Winter 2020

Leadership Update

Welcome to New IA Staff

Svetla Sytch and Adam Flickema

Welcome to new ITS Information Assurance (IA) staff members Svetla Sytch and Adam Flickema!

Sytch is IA's assistant director of privacy and IT policy. Building on foundational work, she will help develop strategies and lead operational efforts that will weave privacy, policy, and data governance into the fabric and framework of the way the university engages in data-informed teaching, research, and administrative efforts.

Sytch comes to IA from the ITS Project Management Office, where she coordinated all facets of the design and rollout of the university’s General Data Protection Regulation (GDPR) program. Before joining U-M, she held leadership roles at several international corporations, including Kellogg Company, W.W. Grainger, and Alberto-Culver (now Unilever).

Flickema is an incident responder and threat analyst working with the IA Incident Response Team and Security Operations Center. He is a former ITS intern and IA student staff member. After graduating from Eastern Michigan University, he held IT security positions at Domino's Pizza and Plante Moran before returning to IA.

 

Safe Computing Is Best of the Web!

Safe Computing took the top spot as winner of the Multi-State Information Sharing and Analysis Center (MS-ISAC) Best of the Web Contest for 2019 in the "Education" category.

According to MS-ISAC, "The goal of this contest is to recognize commendable sites and highlight them as best practices for others to consider when developing or redesigning their own sites."

Thanks to Matt Ranville, Matt Martin, and Janet Eaton of ITS Information Assurance (IA) for their ongoing work on the site, to the ITS Digital User Experience team for their site architecture and design support, and to all the subject matter experts in ITS Information Assurance for their many contributions.

Check out the new MS-ISAC winner icon now at the bottom of every Safe Computing page!

 

Project & Capability Updates

Duo@Weblogin Now Required of Students

The university began requiring Duo two-factor authentication at Weblogin of all U-M students on January 29. The widespread adoption of Duo across all U-M campuses greatly improves the security of university information and reduces risks to university systems.

Thanks to thoughtful planning and enthusiastic outreach activities, only 3.8% of students across all campuses hadn't yet enrolled in Duo by January 28. Sol Bermann, chief information security officer, said, “This shows extraordinary collaboration across the university—especially by our Michigan IT colleagues.”

The ITS project team engaged student organizations and collaborated with university groups that work closely with students. This helped identify the best approaches to engage students and encourage them to use Duo before the deadline.

 

Self-Phishing Working Group Gathering Requirements

A self-phishing working group began meeting in January to explore purchase of a simulated phishing product for unit use. After seeing a demonstration of the product currently in use at Michigan Medicine, the group is now working to gather requirements before considering developing a Request for Proposals (RFP).

The group is made up of volunteers from the IT Security Community, including representatives from UM-Flint; UM-Dearborn; the Office of University Development (OUD); the School of Music, Theatre, and Dance; the School of Public Health; the School of Dentistry; the Inter-University Consortium for Political and Social Research (ICPSR); the College of Literature, Science, and the Arts (LSA); and Information and Technology Services (ITS).

 

IA Providing IT Security Support for Presidential Debate at U-M

ITS Information Assurance (IA) will have an important role to play in supporting the Oct. 15 presidential debate to be held at U-M. ITS has been tasked with providing the technology infrastructure that will be required to pull off a successful event, and IA will provide IT security support.

According to Dennis Neil, IT security design and engineering manager, IA is planning a number of steps in the months ahead to prepare for the debate and better secure the U-M IT environment.

In addition, Sol Bermann, executive director of IA and chief information security officer, will coordinate with members of the Department of Homeland Security, the FBI, the United States Secret Service, and other local, state, and federal agencies as needed on IT security matters related to hosting the debate.

 

Shared Responsibility & Unit Support

Data Protection Course for Use in Your Unit

Many of you have asked for a university-focused basic data protection course that you can use in your unit to help meet the requirements in Information Assurance Awareness, Training, and Education (DS-16).

You now have one: DCE101 U-M Data Protection and Responsible Use (in My LINC). The completely new course provides practical guidance and best practices. It replaces what used to be called "DCE101: Access and Compliance: Handling Sensitive Institutional Data at U-M."

The course covers phishing and other scams, device security, privacy, and compliance with sensitive data policies, laws, and regulations. You can invite those in your unit to take the course or arrange to have it assigned to them.

  • Invite participation. Send email to people in your unit encouraging them to take the course and providing them with the link (DCE101 U-M Data Protection and Responsible Use).
  • Have it assigned. You can request that My LINC assign the course to individuals in your unit based on Human Resources values such as Department Org Group and Jobcode. Email [email protected] for more information and to get started with this option.
 

2020 Internal Control Certification Question Coming in August

As in prior years, the official Internal Control certification request will be distributed to the key administrators of the 46 certifying units across U‑M at the end of August, with signed copies due by the end of September. ITS Information Assurance works with the Office of Internal Controls to help ensure that units are ready to respond affirmatively to the information assurance question.

Fiscal Year (FY) 2020 Question: Does your unit engage in information assurance awareness, training, and education activities?

Responses to FY20 Question:

  • Yes. My unit engages in multiple information assurance awareness, training, and education activities throughout the year.
  • Partial. My unit occasionally engages in information assurance awareness, training, and education activities.
  • No. My unit does not engage in information assurance awareness, training, and education activities.

All units should be able to reply yes or partial to the FY20 question. Security Unit Liaisons (SULs) and unit IT staff can use the guidance on Safe Computing to support their unit’s response.

 

Vendor Compliance Standard to Be Updated with Your Input

Based on feedback from a number of units at the Standards Working Sessions held last year and in follow-up conversations, ITS Information Assurance formed a working group to review Third Party Vendor Security and Compliance (DS-20). The group had representatives from the College of Literature, Science, and the Arts; the College of Engineering; Procurement; the School of Information; the School of Education; and the School of Social Work.

The group recommended ways to allow greater flexibility when contracting with third party vendors that would store or process sensitive university data classified as Moderate and Low. The recommendations are currently in the queue for approval by the chief information security officer and the vice president for information technology. Stay tuned!

 

Securely Self-Manage UM-Owned Devices

U-M faculty and staff are strongly encouraged to use computers and devices that are managed by a central U-M IT service provider. In some circumstances, however, they may need to self-manage a UM-owned device. For example, researchers may need to self-manage devices purchased with research grant funds to meet very specific research needs.

Those who self-manage UM-owned devices have the responsibility to work with their unit IT staff, and other IT staff and service providers as needed, in order to:

  • Limit unauthorized access to the device.
  • Limit unauthorized access to any U-M data on that device.
  • Make sure the device stays in compliance with all U-M IT security policies and standards.

The Safe Computing website now has guidance to help you understand your responsibilities when managing a U-M device: Self-Managing a U-M Computer or Device.

 

Request Sensitive Data Discovery for Your Unit

You can request that ITS Information Assurance (IA) check your unit's computers and storage twice a year (or more often if needed)—in May and November—to help ensure that sensitive and regulated data is not being stored unnecessarily. The Sensitive Data Discovery service, provided automatically to MiWorkspace units, is available to all U-M units on request.

IA uses a software tool to check for two types of sensitive data: Social Security numbers (SSNs) and credit card numbers. The tool looks for numeric patterns formatted like Social Security and credit card numbers and produces a report listing potentially sensitive files and their locations. The tool can check for additional patterns if desired. For example, if researchers in your unit want to check for numbers that could potentially be medical record numbers or some other type of number, you can request that.

The tool is designed to respect privacy. It does not review or examine content; it simply looks for numeric pattern matches.
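
The pattern matching described above can be sketched as follows. This is an added example, not the tool IA uses and not code from this newsletter. The Luhn checksum and the filter for SSN ranges that are never issued are assumptions added here to reduce false positives, and the `MRN-` format is a hypothetical stand-in for an additional requested pattern.

```python
import re
from pathlib import Path

# SSN-formatted: 3-2-4 digits separated by hyphens or spaces.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
# Card-formatted: 13 to 19 digits, optionally grouped with spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def ssn_plausible(area, group, serial):
    """Drop values in ranges the SSA never issues (fewer false positives)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum, which real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text, extra_patterns=None):
    """Return [(line_number, kind)]; matched values are never kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(ssn_plausible(*m.groups()) for m in SSN_RE.finditer(line)):
            findings.append((lineno, "ssn"))
        if any(luhn_ok(re.sub(r"\D", "", m.group()))
               for m in CARD_RE.finditer(line)):
            findings.append((lineno, "card"))
        for kind, pattern in (extra_patterns or {}).items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings

def scan_tree(root, extra_patterns=None):
    """Walk a directory and report files with potential matches."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue            # unreadable file: skip, do not abort the scan
        hits = scan_text(text, extra_patterns)
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample input; none of these are real identifiers.
SAMPLE = """Order ref 1234567890123456 shipped
Test card 4111 1111 1111 1111 on file
Employee SSN 123-45-6789
Ext 000-12-3456, badge 987-65-4321
Chart MRN-00412345 reviewed
"""
# Hypothetical extra pattern for a made-up medical record number format.
MRN = {"mrn": re.compile(r"\bMRN-\d{8}\b")}
```

The report holds only file paths, line numbers, and the kind of match, so the matched values themselves are not copied into a second location.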

Contact the ITS Service Center to request Sensitive Data Discovery for your non-MiWorkspace unit.

 

Reminders & Events

Privacy@Michigan Speakers Call for More Privacy Protection

Kathleen Kingsbury speaking

Faculty, staff, and students gathered for a half-day of privacy-related speakers and panels at Privacy@Michigan January 28 at the Rackham Building on the UM-Ann Arbor campus. Privacy@Michigan is an annual event hosted by ITS Information Assurance and the U-M School of Information in recognition of Data Privacy Day. If you missed it, you can watch the recordings at Privacy@Michigan 2020 and see the Privacy@Michigan Twitter Moment.

The keynote was provided by Kathleen Kingsbury, editor of The New York Times Privacy Project, who spoke on a wide range of privacy issues. "The U.N. recognizes privacy as a human right," said Kingsbury, but noted, "There is no explicit right to privacy in the constitution."

She contrasted the "robust legacy methods around privacy," such as laws that make it illegal to open U.S. Mail addressed to someone else, with the lack of regulation around digital information. "Laws being introduced today are at least five years behind the technology," said Kingsbury.

She also called for new rules and regulations around data use and collection. "Congress needs to make opting out of data collection a meaningful choice," Kingsbury said. "Americans deserve the right to choose a life without surveillance."

U-M faculty who participated in two multidisciplinary panel discussions echoed that call.

"Traditional norms are outdated," said H.V. Jagadish, a professor in the College of Engineering and director of the Michigan Institute for Data Science. He said that traditional data de-identification no longer works. While you cannot be identified from a single record, you can be identified from multiple de-identified records if there is enough correlating data.

"We need to get away from the practice of 'as long as consent is clear, anything goes with the use of the data,'" said Florian Schaub, an assistant professor in the School of Information and the College of Engineering. "We need strong enforcement to ensure consumer protections in this country."

Jenny Radesky, MD, assistant professor of pediatrics at the U-M Medical School, called for more regulation around data collected from children. "In our research into apps targeted at kids, we noticed that many of them required permissions that weren’t needed for the app to run," she noted. "A lot of data transmissions were sharing persistent identifiers with third-party domains."

Attendees got answers to their privacy questions from students at a privacy clinic and viewed posters showcasing privacy research at U-M. They were invited to share their thoughts about privacy in six words as part of the U-M Privacy Card Project. Take a look at what they said and add your own thoughts.

 

Attend "What Does Big Tech Owe Us?" March 18

What Does Big Tech Owe Us? Recode's Kara Swisher interviews former Facebook executive Alex Stamos

Wallace House presents Recode's Kara Swisher interviewing Alex Stamos live on stage at U-M's Hill Auditorium in Ann Arbor, March 18, at 6:30 p.m. What Does Big Tech Owe Us? is free and open to the public. It is co-sponsored by ITS, the Dissonance Event Series, and others.

  • Kara Swisher is co-founder and executive editor of Recode and host of the weekly interview podcast, “Recode Decode.” She is a regular contributor to The New York Times opinion pages and a Livingston Awards national judge.
  • Alex Stamos is the former chief security officer at Facebook. He is now director of the Stanford Cyber Policy Center’s Internet Observatory at Stanford University.

Huge tech companies have changed the way we live. Google, Amazon, Facebook, and Apple have built unprecedented reach into our pocketbooks, privacy, individual liberties, and beyond, changing the very fabric of our democracy. Join us for an examination of what we are giving away in exchange for speed and convenience.

 

March 24 Event to Focus on "Online Harassment and the Threat to Democracy"

Elodie Vialle, Rana Ayyub, Jason Reich and Roya Ensafi

Wallace House presents Online Harassment and the Threat to Democracy March 24 at 4:30 p.m. in the Rackham Amphitheatre on the fourth floor of the Rackham Building on the UM-Ann Arbor campus.

The event will be a conversation between Rana Ayyub, a prominent and multi-awarded investigative journalist based in Mumbai, India; Elodie Vialle, a Knight-Wallace Fellow working on countering online harassment of journalists; and Jason Reich, vice president of corporate security for The New York Times Company. The discussion will be moderated by Roya Ensafi, founder of Censored Planet and U-M assistant professor of Computer Science and Engineering.

Online trolls are targeting journalists with such frequency and intensity that 90% of reporters say online harassment has become their biggest safety concern, according to a study by the Committee to Protect Journalists. The threats toward female journalists are particularly vicious and dangerous. What can be done to track and counter the hate?

 

March 31 Event to Examine the Power of Surveillance Capitalism

Shoshana Zuboff

Shoshana Zuboff, a professor emerita at the Harvard Business School, will present "The Age of Surveillance Capitalism" on March 31, 7:00–9:00 p.m. in Rackham Auditorium on the UM-Ann Arbor campus. Zuboff is the author of The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power.

The event is sponsored by the U-M Digital Studies Institute, Information and Technology Services, and the Dissonance Event Series. For event details, see Digital Studies Institute presents: Shoshana Zuboff, "The Age of Surveillance Capitalism."

 

New and Updated Info on Safe Computing for You

New and recently updated pages on Safe Computing include:

 

In the News

Election Security a Critical Concern for 2020

Voters Fail Mock Election, Exposing Vulnerability to Hackers
Bloomberg, 1/8/20

Election security remains a concern in the run-up to the 2020 election, but even if safeguards are put in place, Alex Halderman, a professor of computer science and engineering at the U-M College of Engineering, warns that voters will need to be vigilant.

Learn more about election security and other issues at the intersection of technology and society by following the Dissonance Event Series and Dissonance News and Papers on Safe Computing.

 

Database of Public Images Raises Privacy Concerns

This man says he's stockpiling billions of our photos
CNN Business, 2/10/20

YouTube: Face recognition firm must stop harvesting videos
AP News, 2/5/20

The Clearview AI company "claims to have scraped more than 3 billion photos from the internet, including from popular social media platforms like Facebook, Instagram, Twitter and YouTube. Not only that, but Clearview retains those photos in its database even after users delete them from the platforms or make their accounts private."

According to CNN, "Downloading and storing pictures this way is against most of the major social media platforms' policies."

According to AP News, Facebook, YouTube, Twitter, and Venmo have all demanded that Clearview AI stop harvesting user images from their services to identify the people in them. Clearview AI says it is only using public information.

These revelations are a vivid reminder to be aware of what you post—and what is posted about you—on social media and other public sites. Check out these Safe Computing resources for privacy tips:

 

Tips to Share

Protect Yourself Against Tax Fraud

Beware! It's that time of the year again! As you read this, criminals, fraudsters, and identity thieves could be working to file fraudulent tax returns in your name and steal your tax refund. ITS Information Assurance offers the following tips to help you protect yourself from identity theft and tax fraud:

  • File your taxes as soon as possible to reduce the likelihood of criminals filing under your name.
  • Beware of phishing emails and phone scams. The IRS does not initiate contact with taxpayers by email, text messages, or social media channels, nor do they call to demand immediate payment. And they never demand payment via gift card.
  • Be suspicious of ads for tax filing services that promise you large or expedited tax refunds. These are often scams to steal your personal information.

Check out Beware of Tax Fraud—where there is more detail and links to helpful information from the IRS—and share the info with your colleagues, family, and friends.

 

Got a New Smartphone? How to Reactivate Duo

When you get a new smartphone, you need to reactivate the Duo Mobile app before you can get push notifications or generate passcodes. To do that, you'll need a computer.

Follow these steps to reactivate the Duo app:

  1. From your computer:
    1. Log in to any U-M service on the web through U-M Weblogin.
    2. When you get to the Duo prompt, click the My Settings & Devices link on the left side of the Duo pop-up window.
    3. Choose the Call Me option. Duo will then phone you to complete the authentication.
  2. From your smartphone: Answer the phone call. You will be prompted to press 1 to approve the login.
  3. From your computer:
    1. Click Device Options.
    2. Click Reactivate Duo Mobile for your new phone, and follow the Duo prompts. You will then see a QR code on your computer screen.
  4. From your smartphone: Open the Duo Mobile app on your phone and use it to scan the QR code on your computer screen.

For the detailed steps including screenshots, see Change Your Duo Options and Settings.