IT@IC Update - It's About Security

02/16/18

Contributed by David Weil

FEBRUARY 2018 CONTENTS – It’s About Security

Improving our information security:  Two basic approaches that can make a huge difference 

For the third year in a row, security tops EDUCAUSE's annual Top 10 IT Issues list for higher education. Headlines about IT security breaches or vulnerabilities regularly appear in the news. On the internet, no one is “centrally isolated” – the threats are real, and attacks regularly occur against Ithaca College, just like at other higher education institutions.

The two most important things you can do to stay safe online are: 

  1. Apply security patches and reboot when necessary: Ensure that your computers and mobile devices (both operating systems and applications) are set to automatically install critical security updates and are running supported versions of software
  2. Protect your user accounts: Use multi-factor authentication wherever it’s available, choose good passwords and security questions, and learn to recognize phishing attacks that would steal your passwords

Keeping your devices and applications up-to-date 

Today’s technology is complex, and consists of millions of lines of code written by different people and companies, all of which must work together – and none of it is perfect.  Flaws and vulnerabilities are always present, and new ones are discovered every day.  Some vulnerabilities, such as the recent “Spectre” and “Meltdown” processor flaws, make national headlines, but others are less widely reported. Criminals take advantage of these vulnerabilities to gain access to systems or information, in order to spy, steal, blackmail, hold data for ransom, or defraud individuals and institutions.

Fortunately, technology vendors issue security updates (patches) that address most of these vulnerabilities before attackers figure out how to use them. So regularly applying available security updates (patching) to your software, apps, and operating system, and restarting if necessary, greatly reduces the likelihood of falling victim.

 What we’re doing about this at Ithaca College: 

  1. Enhancing our server patching to reduce the delay between patch release and installation
  2. Using enterprise management tools to apply security updates to Windows and macOS
  3. Investigating improved enterprise patch management for third-party software
  4. Testing mobile device management solutions for configuring and patching College-owned iOS and Android devices
  5. Investigating solutions to protect college data stored on personally-owned devices and enhance privacy
  6. Getting the word out to individuals to patch their personally-owned computers and devices

 What you can do to be more secure: 

  1. Ensure your operating system and other software are set to automatically check for and install updates
  2. Restart your computers and mobile devices when updates require it
  3. Make sure that your operating system and other software are recent enough that security updates are still being published for them. We recommend Windows 10, macOS 10.12+, iOS 11, and Android 6+.

 Protecting your user accounts 

As our computers, mobile devices, servers, and applications become inherently more secure and better able to protect themselves, we humans become the easiest targets. We are all, by now, familiar with phishing attacks (email-based fraud or scams). We have all received email messages purporting to come from our banks, the FBI, or tech support asking us to log in to verify our account or something right away (often stating that if we don’t do it right now, before taking time to think about it, something terrible will happen). By logging into a fraudulent site, we give the attackers our username and password. By replying to the email, opening an attached file, or clicking a malicious link, we may give them other information or allow them to install malicious software on our computers.

The thing to keep in mind is that phishing and other forms of online crime are an industry. There are thousands of people in countries all over the world who get up in the morning and go to work at jobs attacking us and others. Just like any other job there are specialists, departments, and service providers with various duties: researching vulnerabilities, developing malicious software, researching targets, writing phishing emails, using stolen credentials to access email and other systems, mining stolen data to find anything that can be sold or that may be useful for subsequent attacks, etc.

Just like any industry, this one is maturing. Phishing (email-based fraud) is being complemented by vishing (voice-based) and smishing (SMS-based) fraud. Criminal organizations have built or hired professional call centers (posing as Microsoft, Apple, or other tech companies) to ensure that victims successfully install malicious software on their computers, or to assist with ransomware remediation, with victims often paying over the phone for the privilege.

What we’re doing about this at Ithaca College: 

  1. IT has integrated multi-factor authentication (MFA) with our Office 365 email system and virtual private network (VPN), and we’re working to enroll more users and to expand the number of applications protected by MFA.
  2. In November IC purchased a major bundle of new security tools from Microsoft as part of our campus agreement. Included in this are the Safe Links and Safe Attachments protections for Office 365 email, as well as a number of other enhancements and tools that we’re rolling out now and over the next few months.
  3. We’ve contracted with KnowBe4 to provide online information security training for faculty and staff, and phishing simulation and just-in-time training for faculty, staff, and students.

 What you can do to be more secure: 

  1. Use multi-factor authentication (also called two-factor authentication or two-step verification) wherever it’s offered. Most banks, email providers, social media, online game platforms, and many other online services now provide this as an option. Take advantage of it, and reduce the value your passwords have to the criminal industries that are trying to steal them.  We will be making it available by the end of the semester to anyone who wants to use it with Office 365.
  2. Choose good passwords, and use a password management solution so you can have different passwords for different sites and services.
  3. Choose “security questions” for password reset services that are not easily guessable by people who already know a bit about you or have access to social media.
  4. Recognize that your email account is the backdoor to reset many of your other seemingly more critical passwords, and protect it appropriately. Use MFA, set a PIN on your phone, have a unique password for email that’s not used elsewhere, choose truly secret security questions, etc.

EDUCATIONAL TECHNOLOGY DAY – THURSDAY, MARCH 22

The college’s 28th annual Educational Technology Day will be held Thursday, March 22nd from 9 AM to 3 PM in the campus center.  Ed Tech Day features over 60 national and regional technology vendors (including Apple, Dell, Microsoft, and many others), seminars, and faculty, staff and students showing how they are using technology in and out of the classroom.  Featured sessions this year include:

Ed Tech Day is free and open to all.  No registration is required.  Visit www.ithaca.edu/edtechday for details.  Complete schedule to be posted in early March.

THE LAST BIT

Last month EDUCAUSE published their annual list of Top 10 IT Issues for 2018. The 2018 Top 10 IT Issues show how digital technology is remaking higher education through four key themes: institutional adaptiveness, improved student outcomes, improved decision-making, and IT adaptiveness – all topics that we’re actively exploring here at IC. I encourage you to read through the article and related resources on the EDUCAUSE site, and take advantage of various opportunities to engage with us around these topics, whether it is at Ed Tech Day, liaison meetings, one-on-one conversations, or email. The complete list is below.

As always, if you have any suggestions or comments, please send them to cio@ithaca.edu.  Thanks! -Dave Weil, Chief Information Officer, Information Technology, Ithaca College.

EDUCAUSE Top 10 IT Issues for 2018:

  1. Information Security: Developing a risk-based security strategy that keeps pace with security threats and challenges
  2. Student Success: Managing the system implementations and integrations that support multiple student success initiatives
  3. Institution-wide IT Strategy: Repositioning or reinforcing the role of IT leadership as an integral strategic partner of institutional leadership in achieving institutional missions
  4. Data-enabled Institutional Culture: Using BI and analytics to inform the broad conversation and answer big questions
  5. Student-centered Institution: Understanding and advancing technology's role in defining the student experience on campus (from applicants to alumni)
  6. Higher Education Affordability: Balancing and rightsizing IT priorities and budget to support IT-enabled institutional efficiencies and innovations in the context of institutional funding realities
  7. IT Staffing and Organizational Models: Ensuring adequate staffing capacity and staff retention in the face of retirements, new sourcing models, growing external competition, rising salaries, and the demands of technology initiatives on both IT and non-IT staff
  8. (tie) Data Management and Governance: Implementing effective institutional data governance practice.
  9. (tie) Digital Integrations: Ensuring system interoperability, scalability, and extensibility, as well as data integrity, standards, and governance, across multiple applications and platforms
  10. Change Leadership: Helping institutional constituents (including the IT staff) adapt to the increasing pace of technology change

https://www.ithaca.edu/intercom/article.php/20180216122228363