‘Take caution,’ advises cybersecurity team
Faculty and staff are working with outdated and insecure network infrastructures, the University’s cybersecurity team asserted in an informational session on Monday morning. The session served to give best practice advice to faculty and staff while the team addresses many vulnerabilities left by years of money-saving initiatives and neglect in system updates.
“Senior leadership now realizes security is a priority,” said David Albrecht, the University’s director of Networks, Systems and Security.
Federal and state law require institutions of higher education to encrypt and protect personally identifiable information (PII) in all aspects of administration. PII is any information maintained by an agency that can be used to distinguish the identity of an individual, or other information that can be traced back to an individual, such as medical, educational, financial or employment information. This includes Social Security numbers, driver’s licenses and financial account numbers, as well as passport identification.
Whether scanning or printing sensitive information or sending financial information by email, “Just assume by default it’s not secure,” advised Senior Security Engineer Chi-Jan Yang. “There’s no way to ensure the other end is secure.”
Regarding the state of University utilities on campus, the team discussed a number of security myths. The University’s multifunctional printer services on campus, such as scan-to-email and scan-to-share, do not encrypt data either in transit or at rest. Yang highly recommended against their use for printing, sending or storing sensitive information, as it could result in a data breach.
Additionally, the “email relay environment is not secure,” said Albrecht. “This has to do with the age of the infrastructure we have.” While Gmail, the University’s email provider, automatically encrypts emails, the University’s email has an intermediate relay system that intercepts them, yielding unencrypted and unsecure emails.
To address this, the team is rolling out a platform switch to email security company Proofpoint, which is expected to come to all faculty and staff within a couple months, and later to students.
Proofpoint not only has a reliable encryption system but also is better at filtering out harmful content, including inbound threats, viruses and malicious URLs. Proofpoint will also prevent the exfiltration of protected data and provide immediate reports of phishing attempts to the cybersecurity team.
In terms of cloud storage, Yang said the University’s integrated Box.com service is certified for storing sensitive administration and research data information. It is the only cloud service currently endorsed by the Institutional Review Board for PII.
Google Drive, while certified for encryption, is neither certified for Family Educational Rights and Privacy Act data nor permitted by University policy to store sensitive data. The network’s shared server is likewise not encrypted and is not permitted by University policy to store sensitive data.
Other upcoming security enhancements include the implementation of two-factor authentication (DUO); Albrecht said the University is one of the last higher-education institutions in the Boston area to do so. DUO is a follow-up login step that confirms identity through a smartphone app, SMS/text messaging, phone call or hardware token. The rollout of DUO for the University’s Google Apps, Box, LATTE, Sage, BUSS, Marketplace and WhoCash platforms will be seen in the next few months.
The team also reviewed general security practices, including awareness of phishing attacks and password security. As is the case with many institutions, the University is the target of phishing emails designed to trick a recipient into opening a malicious attachment or clicking on phony links that request account logins. In the past, the University website has been cloned, asking for users to log into their Brandeis UNet accounts.
“Always check and see where you’re going,” said Security Engineer John Godfrey, who said “wormhole.brandeis.edu” should always be in the URL when logging in to University servers. Wormhole is Brandeis’ Virtual Private Network, which allows secure access to resources on the Brandeis network, and all communication using Wormhole is securely encrypted.
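A check of the kind Godfrey describes, as an added example that is not part of the article or of any University tool: it parses the link and accepts it only when the hostname is exactly wormhole.brandeis.edu over HTTPS, because a plain substring match is fooled when the name appears in the path, before an “@”, or as the prefix of a longer host. The sample links are constructed.

```python
from urllib.parse import urlsplit

# Hostname the article says should always appear when logging in to University servers.
TRUSTED_LOGIN_HOST = "wormhole.brandeis.edu"


def is_trusted_login_url(url: str) -> bool:
    """True only for an HTTPS link whose hostname is exactly the trusted host.

    Checking `"wormhole.brandeis.edu" in url` is not enough: the string can
    sit in the path, in the userinfo part before an '@', or be the prefix of
    a longer, unrelated host. Parsing the URL and comparing the hostname
    label-for-label closes those gaps.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False            # plain http or a non-web scheme is never the VPN login
    host = parts.hostname       # userinfo and port already stripped, host lowercased
    if not host or not host.isascii():
        return False            # reject look-alike hosts built from non-ASCII letters
    return host.rstrip(".") == TRUSTED_LOGIN_HOST


# Constructed sample links, not taken from any real message.
SAMPLE_LINKS = [
    "https://wormhole.brandeis.edu/login",                   # genuine
    "https://WORMHOLE.brandeis.edu:443/login",               # genuine, odd case and explicit port
    "http://wormhole.brandeis.edu/login",                    # not HTTPS
    "https://wormhole.brandeis.edu.attacker.example/login",  # trusted name is only a prefix
    "https://wormhole.brandeis.edu@attacker.example/login",  # trusted name is userinfo
    "https://attacker.example/wormhole.brandeis.edu/login",  # trusted name is in the path
]


def triage(links):
    """Map each link to whether it passes the check."""
    return {link: is_trusted_login_url(link) for link in links}


if __name__ == "__main__":
    for link, ok in triage(SAMPLE_LINKS).items():
        print("OK  " if ok else "STOP", link)
```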
Godfrey also recommended the use of “unique passwords for anything you use,” adding that passphrases of words and spaces longer than 15 characters, like “Cheeseburger in paradise” are more secure than traditional passwords.
Additionally, the team noted that computers distributed from Library Technology Services should have the desktop software application Spirion (formerly known as Identity Finder) installed, which can search for insecure files containing PII and lets users shred unnecessary files out of existence. The latest versions of Adobe Creative Suite and Microsoft Office products are also recommended for certified encrypted filing.
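To show the kind of search a tool like Spirion performs, here is an added example (not Spirion’s code, and not from the article) that scans text for Social Security numbers and payment-card numbers, validating each pattern hit so that phone numbers and order numbers are not flagged. The sample text is constructed.

```python
import re

# Candidate patterns; each regex hit is validated below because the patterns
# alone also match phone-style numbers, order numbers and other digit runs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13 to 19 digits, optional separators


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Apply the Social Security Administration's structural rules."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:   # area numbers that are never issued
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, match) pairs for every validated hit in the text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


# Constructed sample file contents; none of these values belong to a real person.
SAMPLE_TEXT = """\
Applicant SSN: 219-09-9999
Placeholder SSN from a template: 000-12-3456
Main office phone: 781-736-3000
Card on file: 4111 1111 1111 1111
Purchase order: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_TEXT):
        print(f"{kind}: {value}")
```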
When asked how to upload physical documents without using scanning devices, Albrecht responded that it’s a “catch-22” given the state of infrastructure and added that there’s only so much that can be done until the infrastructure is updated.
Yang said the takeaway for now is to start becoming aware and conscious of where sensitive data is and how it is transmitted.
To promote better cybersecurity practices across campus, LTS will be providing more educational services to faculty and staff, in addition to resources posted on their website.