When institutional data is shared with a third party (for example, an information technology cloud provider), the university Committee of Data Stewards (CDS) requires the following information to be submitted for review and, in the case of Critical data, assessment by the University Information Security Office (UISO). Please download the attached workbook and provide it to the vendor to fill out and return. When the vendor has returned the completed workbook your departmental conta
You get an email that appears to come from IU. They sound like they really need your passphrase, and right away. They’d sent the email so quickly that it’s riddled with spelling errors. You reply with your passphrase without delay.
It all looked so legitimate. Except it was not. What was wrong with it? There are several “tells” that should raise suspicions. First and foremost, they’re asking for your passphrase. IU will never ask for your passphrase or login credentials via email or phone. Second, they need it now, now, now! And third, the misspellings are a dead giveaway.
The Apple iPhone is, arguably, the most popular and recognizable icon of the smartphone industry. If you’ve never owned one, chances are you have seen one or dreamt of the care-free life depicted in every iPhone commercial. While smartphones have brought to our fingertips the vast knowledge contained in the Universe and video of your buddy’s newest kittens in costumes, these devices are also a repository for some of our most valuable information.
Updated: August 12, 2013
IU policy was approved (on May 17, 2013) and now has a new name: Cyber Risk Mitigation Responsibilities (IT-28).
The approved policy language represents significant evolution based on feedback from the university community. We invite you to review the final version.
Original post: March 13, 2013:
Policy Draft IT-28 Provisioning of IT Services
The University Information Policy Office recently posted and distributed a new policy draft for review, Policy IT-28 Provisioning of Information Technology Services.
Policy IT-28 was drafted and developed with input from key stakeholders, paying particular attention to the Board of Trustees' concerns related to information and information technology risk — which have been continually highlighted by internal audits and repeated security incidents.
IT-28 seeks to reduce the university’s exposure to threats and create economic efficiencies by leveraging common IT infrastructure and services to the greatest extent practicable (thereby freeing up resources for unit-specific needs).
VP for IT and Chief Information Officer Brad Wheeler spoke at a town hall meeting on March 8th on the subject of: “Mitigating Cyber Risks”, which covered the current risk environment, and the development of IT-28.
IT security and compliance professionals are often asked about products and compliance to industry standards such as HIPAA or PCI-DSS. The vendor of product which someone wants to purchase may state that the product is compliant with a specific industry security standard. As a result, a system administrator or end user may then assume that they no longer need to worry about compliance, presuming that the product has bestowed upon them automatic compliance by virtue of simply using the product. How oh so convenient that would be if only it were true, which it is not.
Welcome to Flight CVE-2013-2094
This week, a vulnerability in the Linux kernel appeared publicly on the radar with an active exploit close on its tail. A local, unprivileged user can leverage a Linux kernel flaw to gain escalated privileges, without authentication, on a system running a Linux kernel version 3.8.8. And just when you think your old frequent flyer miles are safe, the vulnerable code affects any kernel version between 2.6.37 and 3.8.8 (and even to centos 6 2.6.32 kernels).
Details about the vulnerability can be found here:
The University Information Security Office (UISO) is pleased to announce that Client Certificates (a.k.a S/MIME certificates) are now available to all IU personnel at no cost. These certificates can be used to encrypt and digitally sign email.
Information on obtaining and using the certificates is available in the Knowledge Base.
The Paradigm Shift
One might think that as an IT security professional I would wish to tactfully discourage the use of Cloud computing; however, that is not entirely the case. Cloud computing opens avenues for collaboration on a scale never before realized by those wishing to integrate in thought and data sharing. Cloud computing virtually dissolves limitations defined by enterprise level networks and even geographical spans. As technology connects individuals, potentially on a global scale, our abilities to develop peer relations and interactions are greatly enhanced.
Whole-disk encryption (WDE) provides an added layer of security for the data on your computer. Tools exist which can circumvent this technology under certain conditions. Lately, you may have heard about a tool from Elcomsoft which combines many popular WDE cracking methods in one.
Some attacks you are probably aware of. If an attacker can guess the encryption password through brute force, he can decrypt the disk without any tools. That's why a good passphrase is a critical part of the encryption process.