macros & Enabled Content Pose Risks

[Image: Portion of a phishing email with a fraudulent instruction to enable macros.]

Macros are small bits of programming used in Microsoft Office docs to automate tasks. Unfortunately, they can also spread viruses and malware, and anti-virus programs cannot always catch them. Infected Office docs are typically spread through email attachments or download links, or even through cloud services like Office 365.

What You Can Do

  • Check with the sender or document owner before opening any unexpected email attachments or shared docs.
  • Look at the URL/address. Hover over links in emails with your mouse to reveal the actual URL or web address. If it is not a familiar address or a service U-M uses for document sharing, don't click.
  • Preview the doc in U-M Google Drive. Google will not run Microsoft macros, making it a reasonably safe way to save and preview Office docs if you are not sure what is in them.

What Not to Do

  • Do not enable macros or content. Check with the document owner/sender and ask them if macros need to be enabled and why.
  • Do not open or download a document from an unfamiliar sender. Look at the "from" and "reply to" lines, and do not open or download if you do not recognize the sender and expect a document from them.
  • Do not open or download a document shared or stored on an unfamiliar system or service.

See Phishing & Suspicious Email for more about avoiding online dangers.
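The tips above rely on a person noticing that a document wants to "enable content." Unit IT staff can also check for embedded macros before a document reaches a user, because a macro-enabled Office Open XML file (.docm, .xlsm, .pptm) is a zip package that carries a vbaProject.bin part and declares the application/vnd.ms-office.vbaProject content type. The following Python script is an added example written for this newsletter, not a U-M or Microsoft tool. It inspects file bytes rather than trusting the extension (a renamed .docm still contains the VBA part), and it deliberately reports the legacy OLE2 binary formats (.doc, .xls, .ppt) as "unknown" because their macros live in OLE streams that this script does not parse. The sample documents it builds are constructed in memory and are not real files.

```python
import io
import zipfile

# Content type Office assigns to the VBA project part in macro-enabled OOXML files.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Part names that hold VBA code or its metadata inside an OOXML package.
VBA_PART_NAMES = {"vbaproject.bin", "vbadata.xml"}
# Legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound files with this header.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def inspect_office_bytes(data: bytes) -> dict:
    """Return what the file contents alone reveal about embedded macros.

    The extension is never consulted: a macro-enabled file renamed to .docx
    still contains the vbaProject.bin part and the VBA content-type override.
    """
    result = {"format": "unknown", "vba_parts": [], "declares_vba_type": False}
    if data.startswith(OLE2_MAGIC):
        # Legacy format: VBA sits in OLE streams; without an OLE parser we can
        # only say it *may* carry macros, so the verdict stays "unknown".
        result["format"] = "ole2"
        return result
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = package.namelist()
    if "[Content_Types].xml" not in names:
        return result  # a zip archive, but not an Office Open XML package
    result["format"] = "ooxml"
    # Evidence 1: a VBA part exists anywhere in the package (word/, xl/, ppt/).
    result["vba_parts"] = [
        n for n in names if n.rsplit("/", 1)[-1].lower() in VBA_PART_NAMES
    ]
    # Evidence 2: the package declares the VBA content type for some part.
    content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declares_vba_type"] = VBA_CONTENT_TYPE in content_types
    return result


def macro_verdict(data: bytes) -> str:
    """'macros', 'no-macros', or 'unknown'. Treat 'unknown' like 'macros':
    do not enable content until the sender confirms why it is needed."""
    info = inspect_office_bytes(data)
    if info["format"] != "ooxml":
        return "unknown"
    return "macros" if (info["vba_parts"] or info["declares_vba_type"]) else "no-macros"


def _build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package used as sample input (not a real document)."""
    ctypes = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_vba:
        ctypes.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    ctypes.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "\n".join(ctypes))
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # A real vbaProject.bin is itself an OLE2 container; a header stands in here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


# Constructed samples: a macro-enabled package, a clean package, a legacy .doc header.
SAMPLE_MACRO_DOC = _build_sample(True)
SAMPLE_CLEAN_DOC = _build_sample(False)
SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in [("macro-enabled", SAMPLE_MACRO_DOC),
                        ("clean", SAMPLE_CLEAN_DOC),
                        ("legacy .doc", SAMPLE_LEGACY_DOC)]:
        print(f"{label:14s} -> {macro_verdict(blob)}")
```

Because the check keys on package contents, it also catches macro-enabled workbooks and presentations (xl/vbaProject.bin, ppt/vbaProject.bin), not only Word documents. A "no-macros" verdict is about VBA only; it says nothing about other risks such as external links or embedded objects, so it complements the sender-verification tips rather than replacing them.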

 

Help Your Colleagues Spot Phishing


Account compromises and data breaches often start with phishing email scams that try to trick you into giving up your personal information and/or passwords. Information Assurance encourages you to share this information with your colleagues to help them learn how to identify phishing.

  1. Spot It. Take a few minutes to learn how to recognize phishing:
  2. Report It. If a phish contains a U-M email address, U-M logos, or branding elements; is addressed to students, faculty, and/or staff; or targets our U-M community, please report it. Forward the entire message to [email protected].