>> thank you all for joining. this is a really great crowd. i'm really excited to have you all here andtalk about the work of the safe it task force. and this is one of our vice president forinformation technology cabinet series talks. how these usually go is we usually have apanel discussion and then some questions. so, this one is going to bea little bit different. we know that not a lot of folks know aboutwhat the safe it task force is all about, so we're going to do first aninfoshare for about 30 minutes, then we'll have a short 10-minutebreak so you can, you know,
finish the cookies in the backthat have already been started. and then after that-- we'llpivot to the panel after that. so i'd ask if you do have any questions tohold them for when we do have the panel, you can chat your questions tomeet.cabinet@vc.iu.edu i believe. if you're logged in via link, you canall-- you're already in the right place, you can just chat your questionsthere on the-- in the window. so, as you see here, the safe it taskforce infoshare, we really couldn't think of a better name for the safe it task force. we're really pressed for time.
and we figured that doing some sort of pon withlike secure it had been done way too many times, so we've met with safe it in a bit of a pension. and this was before we brought the communicationsfolks onboard too, so they would have helped us. but yeah, this is a task force that vice president wheeler put together to help make sure that we are putting in the rightsecurity measures in place for safe computing, things like digital signatures,things like internal phishing, and as many of you are acutelyaware, our duo roll out. so, that's kind of the scopeof the safe it task force. i'm dan calarco, i'm the ovpit chief of staff andi was appointed as the chair of this task force.
but i could only say that i am onlya figurehead in this responsibility. the real work falls to the members on it and we'llbe talking a little bit with them in just a bit. so, what really inspired this was what we call adueling escalation of cyber risks and responses that the black hats, the cybercriminals, the spoofers, the bad actors, whatever you want to call themare getting more professionalized. they're-- we've seen that certain phishesthat they've even become departmentalized, that we would have certain bad actors who wouldbe in charge of, you know, getting the credentials from the users and then other bad actorswho would be in charge of exfiltrating them or doing other pieces that theywould hand them off literally
to a different division ordepartment of their operation. so, they are getting better at this gamethan perhaps our users are in their defenses. and so, we see, you know, this greater socialengineering, we also see things like ransomware, phishing, new kinds of exploits that weweren't really seeing as often as before. and in particular, you know, we're not seeingthese-- as much of these smash and run, we certainly are seeing those, but in particular,we're seeing in higher education is trying to get to, what's the word, intellectual property. they're trying to get to things likeengineering schools like we saw at penn state. they're trying to get to schoolsof science and things
where there are high value intellectualproperty, not just social security numbers. so, the playing field has changed a little bit. what we're doing, you know, we'reobviously doing the obvious things. we're doing more blocking of bad sites, we'retightening our controls, we're doing another round of it 28 reviews, we're going to be doingthings like multifactor log-ins, you know, the typical things that you would see anorganization do in response to these threats. but we're also trying to be a little bitmore proactive and not just reactive to this. so we are looking at ways we can collaborate withother schools in the big ten academic alliance, if one university is seeing something,how can we better share that information,
how can we do more automationacross schools so that we get out of this human-mediated pace of defenses. now, our defenses have these three various layers. we have of course the technical defenses thatmany of us here in uits and uiso and uipo work on, things like our firewalls and our automated,you know, defenses that keep folks out. we also, within that though, haveanother layer, our it policies. these are things that people have tofollow so that even if the bad actors were to get past those automated defenses, well, maybe there isn't any personally identifiableinformation on that server or on that disk.
so, by having these policies in place that govern,you know, what a user can and shouldn't do, we're able to, that even when thetechnical defenses are bypassed, still have a certain level of security. and then within all three layers, at the verycenter is personal behavior education, right, the user at the end of the day, if they turn overtheir keys to a particularly convincing bad actor, there really isn't much wecan do against-- about that. so, we need to have the wholeecosystem working together. and so that's why things like two factorauthentication are so important because even if a user doesn't inadvertently turn overtheir credentials to a particularly, you know,
deceptive bad actor, there'sstill some protections in place. so, this is not to sort of assign anyblame, this is not to assign any fault, there just are these tensions that ariseas a result of this, that this is a game that the bad actors are playing and they areexploiting our weaknesses in all of this. so, on the one end of the spectrum, we see thesebad actors are becoming more professionalized. and then on the other end of this-- of the spectrum, we have thisconsumerization-- personalization of it. everyone has become, in some ways,their own it department, right? i have-- you know, i've bought acomputer over at the surplus store and,
you know, i plugged it at my house. and if i ever want to use that computer toaccess university data, i need to make sure that i've been the one patchingit because this is not, you know, university-owned and managed machine. and so, everyone within iu somehow has, youknow, responsibilities like that if they do want to access university data from their devices. and so, there arises a motivation and skills gapbetween those very professionalized bad actors and on the other end, our consumerization of it. we also have this behavioral gapthat these safer computing practices
that we espouse are not alwaysconvenient doing duo, doing s/mime certificates and things like that. they are not as easy as whateverwe were doing before. they are going to add a certain level ofinconvenience, that that's undoubtedly. but, you know on the other end, we have thisopenness and convenience where our university, we allow people to, you know, plug and play theirown devices, we encourage bring your own devices. and so, there's this behavioral gap betweenthem, you know, people don't want to do this. but at the other end, there arethe safer computing practices. there's an authority gap here and i see we do havesome folks from internal audit here, they are,
you know, the closest thing that wehave to an authority here on things. and we in uits can't say, "well,you are going to stop doing that. we can't, you know, do that. we can't unplug people for-- you know, formaybe, you know, having an unencrypted laptop or we can't deny them access to the network." that's really a matter for internal auditand their department to take care of. and so, that we have these individualswho are undertaking institutional risk. but we have no authority withwhich to kind of enforce that. and then, there are sourcing choicesthat also create these cyber tensions.
so, a good example, is everyone here familiar withthe-- sorry not the box, the dropbox data breach? hands? oh, you're familiar already. i see a lot of smiling and nodding too. so, we might think, well, why does thisaffect iu, this isn't important, right? we don't provision dropbox into central service. well, that's actually quite the point. we know that there was about $70,000 inpurchases from p-cards, from research accounts, from departmental accounts of dropbox licenses. and we don't have visibilityinto what that data is.
and so when credentials get leakedand when data gets breached, we don't know what's going on there. these were people that made individual choices with an outside cloud providerand we don't know what's there. and so, you know, on the other end, we have theiu data centers which are, you know, more secure and we do have visibilityinto the data that's there. and so, once again, another tensionthat arises in this spectrum, i think this is probably alltied to a lot of you folks. but part of the avp cabinets here is to reallyget down to the why and what we're doing things
and so that's really why i kind ofwanted to illustrate these points here. so let me walk you really quick throughwhat's called the staff portal phish. does anyone remember receivingthe staff portal phish? does that ring some bells? yeah. iu had-- about 12,000 users hereat iu received the staff portal phish. and it was a pretty difficult one to beable to afford at the end but eventually, we were able to mitigate the effects of it. but it really took a lot ofour best efforts to do so. and so i'm going to walk you through this part.
and this part is in particular, like you see atthe bottom here, the iu confidentials, you know, i've shared the confidentialpart of this presentation. i'd ask that you do not, you know, livetweet this, just take pictures, et cetera. the herald-times and the ids have alreadyactually covered this presentation so, you know, the cat is out of the bag to some extent. but i would still ask that younot further give details on this because it could embolden certain bad actorsif they were to get their hands on it. so, we first received thestaff portal phish, i believe, it was april 30th was the firstday that we received one of these.
and it said, message from iu staff portal,the message was sent from what purported to be indiana university noreply@iu.edu. if you hovered over that, itwould say, noreply@iu.edu. it looked like it was a legitimate message. the bad actors were able to send thisdirectly through our mail relays and-- which is something that's actually surprisinglyeasy to do, i found out and figured out how to do so myself just to understand this process. and so this bypassed our usual phishing filters. and they then said you have a new importantmessage from the staff portal, click here to read,
and this link here pointed the usersto a fake cas authentication page. so this was pretty convincing. this was a little bit more sophisticated thansome of the simple phishes that we'd seen. this page obviously it's not an iu.edu domain, butif you were to look at the very end of the url, you might have thought so, you know,it says it's pointing at cas@iu.edu. and so this really was just a sophisticatedman in the middle of the attack. they were able to get between the users andtheir information by taking this fake cas portal, taking those credentials that the userswere using, actually entering them into the real cas portal and thenverifying that they actually work,
then returning the user backto valve log-in screen. but it didn't end there. so we were successful in blocking those links. we saw that message, we were-- somebodyreported it, and people weren't able to access that link anymore on the iu network. so the bad actors adapted. they changed the link. they changed, you know, alittle bit of the, you know, the content of the messagein some of the instances.
and so we saw dozens of variations of this messagesent to over 12,000 iu users, mostly faculty and staff, there were a few students but itwas mostly faculty and staff that got it. and then on day 14, after we have gotten severaldozen variations of this, we got a bunch of folks in the room, we said, "ok, we need tostop this, what are we going to do?" and we said, "well, we can'treally block noreply@iu.edu. this is a legitimate addressthat we need for things. we can't really-- you know,we've been blocking the links so that's not going to, you know, end this. but we can block the subjectmessage from iu staff portal."
and so that's actually what weused to successfully block this as you now can no longer send a messagethat says message from iu staff portal. unfortunately, bad actors were-- did notadapt to that change and they were not able to send any more messages after that. so, if the users accessedthis from the iu network, we were able to do some proactive measures. we were able to scramble their passphrasesif we saw that they clicked on the link and they entered some information. but if they did so from outside the iu network,
we have pretty limited visibilityinto what they were doing. so couple weeks go by, nothing seems tobe happening, the bad actors don't seem to be using this informationfor anything nefarious until the first payday afterthe last message was sent. and so, on the 1st of june, the badactors try and use this information. they tried to reroute some paychecks, theyaccessed-- i think it was about 400 users' w-2s or bank information so they were able to seetheir personal information and they were able to exfiltrate that information, whichwe don't know what they're going to do with it at the end of the day.
so, we received these reports thatthe fraud had occurred and then we-- once again, we sprung into reactiveaction, we were able to, you know, track down the ip addresses that they wereusing, we were able to scramble any accounts that were accessed from those ipaddresses, the bad actors kept adapting, they used things like vpns,they used file sharing services, they were able to get the local ipaddresses, a lot of cat and mouse that went on this 39-- days 33 to 39. what we could reasonably tie thisfraud just looking at, you know, w-2s and looking at direct depositinfo to the staff portal phish,
everyone whose information was viewedreceived the staff portal phish and no one who didn't receive the staff portalfish had their information viewed. so, you know, kind of by both of thosearms, we kind of met in the middle and said, "ok this is pretty reasonable to say. this-- these two events were related." so all the compromised accountshad essentially their information, we reported it to the state attorneygeneral, the fbi and all the relevant bodies that we need to in the event of this. so then we said, "ok well, we need to communicate.
we need to let folks know that if they did accessthis that they need to reset their passwords." we pretty much just can't support if 12,000 peoplewere to show up, you know, at the wells library and i'll need to, you know,reset their passwords at once. we couldn't do that. so we needed to rely on usersto do this themselves. so, our friend tom davis sent an emailout to all 12,000 users who were affected. and it was an s/mime signed message. it was, you know, very well-doneand very, you know, synced in how users could guard against this.
we then had our it communications officesend out a special edition of the monitor with all the steps that users needed to do ifthey though they might have fallen prey to this. and then brad, our cio, also sent amessage out to every iu faculty staff and students about this whole scenario. but despite all these communications, anadditional 75 users over the next, you know, next few weeks still had theiraccounts somehow compromised, whether it was that they were maybe readingtheir emails in reverse order or maybe they just, you know, didn't read-- you know, theydisregarded those or maybe they just still thought that this was a legitimate message.
you know, another 75 users turned overtheir information to these bad actors. so, at that point, we said, "ok,well, we need to do something else. education is not going to completelyresolve this, so what else can we do?" so brad ordered that access to theself-service staff portal had to be shut down. and so, users would no longer be able tosee their w-2s direct deposit information until we could reasonably ascertain that everyonewho was doing that was indeed themselves, that this wasn't being done by a bad actor. and so, about five days later, we wereable to bring that back up as the first of our applications that nowrequire two factor authentication.
and since that day, we have had noadditional incidents of unauthorized access to this information that has beenbehind duo two factor authentication. so we were pretty confident that thingshave been going well as a result of this. so, learning from this, what arethe other things we should be doing? what are these additional steps we shouldbe ruling out to ensure that there is more-- there is less of a likelihood of futurebreaches, future phishing incidents? so we're looking at all three layers of this. we're looking at the technicaldefenses, what sites we block. we're also looking at two-step log-ins with duo.
we're looking at how we canrefine the [inaudible] ports to further tighten those upto let fewer things through. there's also a new site, logins.iu thati'll tell you about in just a second. we're also looking at the policy side of things,so next round of it 28 will also help, you know, further understand what services are out there,which ones may or may not be locked down. and then really at the heartof this is the user behavior. so understanding what is and isn't a phishingmessage, educating our users on that, digital certificates for sign messages sothat folks can have a reasonable understanding that this message came from a trusted source,
making sure that their devicesare updated, et cetera. so, i think that most folks in the roomhere are already using duo, correct? show your hands. i bet most folks on the stream would say so too. i can't really see what their handslook like but i suspect they are. so i'm not going to get in too much of thenitty-gritty of, you know, what is duo. but as i said, since we implemented duo twofactor authentication in front of various systems, we haven't detected fraud onany of those particular systems. also, there was an incident of a studentwho used a key logger on a machine
that their faculty member then later logged into. the student was able to get that faculty member'scredentials and then change their grade in canvas. so this is another thing that could have beenprevented using two factor authentication. if canvas had two factor authentication, evenif the student was able to steal that username and password, the faculty member wouldn't-- they wouldn't have been able to usethe faculty member's credentials. and so, this is another vector for why we'renot just using duo in front of systems like w-2s and pay stubs because it reallyis anything of value. how much is an a at iu worth?
i don't know but i'm sure it's adecent amount of money, you know? students are willing to pay for thesecourses, you know, thousands of dollars. how much would they be willingto pay get an a in that course? i would bet it's probably aroundthe same order of magnitude. and pretty much any system at iu, justthink about what a value is behind this and how much would somebodybe willing to pay for it. if there's any value at all, we probably weneed two factor authentication in front of it. so two factor authentication willbe required for all cas log-ins for all iu employees starting january, 2017.
that's a bit of a simplified statement. there's a lot of caveats to that, so it'snot every log-in, it's every log-in session for about eight to 24 hoursdepending on the system. it includes employees, faculty, staff, studentemployees, retirees, affiliate, so be it. this is a bit of a simple vocationbut it's a pretty accurate one too. so these are some common misconceptions about duo. i know we've got a lot of it pros here andi want to help equip you with, you know, the responses to a lot of these questionsin case you come across them, you know. one is that well, you need a phone for this.
i don't have a phone. well, actually that's not true. you actually can use two factor authentication. you can use duo even if you don't have a phone. so google voice is a really good option. i have it on my laptop. you need access to a phone onceto be able to use google voice. once you've set up your google voice account, after that you never needto have that phone again.
so after that, you can then have duosend a code to your google voice account. you can log-in to it with a web browserand then use that as your second factor. rumor two is that well, youneed wifi or cell service. i don't have wifi service or i don't havecell service in the basement of this building where i teach classes and soi won't be able to use it. well that's not necessarily true. you can actually use, you know, you canduo on a plane, you can duo at the game, you can duo undersea, duowhere you'd be, i don't know. you can really do this anywhere and what'skind of neat is that if you have a token,
that's one way you can do this, obviously. the tokens do not require internet access. but if you have the duo app on your phone, iactually have it for a bunch of different accounts but for my iu account, there'sa key right next to it. so you just push the key nextto indiana university and you get a code and this will work anywhere. and so i was on a plane, you know, nottoo long ago and i didn't feel like paying for wifi on both my phone and my laptop. i mean, why would i want to pay an extra 10bucks so that i could duo in to my laptop?
you know, that seems silly, so i just usedthe duo app on my phone and it, you know, it saved me 10 bucks, so, you know, anotherbenefit for why you want to have the app. another rumor is that you'll needthe two-step log-in every time. it's not quite-- you know, it's a bit of a nuancemessage and so every time you log-in to cas for the day, usually it's for about 24hours on any particular device as long as you don't close your browser window,you'll be able to leave it logged in. and so that's-- there's also certainapplications that won't require duo. so, right now, link does not requireduo, exchange does not require duo and so you can still use those applicationswith just a single factor authentication.
and then rumor four, yourtoken won't work anymore. there's nothing really sophisticatedthere, it's just-- that's not right. it's not true. you can always your old token, it still works. so what else are we doing interms of these technical defenses? duo is probably the biggest one but log-ins that iuse, one that i think everyone can and should sign up for, it's so easy and it really will take--it's one of these defense mechanisms that, you know, in that-- on that spectrum of, youknow, inconvenience versus personal prerogative, this is pretty-- this is not very far onthe inconvenience end of the spectrum.
you do this once and you get an email everytime somebody tries to access your account from outside the united states with anip address outside the united states. it won't shut down your account, so ifyou're traveling internationally, that's ok. you will just get an email thatsays looks like somebody tried to access your account whileyou're outside the us. is this a legitimate activity? you might want to think about that. and if it's not, you shouldcontact itincident@iu.edu. so, you can go to logins.iu, choose optiontwo and just switch the toggle from no to yes
and you will get an email every time somebodyoutside the us tries to access your account. you can go a little bit more in depth. you can get a log everyday of everysingle log-in attempt and every ip address that tried to access your account. that's a little bit more information thani want and i think most of our users want but it is available if you do reallywant that level of granularity. another thing that we're rulingout is digital signatures. does anybody know how to send a messagedirectly through the mail relays here? it is surprisingly easy, sosurprisingly easy that i tried--
i just googled how to send a message throughmail relays and i figured out how to do it. there wasn't anything specific to iu about it. and i sent this e-mail to myself from brad andit said, "dan, can you send me the salaries, home addresses, and social securitynumbers of the members of the vp cabinet?" signed by brad, you know, at thebottom and if you hover over his name, it will look exactly likethis came from brad wheeler. it will say this came from bwheeler@iu.edubut it's not digitally signed. it doesn't have brad's digital signature on it. this message does.
this is a message that brad actually sent tostew cobine and he said he felt really good about this meeting that we had and you can clickhere on the digital signature and you can see that this message was sentby brad wheeler from a device that brad trusts and that's really important. i've gotten a lot of spearphishes since we've--you know, since we've started ruling out of these from people purporting to be, you know, highranking members of iu or people that i knew from either former lines of work or just oldfriends saying, you know, "hey dan, can you, you know, send me money to this account or canyou, you know, help process this wire transfer?" and they were convincing but, you know,i looked for the digital signature,
i contacted them out of band in another way. i tried like texting them and said, youknow, "hey, what's going on with this?" and i was able to ascertain thatthis was indeed a spearphish attempt. it wasn't the legitimate question. plus, i can't actually send wire transfers. so that also kind of gave it away. so that's why we need things like s/mimecertificates and all of the top 50 executives at iu, vice presidents, deans, vice provosts,et cetera, have this set up for them right now. so this is something thatwe're ruling out in phases.
we've actually gotten through very little publicrelations about 5000 users who have signed up for digital signatures throughthis, so we're pretty excited in how many people have signed up for these. all official workflow messagesare now digitally signed, thank you to mr. aaron nealfor helping us get that done. some-- as i mentioned, the seniorexecutives already signing theirs. and really, what we need to help work on inthis point is focusing on user education to look for those digital signatures, right? the digital signature is only good ifsomebody knows to looks for this ribbon,
if i knew to look for that ribbon. if not, you know, i might think thatthat email on the left was legitimate. so, we need to make sure that all ofour users not just the executives know about digital signatures andwhat they're good for. another really easy thing to look for in cas-- another easy security measureto look for is the cas redesign. when we redesigned cas, it wasn't just togive it a facelift and make it look cooler and better and more inline with iu brand. there actually is a littlebit of security baked in.
and that's because having this kind ofdynamic html here is more difficult to spoof, it's more difficult to fakethan just a static page. and so if you see that the username field, it'schanged in font size, it's changed font color as you enter it and the same with passphrasefield, that's another security feature that, you know, it's a little bit moredifficult for the bad actors to get to and hopefully this is somethingthat they would say, you know, "i don't feel like bothering spoofing the iu page, i'm just going to go spoof ohiostate," or something like that. >> the ohio state?
>> the ohio state. we're doing a lot with phishing education. i know i'm running short on time hereand i'm going to cut into cookie time in just a little bit, so bear with me. we have ruled out the servicefrom wombat security. they were just recently rated gartnerand sort of their magic quadrant and they were the furthest productto the right in terms of maturity. and i went through a lot of the demos of thevarious phishing vendors and i can attest that they do have the most matureproduct out there in terms of--
they have a lot more education thanjust about any of their competition. and with wombat, you can get these simulationsand you can go through these interactive quizzes and you can see, oh, it looks like this was indeeda phish, oh, that wasn't, you know, and this, you know i correctly clicked that this is, youknow, that this is an indication of a phish, it will be the first person to respond. and so you go through these quizzes, you can workwith the various folks in your unit and make sure that they understand the risks of phishing. but in addition to those kind ofeducation, we also have simulations that go along with the wombat suite.
and so, you can send out customized phishes orstock phishes that they have to all your users and you can see-- this is one that wepretty much took out of the workflow email. we have reasonable expectation thatthe bad actors out there, you know, they had accessed iu credentials in the past. they could get into somebody's emailaccount and so probably know what, you know, what one of our standard workflows looks like. and so if they were to just take this email andthen take all the links in it and redirect it to bad cas page, they might be ableto harvest a lot of iu credentials. and so we tested that to see, you know, isthis something that our folks are looking at?
and a lot of folks within uitsactually did fall victim to this phish. and so we prompted them with additionaleducation, hey make sure you look for this. and so we do try and keep it non-punitive and wedo try to encourage the education side of things to make sure that, you know, folks know, hey youmight have fallen for a phish, that's all right. this was just a test but these are things youcan do to make sure you stay safe in the future. but i think one of the best features ofthe wombat suite is the phish alarm button. this is a button that installs an outlook ifyou have outlook for windows, and it was able-- it allows you to report phishes inone click or it's actually two clicks, to the university information policy office.
you get a message that looks like asuspected phish, you click phish alarm on it. and then if it is a real phish, it actuallydoes forward the message and the full headers if it was a fake phish from wombat, you actuallyget a message saying, congratulations, you know, you detected a mock phish, you know,just be sure to keep on the lookout for additional phishes going forward. i think that's just aboutall the measures we have. one other thing that we are looking to work on with iu communications is somesort of trusted footer for messages. you know, when you get the messagesfrom iu, they don't really contain a lot
of information about you in the footer. you know, this email was sent tojsmith@iupui.edu by iu in the news. it's not very specific. anybody who is sending that emailwould know what your e-mail address was and so it doesn't encrypt-- it doesn't reallycreate any confidence in you, the user, but if you look at the companies like linkedinare doing, they take an additional piece of information about you and they put it in thefooter so that you can you have a little bit more of a reasonable indicationthat this is a trusted message. i know it's tough to read this but this onesays, "this email was intended for john smith,
principal explorer and governor ofhis majesty's colony of virginia." and so, you know, it's another-- you know, it'sthat bit of information about what your job is, you know, that is not available maybe to thespammers that are sending these mass messages, so another piece of informationthat the users can use. and we're hoping rule that out and alongwith icommunications and the salesforce. so that's all i've got forthe general infoshare about-- these of the various matters that the safe it taskforce is kind of deliberated has help rule out. after the break, we'll take about ten minutesnow, reconvene at 2:10 so eight minutes from now. help yourself to some cookies and drinksand we'll be joined by jacob, dennis, andy,
and daphne to discuss some of thechallenges and tasks behind safe it. thanks so much. well, welcome back, everyone. welcome back to everyone who's on the stream. i do have a little bit of a correction. if you are on the stream and you do want tochat questions, chat them to 231665@dc.iu.edu, so once again 231665@dc.iu.edu, if you dohave questions and you want to chat them in. we do have some wonderful gifts for folks whoin-person or via the stream have questions for us, we have some wombat tote bags and some duolaptop covers, so laptop, webcam covers so, yeah.
think of some good questionsnow before we get to the panel. and yeah, questions like, you know, can you getbetter cookies for the next one of these, don't, that's not going to the get you a tote bag, so. all right, well, i did mention that this is oneof the vpit cabinet series events and so in these, there's the sort of a requisite slidehere that talks about how this relates to the bicentennial plan, how what were doingrelates to the bigger goal of the university and so, there actually is a section of thebicentennials strategic plan that talks about cybersecurity underresponsible stewardship section 10. it says, "building on thegroundbreaking work in cybersecurity,
iu has taken strong anticipatory steps tostrengthen the policing and environmental health and safety functions on all campuses. in addition, we have created new androbust emergency management data security and enterprise risk management capabilities. well, unfortunately there can be no guaranteesthat careful preparations will avert all risks. our goal is to reduce their likelihoodand consequences for the health and safety of the entire iu community." i mean, i really think that'sa wonderful statement there. i think that, you know, if anyone, you know,is ever sort of challenged by why this sort
of work is necessary or that we're nevergoing to be able to avert all risks, i will-- i'd even just refer them straight backto that section of the bicentennial plan about how we're never goingto be able to avert all risks but just sort of mitigate and help lessen them. and so, at this point normally, well, i might,you know, turn to the work of the task force, i do kind of want to explore whatthe-- some of these risks are. and andy, can you help us tell-- you know, asthe university information security officer, tell us about what threats you do seeand what we face, tell us a little bit about the shifting threat landscape, that isreally tough to say, and why we need something
like duo or two factor authentication? >> sure. you know, it wasn't that long ago thata computer on the internet was just vulnerable to attack, either the software runningon vulnerabilities in that software. and due to the work of it pros and the softwarevendors that, you know, work that still needs to keep on going but due to those efforts,that's largely become pretty hard for an attacker to directly attack a computer on the network. and so the shift has been to the person using thatcomputer to try to use social engineering attacks like phishing to trick the user to giving upinformation, passphrases, personal information so that there's that bad kind of attack.
and then also, we're still seeingmalware, so malware being sent by email and i'm still today receiving emailattachments that contain malicious software, malware that you can get from-- clickedfrom just viewing a banner ad from one of your favorite websites like cnn.com. occasionally, a banner ad will come up that'smalicious and install malicious software on your computer that can then install a keystrokelogger and start stealing your passphrase or any other data that you might enter. >> so, keystroke logger sounded like, youknow, something particularly nefarious. how does that relate to two factor--can that help guard against that or--
>> well, yeah because the key thing isthat once the attacker has your passphrase, we don't want that to be the only waythey can gain access to your account. and so a with two-step log-in, two factorauthentication, the attacker would need that extra thing that you have, yourphone or your token, or what have you, to then log-in to your account, evenif they already have your passphrase. so, it's no longer game overonce they have your passphrase. >> interesting, so, is theresomething that's unique to iu? are we seeing across higher ed, you know,broadly, what are sort of the trends there? >> no, really, we're seeing it all over higher ed.
there's-- phishing attacks are-- have becomevery common and there's just a very wide range of sophistication as your remarks covered. all higher ed institutions all over have seenattackers, mimic log-in pages like the cas page, or even the lower ed of sophistication. we still see the very rudimentary attempts thatunfortunately people still sometimes fall for. >> yeah, i guess, if you fire enough rounds,you're going to hit something eventually. so, are these attacks, youknow, kind of at a nadir now? have we reached the, you know, atroff, you know, it seems like here, we haven't seen a lot of these lately.
>> well, i think that two factorhas helped in some regard there. it's always going to be an arms race where the attacker is alwaysgoing to shift and try new things. in fact, one of the things we've seen isthat since we implemented two factors, which does seem to have reduced thenumber of ways attackers have managed to breach personal information at iu, we've seenthe attackers shift our third party providers that may not have implemented two-step log-in. so, they have shifted to a couple of partnersthat we have, or tiaa cref and nyhart. and those are sites that you have a credentialon and so we've seen email purporting to come
from those two organizations and it's aphish and it takes you to a page that looks like the page you go to whenyou visit those sites. and so that's just another way they'vetried to get one step ahead of us. >> yeah, clearly, they know a littlebit about us if they know enough that we have these vendor providers, you know. are there things that they're tryingto learn about folks or including those in messages to be more convincing? >> yes, certainly, we-- youmentioned in your remarks about mimicking high rankingofficials at the university.
that's a common practice notjust here but all over. they'll send a message looking like it camefrom a vp or somebody with some authority. they'll even include their signature block. we've seen them use, somehow get a hold ofsignature blocks, email signature blocks from individuals and they'll mimic those intheir messages to make them more convincing. >> and is this, you know,prevalent throughout higher ed? is this just that iu that we'resaying these, once again, you know, for these particular types of things? >> really no, i mean, we'reseeing it all over higher ed.
i mean, one thing that we haven't reallyseen as much is passphrase guessing. and that is because we have the passphrase. passphrases are very strong, kind of thehigh bar for the attacker, that length, you don't see an attacker ableto guess passphrases as easily. and at other institutions where theydon't have that kind of requirement, they have had to deal a littlebit more with passphrase guessing. but the phishing and the malware,really everybody is dealing with. >> thanks. well, i appreciate the, youknow, the remarks here, andy.
now that you've scared us all a littlebit here, maybe jacob and your team, you're doing some steps to help mitigate this. you know, tell me, you know, whatyour folks in identity management-- essentially being able approve thatthe person matches their credentials. what are you guys doing with duo? how does it compare to others in the market andwhy do we choose duo as two factor provider? >> well, so for those of youwho are not familiar with it, duo is the service providerbehind two-step log-in at iu. if you've been around long enough, you know thatwe've have had some form of two-step log-in,
a two factor authentication in iu for a long time. it started out wit a product of calledsafeworld, we have the little cards that looked like small calculators and thenwe moved to vasco five years ago. about two years ago, it became fairly clear thatthe market for strong authentication was shifting. vasco and safeword before that representedtraditional on premise software that runs on servers, hardware tokens andthat market is in rapid decline. it is being replaced by services like duo thatprovide strong authentication as a service. and these are going to be typically focusedon mobility and focused on telephony and really deprecating thehardware tokens that we're used to.
so duo is by almost unanimously, thepreferred vendor in the higher education space and there are a variety of reasons for that. but it's deployed very broadly. there was a survey of direct institutionswhich is cios from large research institutions and the adoption is nearly 90% among that group. the satisfaction with the product isvery high and the pricing is compelling, which makes duo a good choice at least for iu. and it has-- provides a variety of options forusers who want to authenticate from the kind of premier smartphone-based method downto the legacy kind of authentication
of last resort which is the hardware token. >> yeah. and it seems like there really are alot of options for different kinds of users. and i think dennis is going to talk about what those different kindsof users are in just a second. but, how does duo work withour existing ecosystem? did that kind of play a role? >> so, the-- as you can imagine,authentication is-- they really care about two things that we cando authentication well and that we integrate with lot of different applications.
these are basically what authenticationvendors make their living on. and so, duo is very compellingfrom that perspective. it has out of the box integrations with thingslike windows log-on and linux log-in and the vpn. and relatively low cost integrationwith things like cas, which make it a very appealing in our space. >> and, you know, as you saw from thepresentation, we were able to turn around pretty quickly when we did put thetwo factor in front of the employee center and in the [inaudible] of five days. i know your filter working around the clock forthose five days and, probably did, you know,
two weeks of work over those five days. but that was pretty impressive, youknow, without an easy integration there. >> relatively easy from a technical perspective. and i think the thing that duo-- one ofthe values that duo brings to us in the way that iu has deployed it is before, twofactor was expensive from a user perspective and from an application perspective,so it was complicated to integrate it. and then you had to say, "all right, ami prepared to force every one of my users to buy a hardware token thatcosts n number of dollars?" because duo software is a service, you don't havescale concerns and it can be turned on because
of emerg-- exigent business need like this. because it's-- for most users,we download an app or we register with the service and it's low-cost to them. >> excellent. well, i mean, you mentioned that it was partof an ecosystem or maybe you might think of it as like our technology environmentas parts of a car. i think of the support organization asthe mechanic that kind of keeps, you know, our car running proactively on time doingthose tune ups, but then also when, you know, when something breaks down helps, youknow, helps get it back on the road.
dennis, what are some of thesupport considerations that we have considered with safe it? >> yeah. you know, i'll go back to somethingjacob said a little while ago, which was they-- one of the nice things about duo is that itsupports a wide variety of authentication sources because we have to support awide variety of users here. most of this room are probably usingtheir smartphones as the primary mechanism for authentication that runs the gambit topeople that work in the services organizations, maybe in the facilities groupor in food services for rps or, you know, as one of the custodial staff.
some of those folks don't even have a phone. and i know you pointed out that maybe afaculty or staff mem-- professional staff-- >> there are some faculty members who have beencomplaining to me that they don't have a phone. >> yeah. >> you said so, you know-- >> who had reported do not have the phone. >> but those tend to probably be moreoutliers as compared to staff and-- in some of the other areaswhere it really is a problem. so we get an opportunity with a variety ofmethods including the token and some other areas.
i think that's really important. i think that's also the issue with the supportside is that we have to deal with a variety. we've paid a lot of attention this summer inworking with primarily a physical plan here, cfs in indianapolis and rps toget out with them and talk to them in how do they get their users registered andwe're, you know, we're running special events just for those particular units to encouragethem to come onboard and get registered for duo and deal with the issues at hand. so i think-- i mean, that's certainly a big issue. you know, we have the other kind of edgecases that we worry about a lot to traveling
and particularly traveling internationallythat we discussed can become a real challenge. and so if i happen to be in europe and my onlydevice is my phone, it breaks, i get, you know, i drop it in, you know, one ofthe fountains that's in pairs and all of a sudden it doesn't work. how do i get access? how do i get access to may email so i can downloadmy, you know, boarding pass for the plane, which by the way is a truestory that we dealt with. >> not for dennis, but somebody who contacteddennis' organization, i think it was the weekend after we implemented duo for all uits employeesdecided to go to paris for the weekend and--
>> yes. so, it's an interesting,interesting anecdote. so we've been working a lot on how dowe deal with those folks and what-- and trying to balance thesecurity requirements with the-- with the customer services sideof the house, which is, you know, we want to try to and get them to access. from a security perspective, we don'twant just anybody calling up saying, "i'm dennis cromwell, i lost my phone. can you take away two factor today?" and so, you've got to balance those two out.
we empower the front end support center to be ableto have some information to ask enough questions to where we truly can validate if that personis appropriate and the person they say they are. and then at some point, have the processesthat will allow them to get through. you know, we're still discussing someof those processes associated with it. so that's a big part of that. the other big concern we haveour faculty, and in some cases, students because we have student employwho are in a classroom situation. and they can't-- that for some reason, thephone was left at home, it did, you know, run out of power, et cetera, and they need to getinto canvas or box or something for a classroom
and need that extra device to authenticate. and these are all the reasons why wereally, really push multiple devices, multiple devices to authenticate if you, you know,you don't have them, that's where the tokens come in to play in some of those areas. >> and, you know, going back tothe point you mentioned earlier, you mentioned that we have a variety ofdifferent audiences here from, you know, our professors to our service employees, you know. with that, we also have a varyinglevel of skills in using computers. you know, some folks are using computersevery single day and every part of their work.
some folks may not touch acomputer very often, right? and so, as a support, you know,organization thought about, you know, how you're going to support somebody that, youknow, maybe is just touching this once a year or-- >> well, you know, i think the supportorganization excels at doing just that, which is being able to support a widevariety of folks, you know, involved. and i will add, and daphne will talka little bit about what they've done from our communications perspective in terms ofmaking it easy for people to understand how to go about registered devices for that. >> well, i think that provides a nicesegue than actually to daphne's group.
so, daphne, it sounds like yours and dennis'groups here, your fates are somewhat intertwined in this that, you know, the betterjob you do with communicating, the easier it is for them to support the users. you know, what are some of the challengesthat you've faced in communicating about our-- the work of safe it, including the duo rule out? >> well, first, i'll say that duo was-- rulingthis out was very different than communicating about a lot of other servicesthat we've ruled out. just from the standpoint of the time periodthat we had was so much shorter and the audience that we had to reach was so much broader.
we were really making decisions about the communication plan while theservice was being ruled out, while the-- a lot of decisions about the service and howthings would be-- how tokens would be distributed, things like that were still being made. and so, although it was a bitdifficult for that reason, we also found that it wasa really great opportunity. and we worked in a very differentway to do communications this time. we actually developed a subcommitteededicated just to communications and it involved not only members of jacob'sdevelopment team, but also members from the kb,
from the support center, fromit community partnerships. it was really-- >> and training too. >> -- and it training, yes. it was a group of all of us that cametogether and we really kind of discussed all at once how the decisions we weremaking were affecting one another. and we all agreed actually at the end of this thatwe decided that this is a great way for us to work for ruling out new services kindof no matter how much time we have. it was a really great experience for all of us.
some of the biggest challengesthat we faced was really the-- just the size of the audience and in somecases, the diversity of the audience. we started the communicationsby doing a quick message-- email message to the it pros just to sort of like give them an advancedwarning that this was coming. and then last week-- was it last week now-- >> it was last tuesday i thinkit was-- or last monday. i think it was weekday, monday. >> we had the main email message come outfrom brad to all of faculty and staff,
including student employees,letting them know that duo was going to become a requirement by the end of the year. we followed that pretty quickly by a-- with a special edition of the monitorthat addressed a lot of the myths and the faqs that dan was talking about. and you guys will actually all be receivingvery soon now, if you haven't already, copies of a print piece, a postcardthat is going to also hit mailboxes. so we're trying to hit people in different ways. one of the bigger challenges that wehave that we are still working on is
that this change affects retirees. there are many retirees who arestill using our services and log-on, and we don't have as easy of ways to reach them. so, right now, we're actually preparinga physical mailing that is something that we wouldn't normally do wherethat's more like a letter in an envelope. so-- >> which you have to open. >> that we have to open. >> it's not a postcard.
it's not anything that lookslike marketing material. it's a letter that explains to themwhy we're doing two-step log-in and what that means for them. >> interesting. and i was-- i think a bunch of us were just overat educause this week and they talked about-- i think there was a session onduo by-- was it virginia tech. and they talked about their rule out which wasgoing to be, i believe it was over the course of the year or nine months can tell like a littlebit about our timeline and how that might have-- or didn't throw-- pose a challenge for us.
>> we had a few weeks. so, we had to come up with a plan pretty quickly. that forced us to sort offocus on being very targeted and that's why we are doing a lot of direct email. and we're happy to report thatinitial adoption after brad's email and the monitor went out,actually went out quite a bit. so, people are paying attention. the open rate on that message was quite high. but it's not everyone and westill have a lot of work to do.
so, the communications sort of blitz ishappening over the next couple of weeks. and then we will continue that, repeatingthe message over and over and over again through the end of the semesterjust to get people prepared. we have in the bloomington market,we are readying some underwriting on wfiu that you guys will be hearing. we found that that's really aneffective way to reach faculty and staff. they have the high listenership there. we are-- they're-- we're also helpingto promote some events that dennis'-- the support folks are doing, someface-to-face events and getting out there.
we're exploring some other less conventionalevents that may be coming up including things like flashmob and things like that. we have a professor who's interested inteaching people to do the actual two-step which she contacted us and volunteered. so, we may take her up on that. it sounds like an interesting opportunity. so, we've been working closelyalso with the regional campuses and to the communications folks there. they actually are doing great, gettingthe word out and using digital signage
and some prep materials that we're sending them. and they-- i think their adoptionrates are actually higher than the core campuses at this point. >> yeah. i think it was--southeast actually passed 50% for their total users registered for duo. so that was-- yeah, they were the firstcampus i believe to that and it's exciting, especially because they might notbe getting things like, you know, the wfiu messages that might betargeted here in bloomington. so, i think i also want to draw a littlebit of attention to some of the, you know,
some of the design work that your teamhas done because i think the interface that you guys have built withduo is really outstanding. can you talk a little bit aboutthat and what goes into that? >> so, yeah. actually, i should back up and saythat before we ever even got started with the communication plan itself, one of the things that the communication committeedid first was discuss some of the limitations that the out of the box version of duo had. and one of those challenges that we were findingit was creating for us communications-wise was
that people had to first enroll in duo andthen enable duo for cas as a separate step. and that was a bit confusing andexplaining those things was a bit confusing. so, my peer, brian hawkins who is my peer onthe website of communications, he worked very-- he and his team worked very closely withjacob's team to develop a new landing page that really helps walk users throughthe duo enrollment process in a way that makes more sense and iseasier for them to follow. so, that was really the first thing that weall agreed on from a communications standpoint. and one of the reasons why coming togetheras a team early on was really great, because we all sort of-- we were able to chimein and say, you know, this is really something
that would help us do a betterjob of communicating later. so, if you guys haven't checked thatout, i think-- and if you enrolled early, it might be interesting for youto go back and check that out because i think it really is a real improvement. >> what's the url for that? or you just-- you can searchone.iu for two-step, right? >> right, yeah. >> jacob, were you going to chime in with the? >> i was going to say one, so.
>> ok. >> one is two. [ laughter ] >> i like it one, two-step, yeah. and finally, this wasn't just sort ofa, you know, a one-day blitz, right? this is-- >> oh no, this will be an ongoing efforteven after it becomes a requirement for all the faculty staff and we are working withhuman resources offices across the university and in all the campuses to make sure thatwhen they onboard new faculty that this--
new faculty and staff that this becomes sortof part of our protocol to get them signed up for this and to explain why we doit and to offer these other types of-- this other type of informationon how to avoid phishing scams, encouraging things like digital signatures,and so, related kinds of information. >> well, i think that's anice segue back to mr. dennis. i know we kind of pivoted away from youto talk about the duo communications. but tell me about some of the other things thatyour group is doing that build off a safe it? >> first of all, tim, nicering tone, by the way, thanks. let me point that out.
you know, i think-- it was you who presentedthis, you had the three areas which was duo for two factor and then digitalsignatures coming up. and clearly, we've had to do a lot of supportand especially out of exec it now that all 50 of the identified executives of the institutionhave are digitally signing their emails as an important piece for that kind ofcoming on right after the big push for duo. we need to get, as really, you've identifiedthe university community understanding how to read digitally signed emails to understand whatthey look like and to validate that and to know that if something is being sent to them that isn'tdigitally signed and it's not coming from somebody that they know and it's asking them to clickon something, maybe they ought to think more
than twice about clicking on and hit thatparticular site from a different location. and along with that is making sure that everybodyin the institution that is then asking somebody out there to here's a link, go click onit, do they really need to embed that link? number 1, if they do, then make surethat that's a digitally signed message so that the customers will-- or peoplewill understand that that's the case. but right now, we are supportingthat through all the mass mailings and do salesforce that it is a supported piece. there are a couple of places likefootprints where that's not an option. so, that will be a reallyinteresting item to go through.
and then of course also justthe whole support of phishing, we had mentioned that we licensed wombat services. and all of you in the room are well familiarwith that because [inaudible] is out in front of sending those phishing messages that areour tests as well as adding education to that. we have several other units that have decidedto also license wombat and there's a license fee for them, and when they do that-- andthey take sometimes a different approach. some of them are all focused on education. some of them are focused on education andthen tell everybody, we're going to test you, we're test you, we're going to testyou today and then send a test out just
so that they can reinforce theeducation that had come out. and some of them are doing like us, kind ofjust sending a message out that that is a test and we don't know that it's coming. >> i think there was one unit that evenshocked their stares with the wombat to kind of help remember, you know, build awareness andbuild, you know, build some suspicion, i guess, a healthy level of suspicion about,you know, the messages they received. >> yeah. i will say it coming back from educauseand attending a couple of sessions out here. the whole awareness on phishingis clearly on everyone's minds. and it's not just higher ed, i mean,it's across the spectrum of industries.
>> and i think, you know, an interesting thingthat your team also does on the services side is, you know, you're able to push phishalarm to certain users, right? >> well, it pops up in theoutlook, the outlook item. i think that's a very, very cool thing andso and in working with iu and the work team, we've been able to do that withoutlook in those launches also. so, if any of us our licensed forthe wombat service to report a phish, you just click on that little buttonand it automatically sends off a phish. i know i was really bad at-- when i had i wasgiving phishing messages to say, you know, "i don't have time to send an emailto the policy office on this one.
i'm sure, i'm sure somebody else is doing that." but now i'm-- it's-- even i can clickon that button and send a phish. >> yeah, i can't wait till the-- that wouldbe great if they had something for android too because i don't know if there's away to view email headers on android to even be able to report it that way. so, if duo-- or sorry, if wombat could come upwith a solution for that, that would be fantastic. but at this point, i think we would like to turnthings over to questions from the audience here. we do appreciate, you know, you all coming out,we want to make sure that nobody leaves here with unanswered questions in their minds.
>> can i start? >> yeah. i guess we can go straight to--let's go straight to the inner webs here. >> ok. so, we have a question from renee jackson. it says with digital signatures, some of ourstaff who correspond with constituents outside of the university have encountered an issue inwhich their message is hidden within an attachment and sometimes missed by therecipient or the recipient refuses to open the attachment dueto the suspicious appearance. is there a known solution for that? >> i think that's, you know, that's reallygoing to come down to a client side thing
that you might just need to try andaccess your email in another way, whether it's maybe through a browser, if you'reusing a client or through a different client if that one is proposing solutions. andy, do you have a-- >> very clearly know issueswith digital signatures. there's problems in dealing with it andwell, you're just going to have to deal with the constituencies that you send messages to. i -- it's my understanding that some androidphones just won't even read a signed message from the phone perspective.
so, i know there's a kb article outthere on known problems and i think that would just reference folks to that bit. >> so, sometimes, attachments cause problems too. if you're sending a message with an attachmentand signing it, sometimes either one won't work, either the signature won't work or theattachment won't come through or the body of the message won't come through. so you can-- if you can remember justnot to sign messages with attachments or don't send it-- use boxinstead of an attachment. >> that sounds like a bettermethod than not sending.
>> well, sometimes, you know,you need a workaround. >> elizabeth might want to add something to add. >> yeah. the kb document with known issuesfor digital signatures, i would just suspect that users who are encountering problems thataren't listed there should maybe report those because that can only be as accurateas the reports that people are getting. >> that's a great point, yeah. >> there's a-- and again, i'll emphasize it. no doubt that the support issues around digitalsigning email are much greater than the other ones that we are talking about andclearly duo and there's a lot
of things that come into play with that. >> and you do need to renew your certificate. it's not just a one-and-done sort of thing, it's--with the current or with the previous iteration of certificates, it was onceevery year, right, andy? and now, it's going to be once every three yearsif you get an sha-2, that's my certificate, which will be the one that's offered. yeah. >> all right. i've got a question aboutthe iu systems and security.
i've noticed when making purchases, i wassurprised to see that i had to downgrade my-- some security and privacy settings in myweb browser in order to make a purchase through the shops catalog in purchasing. and i'm wondering is that a concern, you know,for security because i know if i set to unblock, you know, pop-up windows and, youknow, accept cookies from everybody that that could be a source of malware? and is that something you're concern about? >> it would be. i'm not familiar with that.
but i'd like to hear more about it andtalk with the service owner on that. >> it's not that bad, you know. >> good afternoon. thanks for the information. i've been going to a few of thesemeetings in the past and i kind of had the same question over and over again. where else are you guys having these conversationsin this particular task force reporting? are we in the research areas? are we in the schools, the executives?
and so, that's just one question i have. >> yeah, that was a great one as well. >> it's a great point. i think you did hit it right on the headwith the end is that, you know, executives, this first started with the president'scabinet and the board of trustees. they were the first ones to hear this to weigh inon it and thoroughly endorsed it across the board. so, they are 100% onboard andare very much in favor of this. and so if you, you know, need tocontact your dean's department chairs, they should have heard this already frombrad wheeler at the presidents retreat
and opposition was not raised there and quite theopposite, the president has endorsed these means. so, it is something that you can, you know, reportback to users if they do ask questions about that. we have also been taking this to faculty council,so we've gone to the bloomington faculty council, we're at large, the bloomington facultycouncil technology priorities committee as well, the indianapolis faculty council. and we will be going to the indianapolisfaculty council tech committee i think in-- later this month. we've been to the america[inaudible] house for retired faculty. we're going to be doing an event, dennis, with--
>> it's the retirees association-- >> retiree association. so, we're pretty much takingthis to anyone who will listen. brad did send the note to every deansaying if you're having a meeting and you wouldn't mind us getting on youragenda for five or ten minutes, you know, we're happy to present about these new securitymeans and why we need to be doing them. so, we will take this to anyone whois willing to have us at this point. so, yeah. >> and this goes more to the how versus the why,
which is where i think your question wasprobably led, but we are supporting, you know, the jacobs school of music said, "wewant to have our own tabling event." and so, we have provided support and documentationall for them to go so that we could assist them and their faculty and staff to register for duo. so, certainly we'll be doing that too. jacobs has been a big supporter of this. >> so, i was glad to hear you mention the renewalbecause that was one of the issues that my team, you know, the biggest question thatcame up is what happens in a year? does this silently-- do, you know, doesmy client silently discard this and,
you know, i need to remember to do it. will there be a notification from somebody? and i know you're doing a big communicationspush now but what happens in a year when all of those certificates start expiring? are we just going to do this all over again? >> yeah, you have to get a newcertificate once that expiry period ends. you should -- the user should a geta notification before that happens. >> from iu or from-- >> from iu, yeah.
>> hi. so, basically the casintegration with duo is fabulous. for those who want to do duo integration kindof the unix-linux side of things with duo unix and the duo pam, what's the approachfor getting support for that? or a bit, you know, where does one start? >> sure, that's a great question. there's a kb article aboutcreating duo integrations and those are handled by thesupports under tier 2. there's a list of integrations that getapproved automatically and there's-- which covers i think everythingwe've been asked for.
there's a longer list of stuffduo can do that where-- that we'll review first becausewe don't know much about them. but that's the right way to do that. and i would encourage you if you have systems, it's licensed at university scaleso we've already paid for it. so, if you're listening and one yougot it, i would encourage you to do it. >> thank you. >> jacob, i think i have-- might have a troubleto take it open with you on this one too. what about service accounts,group accounts and duo?
>> so, group accounts areable to register for duo. they will not be, at this point,included in the forced duo-- in the first round of compellingusers to do duo through cas. there's kind of an open questionabout what the story is beyond that but we're really focused at this. so-- and you can't and youweren't able to restore it. there's a reasonable business reason why so that's probably technology problemand i'd be happy to talk about. >> and you have a supportto take it open already--
>> yeah. ok. >> we have [inaudible] morequestions from the web. i know you're pulling double duty here. ok. >> so, i know duo is the hot topic now. in the past, we've had passphrases. we've talked about phishingeducation and all that. what's the next thing that we're looking at? i mean, i know it's hard since we're inthe middle of duo right now but, you know,
what are those next things that we areproactively going after, whether it be technology, continuing education, things like that? >> well, there's a lot of different fronts here. i think, you know, one of the things ismaking sure that all of our services use cas, because those that don't currently don'tuse duo either because it's all through cas. so that's one thing. >> i would also say, duo, i mean, the way that we're doing two factor todayis a transitional technology. and we were seeing the end ofdedicated hardware tokens, i mean,
that's very low at the end of its life cycle. this mobile application stuffis probably in the norm step. i mean, there-- there is a--we are able to do this at relatively large web scale using text messages,voice calls, and nobody was happy with that and so we know that there are active initiativesby a lot of this web scale companies, i mean, they're all the folks you think of, to figureout what that next solution to that is. and i-- this mark is moving a lot sothere's going to be something there too. >> i think you know, ransomware in termsof threats is something that we're looking at to the future to right now, eaffecting hospital systems in particular.
but there is a lot of value to the informationthat our faculty create and if there's value to them, then they might be willing to pay forit, and if they might be willing to pay for it, then there's an incentive for thebad actors to try and exploit that. we haven't seen that very often, you know, fromcyber criminals but i think it's only a matter of time until somebody, you know, findssomebody's data set that they've been working on and aggregating for 10 years and triesto [inaudible] and extort them, you know, to pay money for it so, i think that's anotherthing we need to be raising awareness about. >> i think awareness too, one of the nextpushes is awareness amongst students. i mean, we've talked a lot aboutemployees and employees here.
we're not forcing students today except if youare a student employee to register for duo except for a set of financial applicationsthat they have to have. but i think communications there and i thinkleveraging this to communicate on the value of putting, you know, two-step log-inprocess on all of their facilities, including their personal emails, ithink a very important educational step. >> all right, you alluded early in thepresentation to more information sharing with other institutes of higher ed. i'm wondering to what degree is that through theren-isac and what isn't and to what degree will that sharing be further sharedwith schools and departments?
>> so i think the ren-isac certainly a greatavenue, and when you want to distribute something to 500 members, that's the place to go. i think there's some threat intelligencethat we might not feel as comfortable sharing with such a large audience and we might feelbetter with a more closely guarded, trusted group and so that's where i think we'relooking with the big 10 academic alliance to maybe doing a little bit morework with them in particular. i know brad and mark are in discussions with theother csos and the cios of the other universities about what we might be able todo more proactively with them. also, what we can do to take some degree of humanmediation out of it, so if we can trust, you know,
somebody from wisconsin to do somethingat the cic level, at the omnipop level, should we be letting them do that? maybe we should, and be able to block things thatwould eventually have downstream effects to us. does that answer the question? >> the schools and department question. >> oh, the schools and department question. yeah, go ahead. >> and i know that-- i hope i'm not letting thecat out of the bag here, but i know that tim goth and nathan bayer and some othersare setting up their community
of practice for-- and you are involved too, ok. so, at that-- although that won't be an officialavenue for intelligence out of the us or uipo, i think that would be a good place tohave some information sharing happen. >> yes. >> my questions in regards to-- it's a moregeneralized question, because the cyber security and attack landscape is constantly changing. what resources or methods are out therein order for us to at least stay even, i don't know if we'll ever be ahead justbecause they're always of new things, for us to try to get ahead of what happenedearlier this year in regards to those kinds
of phishing experiences or other things thatmay be in our future from that standpoint? >> yeah, i think there's a lot of avenues here. one is doing something that we might beable to do at the big 10 omnipop level. if our-- if other schools experience an attacksimilar to what we saw and they can block that and head that off before it even gets tosomebody like iu, i think that's one way where we can put this technical defenses in place. but i think more what we're lookingare those user education experiences, you know, things like the wombat trainings. we're going to continually evaluate that contractand see if there's anyone with better education
out there, a more recent up-to-date educationas every time this comes up for renewal to see if there's better content that we could be doing. dennis, did you want to chime in here? i thought you were-- >> no, i'm just-- >> i was going to though. interestingly enough, howmany of you out here know that last month was nationalcybersecurity awareness month? not too many hands came up, somethingwe have to think about going forward.
>> oh boy, yes. >> i think we might be put of swag at the moment. i'm sorry. >> i've answered a lot of questions. >> and answered a lot of questions, i see. >> so i have one other thing that i think i can-- >> of course, yeah. >> -- go for and wrap up. but if any of you are working indepartments or in areas where you feel
that having educational materials or printedmaterials or things to give to users, if you need that and you haven't received thosethrough any of our channels, please send an email to itco@iu.edu, i-t-c-o@iu.edu and let us knowand our project manager, john robertson will work on getting new quantities ofwhatever is helpful to you. we want to be liberal in distributingthose materials. we want you to have what you need. >> and i do want to say, you know, one final thankyou to you all for coming here, for learning. we are, in so many ways, we're reliant oneveryone here to be in a sort of an ambassador for our services when people say, "ihate doing, you know, this duo thing."
you know, you now the rationale for whywe're doing it and why it makes sense. if you can help share that with anyonethat you see, i mean, there's what, about 30,000 users who havenot yet signed up for duo. we need to reach all 30,000 ofthem so we are heavily reliant on every means of communication we have. so we thank you and appreciate your service. and also please help me in thanking ourpanel here for their job and for joining us. [ applause ]