Information Security
Secure UD “Take a BITE out of phish!” campaign
In April, the University launched the Secure UD “Take a BITE out of phish!” campaign. This enhancement to Secure UD Training helps improve our community’s awareness of phishing attacks and the danger they pose to personal information, devices, and accounts.
Each month, as part of the “Take a BITE out of phish!” campaign, a randomly selected sample of employees will receive a harmless test phish that mimics real phishing attacks. The campaign is intended to raise awareness—not to deceive or trick. Employees will not be punished for falling for test phish. If an employee falls for a test phish, he or she will see a message about the “Take a BITE out of phish!” campaign and resources to help become more successful at recognizing future phishing attacks.
Employees are encouraged to be aware of the threat posed by phishing attacks and report suspicious messages immediately by forwarding them to reportaphish@udel.edu. Phishing emails sent to reportaphish@udel.edu, including test phish and real ones, are annotated and posted to the Secure UD Threat Alerts blog.
In April, the University ran the first “Take a BITE out of phish!” test. In this baseline assessment, test emails were sent to all 7,119 employees enrolled in the campaign. Only 273 employees (approximately 3.83%) clicked on the suspicious link, and 161 employees reported the phish by forwarding it to reportaphish@udel.edu.
These results are a tremendous improvement over the University’s two previous phishing tests. In June 2015, 25% of test phish recipients clicked on the suspicious link, and in February 2016, 18% of recipients did so.
April’s phishing test shows that our community has made great progress in security awareness. Most organizations expect to see single-digit click rates only after a year of testing. Continued testing, training, and awareness can help eliminate much of the risk to the University and its community. A well-informed and vigilant community is UD’s greatest defense against ever-evolving cyberattacks. Future test results will be published in Secure UD News.
Why “Take a BITE out of phish!” matters
The importance of increased and ongoing phishing awareness was recently highlighted by the massive and very real Google Drive phishing attack and the recent ransomware epidemic crippling the United Kingdom’s National Health Service.
During the first week of May, thousands of organizations and millions of accounts received phishing emails that imitated Google Docs invitations. Clicking the link and giving permission to the fake Google Drive app would compromise a victim’s account and files. Clicking would also allow the attacker to send the same phishing email to addresses in that account’s contact list.
On May 12, the news exploded as 40+ National Health Service trusts, the backbone of the UK’s healthcare system, were shut down by ransomware. Dubbed “WannaCry,” this strain of malware encrypts files on computers and network drives and demands payment for their return. WannaCry is also designed to spread across networks to attack as many vulnerable devices as possible. As the ransomware raced across the UK and into 150 other countries, patients were denied medical care and businesses crashed.
Incidents like these are highly visible and are good examples of what can happen when cyberattacks are successful; however, they are far from rare occurrences. Hackers are always searching for and trying new ways to exploit people, organizations, and networks.
Even as our community becomes more aware and phishing test scores continue to improve, regular training and continued watchfulness are important to protecting ourselves, each other, and our University from cyberattacks.
How you can help
You can help protect our community against phishing and other cyberattacks simply by being aware of them. If you identify a suspicious email, report it by forwarding it to reportaphish@udel.edu. You can also report other kinds of cyberattacks and security risks by emailing secadmin@udel.edu.
Employees can learn more about the dangers of phishing and how to keep themselves, the community, and the University safe by completing the “Social Engineering” and “Email, Phishing, and Messaging” modules of Secure UD Training.
Phase I of Secure UD Training, which includes these and other modules, will be available until September. Approximately 1,000 employees have started or completed Phase I so far. Join your colleagues in helping Secure UD: complete your training today!
Unit heads who would like to arrange a phishing test for their unit, or who would like a report of Secure UD Training completion across their unit, may request one by contacting secadmin@udel.edu.
Over 30,000 UD people protecting themselves with 2FA
In May 2015, the University began offering two-factor authentication (2FA) as an additional protection for University accounts. By May 2016, about 3,000 people were using UD’s 2FA service. As of this month, over 30,000 people are now taking advantage of UD’s 2FA protection.
Over the past 12 months, 2FA protection has become mandatory for students and employees.
- Graduate students and all new students (graduate and undergraduate) have been protecting their accounts with 2FA since November 2016.
- Beginning in January, all new full-time employees enroll in 2FA as part of their on-boarding process.
- Since February 13, all full-time employees, including faculty, have been required to use 2FA to protect their accounts.
- English Language Institute students have been using 2FA protection since February 14.
- Current members of the classes of 2017 – 2020 are now protecting their accounts with 2FA. The University phased in enforcement class by class:
  - Seniors – March 6
  - Juniors – April 5
  - Freshmen and Sophomores – May 11.
- Miscellaneous wage employees are currently being invited to use 2FA protection and will be required to do so beginning on June 26.
- UD IT, Payroll, HR, the Registrar’s Office, and other University departments are developing plans to offer 2FA protection to alumni, retirees, and other parts of the University community.
In addition, 2FA protection has been added to many University applications in which confidential information could be at risk.
- During 2016, virtual private network (VPN) connections from off campus or unsecured Wi-Fi networks began requiring 2FA.
- On February 6, certain student financial aid forms began using 2FA protection.
- Also on February 6, UDataGlance began requiring VPN (and, therefore, 2FA) for off-campus or unsecured Wi-Fi access.
- On February 20, payroll and HR forms that require an employee or faculty member to transmit confidential information received the added protection of 2FA.
UD IT thanks the University community for embracing the extra protection of UD 2FA, and urges everyone to enroll in 2FA (or other multi-factor authentication systems) offered at financial institutions, email services, shopping sites, government sites (e.g., Social Security), and social media sites.
A strong password is no longer sufficient protection for your accounts. For safety’s sake, use the combination of a strong password and 2FA protection wherever it is offered.
Cylance releases case study on use at UD
Cylance published a case study describing the University’s experience with the advanced anti-malware protection of CylancePROTECT. By participating in the case study, the University demonstrated its commitment to secure practices.
CylancePROTECT uses artificial intelligence and machine learning to prevent zero-day attacks and malware from compromising users’ computers. IT has reported that none of the UD systems running CylancePROTECT have been breached.
As a result of UD’s participation in the case study, Cylance offered the University a discount on software licenses. Therefore, UD IT has increased the number of CylancePROTECT licenses available for University-owned computers from 1,000 to 2,500. Contact your departmental or college IT professional to learn more about Cylance licenses.
macOS desktop security training
Beginning in December and continuing through the spring semester, CS&S offered six training sessions on securing macOS systems. The first overview session set the stage for the remaining events, which focused on topics including whole-disk encryption, security profiles, integration with Active Directory, and software distribution and updating. Each session was offered twice, allowing several dozen departmental IT staff to attend each session relevant to their needs.
Jamf trial
UD IT and more than a dozen IT professionals from across campus are now evaluating Jamf management software. The month-long trial will feature intensive testing of Jamf Pro, the industry-leading software suite for managing and securing iOS and macOS devices. If testing is favorable, we hope to make Jamf Pro available to interested University units by mid-summer.