Fall 2021

Leadership Update

ITS Reorganization Brings New Staff to IA

ITS recently announced organizational changes that better align services and capabilities, and strengthen existing collaborations. For Information Assurance, these organizational changes mean several additional staff members joined IA, bringing expertise and augmenting IA capabilities.

On October 1, the IAM Systems and Middleware teams joined IA, along with several other staff members from ITS Infrastructure who are responsible for security logging, PCI compliance, and Disaster Recovery planning. Bringing these staff members onto teams where collaboration was already taking place creates even more opportunities to improve both the design and the operation of IA products and capabilities.

IA welcomes the following team members: Brian Awood, Michael Bennett, Jeremy Fisher, Angel Fletcher, Stephanie Henyard, Swetha Nettem, Jalpa Patel, Vasilios Pliakis, Brian Rahn, Louis Serianni, and Bruce Timberlake.

 

Project & Capability Updates

IA Capabilities at No Cost to Units


ITS Information Assurance offers Web Application Security Scanning and Sensitive Data Discovery for free to all units. Web Application Security Scanning is provided to help U-M units identify and resolve vulnerabilities in their web applications with an automated web app scanner that tests for common vulnerabilities such as SQL injection and cross-site scripting. IA then provides the requester with a report detailing concerns discovered through the scan and guidance on resolving potential vulnerabilities.

Sensitive Data Discovery scans are intended to find files with unintentionally stored sensitive information such as HR benefits information, student loans, and credit card information across several technologies, including File Shares, Windows and Mac workstations, Databases, and OneDrive cloud storage. These scans have led to the discovery and removal of over 25 million unnecessarily stored records, significantly reducing exposure of sensitive data for U-M.

When units engage with IA for sensitive data scanning, the Security Unit Liaison (SUL) receives a report after each scan; scans can be run on demand or semi-annually.

  • Semi-annual scan reports are delivered via the sensitive data portal, and on-demand scan reports are emailed.
  • The reports provide identifiable information for each risk detected by the scan, which the SUL can then follow up on to validate whether the sensitive information actually needs to be stored.
  • The Sensitive Data Discovery Portal provides these scan reports so that units can view and classify each detection, track the progress of eliminating risks, and see a dashboard of important metrics and unit progress.

Web Application Security Scanning, Sensitive Data Discovery, and the Sensitive Data Discovery portal are free services available to all units. Request a web applications scan using the ITS Web Application Security Scanning Request Form and submit a Help Request ticket to sign your unit up for sensitive data scanning.

ITS-IA also performs IT Security Risk Analysis (RECON) and, free of charge, trains unit staff members to perform some RECON themselves for unit systems that create, process, store, or transmit data classified as Moderate or Low. These capabilities, IA general consulting, our Awareness, Training, & Education offerings, and more are also free to units.

 

MCommunity Transformation Project

MCommunity is being transformed! Released over ten years ago, the current applications lack some of the functionality that the university desires. We’ve heard your requests and we are adding improvements to better meet your needs and promote better security for MCommunity users.

The MCommunity Transformation project includes new group features with more granular privacy controls, better management for MCommunity profiles, and advanced search capabilities. New features will let users add pronouns and a profile picture to their profile, integrate with NameCoach (which assists with phonetically pronouncing names), display a QR code for their contact information, and manage their Also Known As (AKA) names.

Be on the lookout for project updates and a release date sometime in spring 2022!

 

Grouper at U-M


MCommunity groups are frequently used to control who gets access to U-M resources. However, MCommunity groups lack many features that could streamline access management in some situations. To address this, IAM is currently working to implement a new service for IT Administrators using a product called Grouper that was designed to simplify and streamline access management.

Grouper at U-M, a group management tool that will be offered by U-M in the coming months, enables automatic maintenance of groups based on institutional data and automatic syncing of groups to other systems such as Active Directory. In addition, Grouper at U-M will give users a more straightforward way to see the purpose of each of their groups and the exact reason each person is a member of those groups. Grouper at U-M also improves overall security: membership does not depend on manual updates, so users are granted the appropriate access at the right time and lose it when they no longer qualify.

IAM is currently using Grouper at U-M to manage who gets access to the Adobe CreativeCampus products and the Virtual Sites tool and is working through plans of a pilot of Grouper for managing unit-specific groups within LSA. IAM will host a panel discussion at the Michigan IT Symposium, including pilot participants, for discussion around the management of groups in Grouper. Stay tuned for more information on this Michigan IT Symposium session and the wide release of Grouper at U-M.

 

Shared Responsibility & Unit Support

International Student Scams - Be Aware!


International students face the possibility of being targeted by scammers in ways that American students may never need to consider. We’ve heard concern from some of our Security Unit Liaisons (SULs) wondering how they can best help prepare and assist the international community in their units. Education and awareness are vital to protecting everyone in the U-M community. Share the information below with those in your unit to ensure they have the knowledge to protect themselves.

Cyber attacks on international students often come in the form of phone calls or emails that appear to be from U.S. government agencies such as U.S. Citizenship and Immigration Services (USCIS), U.S. law enforcement agencies such as the FBI, or their home country’s consulate or embassy. These communications may claim an urgent need to pay a fine to avoid some repercussion, or ask students to provide immigration information to avoid deportation.

What to know:

  • Students should beware of messages that express urgency. If the message insists that something be done immediately to avoid serious repercussions, it is likely a scam. Instead, they should use Google to find the number of the agency in question and call the official number to inquire about the issue and confirm its authenticity. Or, contact the International Center or U-M Police Department, which can also verify the credibility of a message.
  • Ensure students understand that government agencies will never ask for credit/debit card information, wire transfers, or bank routing numbers over the phone or through email for any purpose. They will also never threaten to have the FBI arrest students if they do not comply immediately with their demands for payment.
  • Everyone should be aware that no one in any official capacity will ask students to pay a fine with a gift card, including an iTunes gift card.
  • Students should know that if an unknown call is threatening or is uncomfortable at all, the call should be ended immediately. Remind them that there is always time to confirm a genuine inquiry from any official representative or speak to someone else within the agency.

Other scams that have been explicitly aimed at international students include phone calls claiming that an internationally mailed package has been intercepted and a fine must be paid to receive it, and apartment rental scams in which someone takes payment for an apartment they do not own. If calls like this are received, the student should immediately contact the International Center or the U-M Police Department (734-763-1131). Students can also ask Student Legal Services for assistance or consult residence hall staff if they live in university housing.

Refer to the following for more detailed information and resources:

 

Profile of an SUL


A truth that ITS-IA champions consistently is that information assurance is a shared responsibility: every member of the U-M community has a part to play in supporting IT security, privacy, identity and access, and IT policy and compliance efforts for data security. Part of this responsibility is for each unit, school, and college to designate a member of their staff as a Security Unit Liaison (SUL). Together, ITS-IA and SULs work to support unit missions while promoting security awareness and education, monitoring and auditing information security policy implementations, establishing regular reviews of unit-level security procedures, and much more. Because this partnership between ITS-IA and SULs is fundamental to the ongoing success of information security at U-M, we interviewed one of our SULs to better understand how data security and awareness are working in the unit from their perspective.

We asked Nikki Nabozny, Data Security Analyst for LSA, and a member of the Security Unit Liaison program, to answer three questions to help us better understand her experience in LSA.

What do you see in your units regarding measures staff take to protect themselves and their data?

I think our units do a great job in being aware of the shared responsibility model of security at the University. Our device patching compliance rate is high, and we frequently receive tickets from faculty and staff reporting phishing and other suspicious emails. LSA Technology Services desktop support groups have fostered great working relationships with their regional units, and are the first line of defense for members of the LSA community needing security consulting and education assistance, especially when it comes to advising on where sensitive data can and cannot be stored.

What are some of your security concerns at LSA or U-M?

Zero-days! It feels like a new increasingly dire zero-day vulnerability is in the news almost daily, and higher education institutions are increasingly the target of groups looking to exploit zero-day vulnerabilities, with 44% of organizations hit by ransomware in 2020. Keeping systems up to date is one of the best ways to protect ourselves, but we have known vulnerable systems in our environment, and likely have unknown vulnerable systems connected to the network, like IoT devices, that we have not (yet) discovered too. It takes time for us to determine how much of an impact any vulnerability has on us and the university, and that process can involve multiple groups, and cross-unit or cross-university collaboration. Even a published fix from a vendor has to be carefully considered before being deployed. The recent Print Nightmare vulnerability is a great example of this—the first “fix” issued from Microsoft broke the ability to print entirely. It is a complicated situation bringing together multiple security disciplines like education and awareness, vulnerability management, network security, and disaster recovery planning. We hope to remain in that 56% of unaffected institutions as long as possible!

What are you doing within your unit to spread awareness?

LSA Security tries to include topical security news, tips, and/or alerts into as many of the LSA communication channels as possible to keep staff and our units up to date. This includes quarterly technology service newsletters, weekly administrative update emails, all-staff meetings, digital signage, and Twitter. We like to share training and educational materials from Safe Computing, too!

We’re also in the process of refreshing LSA’s official security policy, which aligns to SPG 601.27, the primary U-M security policy. Releasing an updated core policy with sub-policies in coordination with key security activities, such as releasing information about how we manage vulnerability management through patching or replacing aging and outdated hardware when we launch an initiative to upgrade or replace outdated Mac devices, helps tie security education and awareness to tangible projects for our community versus just being policies on paper.

 

IA Profile

Ross Geerlings - Creator of Seeker

What's hiding in your datacenter? Seeker seekerdlp.com

Several years ago, Ross Geerlings, an ITS IA Product Manager for Pen Testing, Vulnerability Management and Sensitive Data Discovery, created Seeker as a way around a budget problem. IA recognized the need for a tool that could scan machines, file shares, web servers and database servers for sensitive information records. However, the search for this tool quickly showed that commercial products were much too expensive at the scale of all of U-M, and free solutions were inadequate and unreliable. By 2016, Ross had developed the Seeker application, which scans for patterns such as Social Security Numbers (SSNs) and credit card numbers, and found it to provide greater detection of sensitive data records and lower false-positive rates than even the most expensive tools on the market.

Seeker scans Windows machines, file shares, web servers, and database servers, and connects to the Sensitive Data Discovery Portal where units can take action on their scan reports. U-M staff can also request that Seeker scan for additional patterns that may be helpful to their unit; for example, researchers can request a scan to check for numbers that could potentially be medical record numbers. To request a scan, the unit gives IA a target and credentials for the resources, and IA provides either a one-time scan or semi-annual scans. Seeker licenses for ad-hoc scanning are also available for free on request. Ross says that one of the ways Seeker is unique is that the software offers three ways to quickly scan a large number of targets. “Using this approach increases legitimate matches and decreases false positives. Welcome to a new era in sensitive data discovery!” Seeker has been incredibly successful at U-M and has been used at other universities, hospitals, and private businesses since 2018.
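The profile above describes pattern-based discovery of SSNs and credit card numbers with a low false-positive rate. The following is an added illustration written for this newsletter, not Seeker’s code or any U-M tool: it scans a constructed text sample for SSN- and card-shaped numbers, then discards candidates that fail structural checks (the Luhn checksum for card numbers; SSA issuance rules for SSNs, which never use area 000, 666 or 900-999, group 00, or serial 0000) before reporting masked findings. The sample text, the regular expressions, and the function names are all assumptions of this example.

```python
import re

# Constructed sample standing in for a scanned file. Not real data.
SAMPLE_TEXT = """\
Payroll export 2021-09
Employee: J. Doe  SSN: 123-45-6789
Order ref: 000-12-3456 (invoice id, not an SSN)
Card on file: 4111 1111 1111 1111
Tracking no: 1234 5678 9012 3456
Phone: 734-763-1131
"""

# Candidate patterns: an SSN in dashed form, and a 14-19 digit run that
# may be broken up by spaces or dashes (typical card formatting).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers.

    Rejects roughly 90% of random or sequential digit runs, which is the
    main false-positive reducer for card detection.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs (SSA never issues these values)."""
    a = int(area)
    if a == 0 or a == 666 or 900 <= a <= 999:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four characters so reports do not re-expose data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str):
    """Return (line number, kind, masked value) for each validated finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((lineno, "ssn", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((lineno, "card", mask(digits)))
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan_text(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {masked}")
```

Run against the sample, the invoice id on line 3 (area 000) and the tracking number on line 5 (fails Luhn) are dropped, leaving only the real SSN and the test card number. A production scanner would add file-type handling, more patterns, and context scoring, but the validate-before-report step is what keeps the SUL’s follow-up list short.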

 

Cybersecurity Month Highlight

Mindful Clicking - FBI Cyber Threat Briefing


One of the many events held to celebrate October as Cybersecurity Month was the Cyber Threat Brief with Scott Hellman from the FBI. This live discussion, hosted by Stanford University, centered on the most common cyber threats the FBI sees, how people are targeted, and basic methods to protect yourself.

The cost of cyber attacks is astounding. The average cost to a university from a ransomware attack is one million dollars, and the average cost of fixing a breached network is two million dollars. Unfortunately, it costs the average cyberattacker only $35 a month to launch attack campaigns.

The most reported security event continues to be phishing. The attacks that cause the most financial damage are Business Email Compromise (BEC) phishing attacks; the FBI estimates that almost two billion dollars was lost through clicks in emails in 2020.

Criteria found in most phishing emails include:

  • A change in business practice
  • Last-minute timing on a change or action needed
  • Urgency (must be done immediately)
  • A need for confidentiality

This type of email fraud was already happening regularly, and the FBI finds the risk is even higher now because of the COVID-19 pandemic. Examples include emails that cite the pandemic as the reason for a business change, and pandemic-themed phishing links that offer fake vaccines or other COVID-19 relief. Other common scams right now include false employment or unemployment claims and telework claims.

While these phishing attacks are on the rise, Hellman says the most efficient way for users to ensure their safety is with what he calls “Mindful Clicking.” Emails are the most likely way individuals will be targeted, and Scott believes attackers count on their intended victims being busy and rushing through their emails. So remember to read through every email carefully and check every link before clicking. Refer to How to Spot Phishing and Other Scams and Phishing & Suspicious Email for more information on phishing and how to protect yourself against these attacks.

 

SUMIT Recap

UMIT Reimagined. IT Security Event Series Weekly in October

Though the COVID-19 pandemic made for another virtual SUMIT, 2021 still offered informative opportunities for engagement, as in years past. Once again, ITS IA celebrated Cybersecurity Month with several relevant and insightful sessions for the U-M security community. Presenters included experts from ITS Information Assurance and ITS Support Services, and attendees included U-M community members from the Ann Arbor, Flint, and Dearborn campuses and Michigan Medicine.

This year, we had presentations on Area 1 and Virtru, Zoom Security and Privacy advancements, the Shibboleth 4.1.1 Upgrade, Crowdstrike at U-M, and more.

  • Attendees heard from Dennis Neil and brian cors on how to use Virtru to enhance security for Gmail.
  • Ken Gray and Patrick Steffes presented on the security enhancements and feature updates coming in Shibboleth 4.1.1.
  • Asmat Noori and Maggie Davidson provided attendees with security and privacy improvements in Zoom since implementation, along with great resources on what you can do to protect your Zoom meetings.
  • Kevin Cheek and Kyle Cozad provided metrics from running CrowdStrike across the university and discussed improvements to the platform.
  • The IAM team gave attendees a preview of changes coming to group management at U-M.

If you didn’t have the opportunity to attend one or more of these sessions, refer to the SUMIT 2021 Safe Computing page to review the presentations from our SUMIT 2021 online events, and continue to check the Safe Computing event calendar for additional cybersecurity and privacy sessions from around the world. Reach out to [email protected] for more information about a particular session or with ideas for future sessions!

 

Reminders & Events

Ask the ITS IA Expert


Every Tuesday from 3-4 p.m., ITS Information Assurance (IA) staff make themselves available for short one-on-one drop-in sessions to answer questions from U-M faculty, staff, and students. We want to help you find the resources you need. Sign up for your own Ask the ITS Information Assurance Experts session.

Check out the Safe Computing Events Calendar for IT security and privacy events at U-M and elsewhere, and reach out to [email protected] with suggestions on what you’d like to see added to our calendar. Also, keep an eye on our Twitter account, @UMichTECH, so you don’t miss our security and privacy tips.

 

In the News

Seeking Privacy Empowerment? Opt-outs May Not Be the Answer.

In the spirit of creating transparency and providing agency, many academic institutions are looking to offer mechanisms for students to opt out of data collection and processing for learning analytics. But when U-M School of Information’s Warren Li, Kaiwen Sun, Florian Schaub, and Christopher Brooks started investigating students’ propensity to consent to learning analytics, they found evidence of a very real issue: consent bias. As explained by Christopher Brooks for Inside Higher Ed’s Privacy Opt-Out May Lead to Inequities, consent bias occurs when “those students who choose to opt out (or decide not to opt in) may differ systematically, such that the conclusions or actions taken based on the data will unfairly bias one of the groups of students.”

The research team emailed 4,000 U-M students to see if they would agree to data sharing to support learning analytics tools. Analysis of the responses confirmed consent bias: women were more likely to agree, and students who identified as Black were less likely to agree. According to Brooks, the research findings “should give institutions real concern that individual choice alone will have a disproportionate negative impact on groups of learners that may be historically disadvantaged.”

The University of Michigan is a pioneer among education institutions in adopting learning analytics guiding principles that strive to keep the creation, collection, analysis, and reporting of learning analytics data transparent and secure. These principles are meant to instill trust that the university uses learning data responsibly, but the U-M researchers found that the level of trust varied by gender and race, reflecting the consent bias they observed.

So what does that mean for privacy opt-outs? The research team suggests that consent bias can be alleviated by the active role of institutional leaders and instructors in engaging with students. Brooks sees this as a teaching opportunity: “Instead of encouraging opting out, we should be educating on the positive impacts of the data through transparency, while listening to the concerns and ideas students bring to the discussion.”

U-M is committed to providing visibility to its data practices and creating awareness of privacy and data protection.

  • ViziBLUE is a guide to personal data that explains what student data is collected at the University of Michigan and how it is used and shared.
  • Each January, ITS Information Assurance, in partnership with the School of Information, hosts Privacy@Michigan events and activities in recognition of Data Privacy Day.
  • Safe Computing: Privacy offers a wealth of privacy information and resources, from a history-of-privacy timeline and tips on privacy protection to daily privacy news.
 

Tips to Share

Resources

Looking for more resources to help protect yourself, your unit, and the U-M community? Use the resources below, and others available on U-M Safe Computing, to share with your unit, post one of our posters, or add a poster to the digital sign rotation in your area to help educate others! Remember, IT security is a shared responsibility.

 

Online Shopping Security

Protect yourself and make your online shopping experience safer. See the Shop Online Safely poster for more information.

 

Privacy Matters

Take steps to be aware, make informed choices, and respect others’ privacy. See the Privacy Matters poster for more information.

 

Beware of Ransomware


Did you know that universities, healthcare systems, and government are the biggest targets for ransomware attacks? They hit individuals too. See our Beware of Ransomware! poster for more information on how to protect yourself and U-M from ransomware attacks.