From the desk: How we are making IU an unattractive target for cybercriminals
October 25, 2016
June 23 is an astronomically important day. Literally.
Depending on the year, it is the first or second day when the days start getting shorter. This year, June 23 marked a watershed moment in IU’s unending struggle against the cybercriminals who made the 54 days leading up to June 23 feel longer for the staff working to secure IU’s data and systems.
On April 30, IU employees received the first of several phishing messages titled “Message from IU Staff Portal.” (“Phishing” refers to fraudulent email messages that appear to come from legitimate organizations, such as your university, your internet service provider or your bank.)
For 54 days, our staff threw everything we had at this phish: technical defenses, education, communications. Every time we blocked the message, the website it linked to or the IP address of its senders, the cybercriminals would adapt. Hundreds of IU employees continued to unknowingly give their IU Passphrases to the cybercriminals behind the phish, and the cybercriminals continued to try to use that information for their personal gain.
We had reached a point where IU had to trade off some long-enjoyed convenience for essential risk mitigation.
On June 23, we halted self-service access to the employee center on One.IU until we could put two-step logins in front of any application that could show a user’s Social Security number or their bank account number. We have not detected a single instance of unauthorized access to IU systems behind two-step logins since implementing Duo.
Two-step logins marked a turning point: The cybercriminals could no longer rely on compromising our users’ credentials alone in order to access personal data from IU systems. Since then, we’ve seen the cybercriminals adapt. We’ve seen them try to target UITS employees specifically. They have also looked for lower-hanging fruit, including some of our vendor systems not behind two-factor authentication such as our contracted benefits, our HSA accounts and our retirement accounts.
Our SafeIT Taskforce continues to proactively tilt the field in our favor as the cybercriminals continue to adapt and look for the weakest link in our layered defenses. The task force has rolled out a suite of offerings with the IT professionals on all campuses, all designed to further make IU an unattractive target for cybercriminals.
Two-step logins are at the heart of this strategy. Starting next year, all systems behind CAS (Box, Canvas, Kuali applications, etc.) will require two-step logins from faculty, staff and student-employees. This is not just to help everyone protect their own data, but rather to help each person do his or her share to protect university data. As was the case with the staff portal phish, cybercriminals will use any account to try to get to others with more privileged access to IU data. Student accounts may be used to try to get to professors; professors may be used to try to get to deans. For this reason, we need everyone’s help in stepping up our collective games. Wise behavior is our best defense.
IU chose Duo for our two-step login product because it is a clear leader and has features that distinguish it from its peers. Duo works best with smartphones, and we recommend that you download and install the Duo Mobile Security app from your app store for the best experience. The Duo app works even if you don’t have cell or data service. Even if your phone is offline, you can always open the Duo app, touch the key image next to IU and get a code to log in to Duo.
Duo also works for people without smartphones. You can receive an SMS message on a regular cell phone, or a phone call on a landline, from Duo. If you don’t have a phone of any kind, you can register a Google Voice account that will send a code to your personal Gmail account. Also, users who have a Duo token can continue to use them, and the UITS Support Centers have devices for users who can’t connect to Duo with any of the other methods described. We also recommend you register more than one device with Duo in case you ever lose, damage or forget to charge your phone.
The playing field will continue to tilt. The cybercriminals will adapt. The days will get shorter, and then longer again. There is no silver bullet that will finally make us cybersecure. It will take all of us stepping up our collective game: We will have to strengthen our technical defenses, review our policies and our adherence to them, and work together to change behavior. While we have traded off some measures of convenience for security, we are seeing these efforts make a tangible difference.
Thank you for your continued vigilance to protect your personal information and all of IU.