ITS implements new data security measures
On the evening of Oct. 14, Information Technology Services began remotely deleting personally identifiable information in temporary and hidden folders from University-owned Windows computers. These now-weekly deletions are one of four security initiatives that ITS is in the process of implementing — or will roll out soon — that are aimed at protecting the University’s technology and data.
Under Massachusetts General Law 93H, PII is any data record that contains a person’s first name or first initial, their last name and personal information such as “social security, driver’s license or account numbers,” according to the ITS website. “Many [University] departments deal with PII on an ongoing basis,” David Albrecht, the ITS director for networks, systems and security, explained in an interview with the Justice. For example, Human Resources gets new hires’ information and the International Students and Scholars Office works with passport numbers and visas, he said.
These departments’ employees will have forms containing PII saved to their University-owned computers because of the nature of their work. But, Albrecht explained, an employee might also open a form that contains PII without actively saving it to their machine. “Many times, the computer still keeps a copy of that in a temporary folder,” Albrecht said.
These “temporary or hidden directories,” he explained, are “meant for temporary storage that people don’t normally go in [and] don’t know how to get to” — resulting in a “significant volume” of PII building up in these folders. Beginning Oct. 14, ITS started a weekly routine of remotely deleting files containing PII from these folders.
Spirion, the data security software used by the University, searches University-owned computers for PII, specifically credit card and Social Security numbers. Spirion then reports the amount of PII on these computers, and ITS encourages staff and faculty to remove “as much [as] possible” without interfering with their work. Albrecht said that the new policy goes “one step further: In areas where they can’t remove it, we’re removing it for them.”
Limiting the amount of PII on these computers is important, Albrecht explained, because it ensures that less PII is at risk in the event that a computer is compromised, lost or stolen. “Because we encrypt all of our laptops, the likelihood of data being exfiltrated from them is minimal,” he added. According to the Microsoft Trust Center, “Encrypting your information renders it unreadable to unauthorized persons, even if they break through your firewalls, infiltrate your network, get physical access to your devices, or bypass the permissions on your local machine.”
Each month, ITS learns that “dozens of accounts” are compromised, Albrecht said, explaining that most of these are student accounts. The University is currently in the process of implementing Duo Security’s two-factor authentication system for Brandeis login services, such as LATTE and Gmail, to help counter this problem. Under this system, users will first log in with their passwords and then verify their identity by responding to a prompt sent to their mobile device. This second verification can be a text, a phone call or a notification from the Duo Security app, per the ITS website.
ITS is first rolling out this program to staff and faculty, especially administrative staff whose work deals with PII frequently. Currently, about 80 percent of staff, 23 percent of faculty and two percent of students are using two-factor authentication, according to Albrecht. Members of the University can enroll themselves in Duo Security at the Brandeis account tools page, under “Manage Account.”
Two-factor authentication will be a required part of Workday, the new human resources, finance and payroll service that will be implemented next semester. All faculty, staff and student employees will be required to use Duo by April 1, 2019, when Workday is implemented, Albrecht explained. The rest of the student body will switch over to Duo at a later date.
ITS also plans to enroll all Brandeis email accounts in an application called Proofpoint Cyber Security, which will provide “enhanced email security” by blocking phishing attempts, malware and viruses in emails. Proofpoint will also “quarantine” spam and bulk messages and provide users with a daily report of any emails that have been blocked, so that users can mark emails they do not want blocked in the future.
In an interview with the Justice, University Chief Information Officer Jim La Creta shared that he recently began using Proofpoint as part of ITS’ testing of the program, describing the application as a “game-changer” that makes users “feel more secure.” ITS will further test the program before rolling it out to the community, according to Albrecht.
Brandeis is also in the process of changing its anti-virus platform, which is currently a combination of Symantec and Malwarebytes. The new anti-virus program, enSilo, is “more sophisticated” than the University’s current anti-virus providers, Albrecht said, and can handle the “complex malware that comes in.”
Albrecht stressed that security threats are “always changing.” “You go two steps ahead, and then take one step back, because the complexity of everything changes,” he said, adding that ITS is “trying to stay one step ahead of everybody else.”
How can members of the Brandeis community protect their personal computers and their PII? Albrecht urged members of the Brandeis community to “be aware of the information that you have and … [that] you’re sharing” and to “know where your information is being stored.”
He explained that people should avoid having copies of forms that contain PII on their laptops when those forms are already saved on servers, such as servers for tax filing software. “Don’t keep it around if you don’t need it,” he said.
When filling out forms that ask for PII such as Social Security numbers, people should not be afraid to ask whether that information is actually required, and how that information will be stored to ensure its security. They should also encrypt their computers, an option that can now be enabled on most machines.
Both La Creta and Albrecht highlighted the upcoming information security workshop on Nov. 14 as an opportunity for the Brandeis community to learn more about securing their personal computers and data. La Creta said he hopes the workshop will give people the necessary information, so that “when they go back to their respective homes and dorms, they can go and protect their machines as well.”