Summer 2022

In the last few months, IA has welcomed four new staff members, who are already contributing to the important work of securing the University of Michigan:

• Dale Fay, joined IA as Security DevOps Engineer on the IA Design and Engineering team. Dale comes to us from Michigan Medicine Information Assurance, where he has worked in vulnerability management and pen testing since 2017. Dale started his career at the Environmental Research Institute of Michigan (ERIM) as a research programmer, has worked at Merit Network, and was with the Radiology IT team at Michigan Medicine before joining Michigan Medicine: IA.
• Ramona Coreanu also joined the Design and Engineering team as a Security Systems Administrator. Ramona is originally from Sibiu, Romania, and has worked for the last 20 years at the University of Windsor, where she supported their university-wide anti-spam and antivirus systems and their enterprise Splunk implementation.
• Dan Johnson joined IA as a Data Security Analyst Intermediate with the RISC team. Dan has been in IT for 15 years, working in roles such as system administrator, network engineer, and most recently, as a cyber security engineer. Over the last five years, he has worked in vulnerability management, pen testing, as well as policy and compliance.
• Klare Savka joined us as IT Policy, Privacy, and Governance Analyst. She supports the privacy and IT policy programs, and is engaged in data governance work as well. Klare is joining us from Eastern Michigan University, where she was a Security Information Analyst.

On a related note, IA said farewell to some staff members over the last couple of months. Both Brian Rahn and Brian Awood transitioned to other positions in ITS. Paul Nelson from the RISC team has accepted a position outside the University. Mike Bennett, the PCI Service Manager has accepted a position outside the university. We are working to determine how to fill those IA positions.

The ITS Summer Internship program welcomed a new cohort of interns this May. Nine of the interns work with Information Assurance. They come from diverse educational backgrounds and work in technical and non-technical fields. We’ve asked our interns a few questions about their experiences. Take a look at a cross-section of their feedback.

How do you feel about the program?

Evan: “The internship program so far has been great! My peers and supervisors have all been super helpful in getting me onboarded and contributing to the teams that I’m in.”

Frank: “The internship program is great! Having been here last year, I know that all the people on my team are eager to help the interns learn and succeed [...] Compared to last year when everything was remote, this year has been better because I’m able to connect with fellow interns in person.”

We are pleased to report that our interns are as enthusiastic as ever, especially in light of our much-anticipated shift to a hybrid format. Most interns have two designated days of in-person collaboration every week.

What team are you with, and what projects are you working on?

Evan:

“I'm with Disaster Recovery, and the ITS promotional video production team. Currently, for the DR Team, I'm finding a new solution to visualize and track the progress of DR plans through Google Data Studio.” For more information on our Disaster Recovery team, please refer to the Disaster Recovery homepage.

Kieran: “I’m with the Education and Engagement team. Lately, I’ve been working on documentation for the upcoming MCommunity transformation with my team. I’ve been developing a strategic recommendation for ITS Service Charters with fellow interns. I’ve also been writing for our newsletter.” To learn more about Education and Engagement’s work within Information Assurance, please refer to Safe Computing.

Through working on real-world projects with established ITS teams, our interns not only gain valuable experience, but also enjoy the opportunity to network with a diverse group of ITS staff and partners.

What have you learned from your internship thus far?

Dana: “So far through ITS, I have learned how to create project charges and timelines, how to create and run meetings, create mock-ups using Adobe XD, complete data analysis using TDX and Excel, as well as how to work with a very unique group of people all with very different strengths and abilities.”

Frank: “In terms of technical skills, I’ve learned Django, the Django REST framework, and Angular. I’ve also learned a lot from the retreats about various topics, such as project management. I’d say the thing that has stuck with me the most is how important scoping out projects is, especially before starting any work.”

Altogether, our interns have developed a wide range of skills, both technical and otherwise. We also pride ourselves on integrating our interns into a real-world IT environment and providing a hands-on understanding of different professions within the field.

Meet the Interns - Written by Education Engagement Intern, Kirean Haas

Remote access protocols allow a computer to talk to remote systems. They allow system administrators to remotely configure, maintain, and manage systems, and provide individuals access to essential applications and data. Since the start of the COVID-19 pandemic, these protocols have provided needed convenience to users and system administrators who depend on off-site connectivity to campus resources.

However, when remote access protocols are not properly secured, they open the university, and the U-M community, to cyberthreats by, among other things, allowing critical software vulnerabilities to be discovered and end-user credentials to be compromised. These attacks are difficult to detect and challenging to manage should an incident occur.

Insecure Remote Access Protocols (IRAP) have one or more of the following traits or contain unacceptable risk:

• Do not require Duo, use local accounts or no authentication
• Expose U-M or third parties to attack
• Do not appropriately use centralized logging
• Do not implement appropriate brute-force attack mitigation
• Are not updated quickly for security vulnerabilities
• Not intended or designed for use on the open internet

These issues can be further compounded by the use of default passwords, password reuse, and the wide availability of publicly-exposed third party credentials.

ITS Information Assurance (IA) has begun work on remediation of specific protocols to enhance U-M’s overall security posture. The goal of IRAP remediation is to ensure individuals maintain appropriate remote access to systems, while protecting critical U-M systems and sensitive data from threat actors.

Incremental IRAP Remediation: Phase One

IA is working with IT leadership and the U-M security community on an approach for incremental IRAP remediation. The first phase of this project, which involves blocking certain outdated protocols such as Telnet and Quote of the Day, will be completed by late September, 2022.

Users can continue to use blocked protocols by implementing simple process changes that significantly reduce the risks introduced by IRAP:

• Use of VPN: Blocked protocols can be accessed using the U-M-provided VPN service. This requires users to manually start the VPN connection before accessing blocked services. Refer to Getting Started with the VPN for more information.
• Use of DirectAccess: Currently, most users of Windows systems managed via ITS MiWorkspace and ITS Platform as a Service can automatically use DirectAccess, which provides VPN-like network access to campus networks. Refer to DirectAccess as a Service for more information.

Go to Insecure Remote Access Protocol Remediation Project for more information and to stay up-to-date on the project.

ITS Information Assurance has implemented Passwordstate as an IAM capability for elevated account management. Passwordstate is an on-prem, web-based solution for password management for elevated and service accounts.

Passwordstate automates elevated account and credential discovery, onboarding, access control, centralized storage and rotation of passwords, and supports role-based access control features. Providing Passwordstate for elevated accounts allows those in the U-M Community a solution that streamlines and automates elevated credential processes and makes securing these critical accounts easier.

IAM now offers the Enterprise version of Passwordstate as a capability and continues to provide Licensed Passwordstate for management within units. Units that previously received a Passwordstate license from ITS are not impacted. Any unit wishing to migrate their instance to the ITS instance of Passwordstate can do so through coordination with the ITS IAM team. Refer to Unit Password Management for Elevated Accounts for more information on Passwordstate.

I first encountered MCommunity in the summer before my first year at Michigan. I had joined one of many group chats for incoming students and it mentioned a Facebook-like service at U-M called MCommunity. I had no recollection of it being mentioned in orientation and glanced over my profile and those of a few professors before closing the tab unimpressed.

Fast-forward a year, during the ITS summer internship that is my first foray into the world of Information Technology, I was offered the opportunity to work on the MCommunity Transformation project. The project is the first major update to the MCommunity platform in several years; it is an all-encompassing modernization, spanning everything from a mobile-friendly interface redesign to a new system for sending and receiving group email.

As a member of the ITS Information Assurance Education and Engagement team, I was tasked with streamlining, rewriting, and altogether updating the extensive MCommunity user documentation. The documentation, like the system it supports, needed quite a lot of help meeting the needs of the modern-day U-M community. From outdated screenshots to beige speech bubbles containing more text than the pages that housed them, my work was cut out for me.

With careful guidance from colleagues in Information Assurance, I’ve now written and edited several crucial articles, such as About Your MCommunity Profile, just in time for user testing. Thus far, the reception seems both positive and understated; as far as documentation is concerned, that’s the best possible outcome.

In being part of the team working to improve a system I had found so puzzling, I not only developed valuable skills, but helped make MCommunity more accessible to the university at large. For any future interns in a situation like mine, here is what I have learned:

• Don’t be afraid to jump in: everyone starts somewhere.
• Ask those questions: for every question I’ve had (even the frivolous ones), my colleagues have had an eager answer.
• There is no I in team: as much as I’ve described these documents as “mine”, it really is a collaborative process. Their authorship is shared among myself, many helpful editors, and the brave writers who set out to create the initial documentation over a decade ago.
• Rely on your colleagues: Your coworkers are the most valuable part of an internship, and for as much as I’ve learned in the classroom, it simply doesn’t compare to the wealth of practical answers experienced colleagues can provide.

As we near the end of the internship program, it’s deeply satisfying to know that my contributions to the MCommunity Transformation project will have a real-world impact, if a humble one. I hope that my words clear a path for a future student as clueless as I was a year ago, and I hope the future intern tasked with modernizing my inevitably outdated documents in another ten years learns as much from the process as I have this summer.

My First IT Project: MCommunity Transformation - written by Education and Engagement Intern, Kieran Haas

IA is working to create a smoother and faster workflow for RECON, External 3rd party risk assessment, and possibly other assessment processes. "We have procured a best-in-class tool from OneTrust that allows IA to manage third-party and on premise risk assessments. It provides improved workflow for compliance partners and U-M procurement and makes it easier for units to view the risks associated with RECONs in their area," explained Dennis Neil, IT Security Design and Engineering Manager.

Current assessment processes are still overly manual, and involve exchanging email, documents, and questionnaires between IA staff and our unit partners, and making tracking of many pieces of information, in many places a challenge. With OneTrust, IA staff and unit partners can send and receive information, respond to questions, mark tasks complete, all while keeping the information about an assessment in a single place. The system is also capable of automatically notifying those involved in an assessment of status changes, new steps to be taken, or responses to questions, eliminating a lot of manual messaging.

"We’re evolving away from home-grown tools and technology," said Sol Bermann, Executive Director of Information Assurance and Chief Information Security Officer. "OneTrust promises to let IA and its partners spend less time managing the process of assessments in a more efficient and speedy manner," he added.

Information assurance is a shared responsibility, and every member of the U-M community has a part to play in supporting IT security, privacy, identity and access management, IT policy, and compliance efforts. Part of this responsibility is for each unit, school, and college to designate a member of their staff as a Security Unit Liaison (SUL). Together, ITS Information Assurance (IA) staff and SULs work to enable unit missions while promoting security awareness, education, monitoring, and compliance. This partnership is fundamental in supporting the university’s security posture, and IA is committed to maintaining strong and productive relationships with SULs, listening to their feedback, and supporting their needs.

We asked Matt Toaz, Information Security Officer for the Institute for Social Research (ISR), to answer the following questions to help us understand his experience and priorities.

1) What do you see in your units regarding measures staff take to protect themselves and their data?

We have been encouraging the use of password managers for years, and uptake at ISR has been really encouraging. We've also encouraged using browser extensions to keep our users safe and protect their privacy. As a result, many ISR users employ these tools on personal computers and ISR-managed ones.

We’ve also been testing the IA Anti-phishing extension with tech folks at ISR and considering pushing it out more broadly in the near future.

2) What do you see as IT security challenges at ISR?

At ISR, we deal with many Sensitive Identifiable Human Subjects Research Data. Data providers and funders often set the rules for our data. So rules can vary significantly from project to project. Our projects often require security measures above and beyond what ITS or IA recommend/require. We can't allow the use of some tools that IA has approved, because they violate a researcher's agreement. It is a big job to keep up with all of this and ensure our users understand their requirements. I worry we've missed something or have not adequately explained requirements to our users.

3) What are you doing within your unit to spread IT security awareness?

Aside from leveraging all of the available IA resources, our security team tries to talk to our project staff and faculty. We make a real effort to help our users understand the risks we're trying to address and the requirements of their projects. Helping our users understand the "why" of what we do helps them make better informed decisions and improve the security posture of the Institute. It takes time, but the returns are worth the effort.

Note: IA offers Passwordstate for Unit Password Management for Elevated Accounts. Stay tuned for future SUL interviews, and if interested in participating, reach out to Jen Wilkerson ([email protected]).

U-M employees and community members all share in the responsibility to help protect U-M IT systems and data. To help U-M community members understand their obligations, IA has published a new course in My LINC, Data Protection 101: Your Shared Responsibility. This course is now available to all faculty, staff, and students. It provides a brief overview of:

• Why it is important to protect U-M data and resources.
• What risks exist and how to avoid them.
• How to fulfill the shared responsibility for protecting the university.

Data Protection 101: Your Shared Responsibility does not replace other training resources. Instead, it introduces key concepts that are further explored in other courses, such as DCE101 U-M Data Protection and Responsible Use, and in the Safe Computing Training Curriculum. ITS Information Assurance (IA) recommends the new course for staff who join the university or current staff who may need a refresher.

Quantum Computing has the potential to contribute tremendously to the scientific and technology fields, but could also pose a very high risk to cybersecurity. “Quantum-based threats” refer to attacks from future quantum computers, which have the capability of deciphering security encryption that relies on public-key cryptography. Public-key cryptography is widely used in web browsers and everyday applications, such as banking and email apps.

Though quantum computing is still a few years away, the National Institute of Standards and Technology (NIST) announced a new cryptographic standard designed to combat attacks generated from future quantum computers. The standard is the product of the Call for Proposals for Post-Quantum Cryptography Standardization in 2016, which included submissions from experts from multiple countries and institutions, and.will replace public-key cryptography by 2024.

A roadmap to help organizations protect their data and reduce the risks of quantum-based threats has been released by NIST and the Department of Homeland Security (DHS). IA will continue to prepare for the new standard and work with U-M teams and third-party vendors to ensure compliance with post-quantum cryptographic requirements. We will continue to update our U-M Security Community.

The MCommunity Directory is getting a significant upgrade. Beginning July 31, new features and improved functionality are being released to better support university services. Improvements include:

• Support for all modern browsers, devices, and screen sizes, including mobile
• A more intuitive user interface for managing your profile and groups
• The ability to edit Away Messages, including a Start/End date, the ability to set personal pronouns, and better manage the use of one’s own name with NameCoach

There are also changes such as editing your MCommunity profile in UMICH Account Management and the retirement of both the proxy function and the beta.mcommunity.umich.edu. Refer to the MCommunity Transformation website for more detailed information.

The fall 2022 term begins on Monday, August 29, so start to prepare for back to school now. As students and faculty return for the fall semester at U-M, it’s essential for the security community to be reminding others of basic ways to protect themselves and their data.

• ITS IA provides several pages on how to Be Safe Online. Send your units reminders that they should:
  • Be a Good Digital Citizen.
  • Review tips for Remote Work & Study.
  • Find information on keeping software updated and reviewing settings at Secure Your Web Browser.
  • Set up Two-factor authentication.
• Remind your faculty and students how important cybersecurity is and share our Securing the University of Michigan video, which explores the cyberthreats we face and the actions the university takes to protect its resources, data, and the U-M community.
• Secure devices and strong passwords are the strongest defense against someone else gaining access to your data. Use strong, unique passwords for each site or service used at U-M. Share Manage Your Passwords and Secure Your Devices to assist with these efforts.
• Protecting sensitive data is a responsibility every member of the U-M community shares. Share Protect Sensitive Data with your faculty, staff, and students to ensure they understand the guidelines for authorized access, responsible use and management of data, and the appropriate places for storing U-M data.

Over the years, IA has created and accumulated a wealth of videos, posters, and social media campaign materials. We have also been curating daily news articles and publishing quarterly newsletters. This material is now available in one easy-to-locate Library page on the Safe Computing website. You can find the link on the top-right of every page in the website header.

Browse the Media Archive by topic and type of content, check out back issues of the Safe Computing newsletter, stay up-to-date on the latest IT security and privacy news, and more. Let us know what you think!

Everyone, including our LGBTQ+ community members, should be supported to browse the internet safely. Though there has been much progress towards LGBTQ equality and inclusion in the last 50 years, inherent vulnerabilities of marginalized groups continue to exist, especially online. According to a 2013 study by the Gay, Lesbian, & Straight Education Network (GLSEN), “LGBT youth experience nearly three times as much bullying and harassment online as non-LGBT youth.” Refer to Queer Youth Exploring Their Identity, One Webpage at a Time, and Online Communities and LGBTQ+ Youth for more information on the importance of online safety for LGBTQ youth.

While the internet can be a hostile place for the LGBTQ community, it is also a lifeline in many ways. The GLSEN provides the following statistics:

• 81% of LGBTQ youth have searched for health information online, as compared to 46% of non-LGBTQ youth.
• 62% of LGBTQ youth have used the internet to connect with other members of the community in the last year.
• More than 1 in 10 said they had first disclosed their LGBTQ identity to someone online.
• 1 in 4 youth said they are more out online than in person.
• 42% of youth in this community have been bullied online versus 15% of the general public, and overall, 27% of LGBTQ members report not feeling safe online.

As experts in Cybersecurity, and LGBTQ allies, ITS Information Assurance wants to assist you with spreading the word on LGTBQ online safety across the U-M community. Share the following advice with your unit to help maintain online safety:

• Be cautious and do your due diligence before engaging with individuals online.
• Appropriately guard your personal information, even on dating apps.
• Understand the privacy settings on your devices, and within the applications you use and adjust them accordingly.
• Manage your passwords and turn on Two-factor for weblogin.

Refer to What LGBTQ Communities Should Know About Online Safety from The National Cybersecurity Alliance in collaboration with LGBT Tech for more tips and resources for protecting LGTBQ+ on the internet. Cybersecurity is everyone’s responsibility. Support your unit with guidance on how to be safe online.

You know you should choose a secure U-M WiFi option or secure home wireless network whenever possible, but what if you find yourself stuck needing an internet connection and free public WiFi is all that's available? Here are steps you can take to protect yourself and U-M.

Start by using a VPN.
Secure Your Internet Connection includes best practices for securing your connection, and can help you find the appropriate VPN for your campus.

• MiWorkspace Windows Users: Direct Access protects many of your connections to U-M resources for remote work. You may still need to use the U-M VPN to connect to some resources and should still use a VPN to secure connections on personal devices.
• MiWorkspace Mac Users: Your MiWorkspace Mac is configured to use the U-M VPN.

Be aware of what you share.
Pay attention to any information that free WiFi setup asks for. Don't over-share personal information, and don't save a free network for automatic connection later. Avoid doing important personal business like banking or shopping on free networks.

See Security Tips for Using Public WiFi on Safe Computing for more tips and links to helpful resources.