To further protect university data and accounts against ongoing threats of phishing attacks and data breaches, NC State is requiring all employees (including retirees and no-pay accounts) to enroll by Oct. 31, 2017 in its two-factor authentication (2FA) solutions — Google 2-Step and Duo — to access most web-based university systems and accounts.
OIT has allowed G Suite (formerly Google Apps) account holders to use Google 2-Step Verification for more than three years and began requiring individuals with access to Purple (ultra-sensitive) data to enroll in the service in the last year. Duo Security was also introduced last summer for university web applications that use Shibboleth authentication, such as MyPack Portal, Moodle and PeopleAdmin. Individuals with access to Purple data were required to enroll in Duo in November.
Google 2-Step and Duo “double check” your identity when you sign in to an account by requiring you to log in with a password and an additional security measure, such as a security code that is delivered to a mobile device via text or mobile app, a USB security key or backup codes. This simple two-step login process makes it extremely difficult for a hacker to breach your account and thwarts up to 98 percent of all phishing attacks.
OIT began the 2FA concentrated rollout to campus in December, and to ensure employees meet the Oct. 31 deadline, it is:
- encouraging self-enrollment now. Enrollment instructions and support documentation are available on the Two-Factor Authentication at NC State website.
- working in a phased approach with IT staff in colleges, divisions and units to develop timelines to enroll their employees.
- offering custom 2FA classes to campus units as well as general training classes for campus via REPORTER.
OIT is also encouraging the university community to use 2FA for personally owned accounts, including personal email, banking and social media accounts. Those interested can find out more about other sites and services that offer two-factor authentication at Two Factor Auth (2FA).
Countdown to 2FA Timeline
- October 2015
  - Required OIT staff to use Google 2-Step Verification (G2SV).
- July 2016
  - Required G2SV for Google Apps account users with access to Purple (ultra-sensitive) data.
- August 2016
  - Conducted a proof of concept and pilot of Duo for Shibboleth-enabled services.
- October 2016
  - Combined Duo and G2SV into a single 2FA program.
- November 2016
  - Began enforcing Duo for users with access to Purple (ultra-sensitive) data.
  - Developed 2FA training, communications, rollout, and support plan for university employees.
- December 2016
  - Rolled out Duo to all IT employees.
  - Announced mandatory two-factor authentication for Google Apps and Shibboleth logins for all employees.
- March 2017
  - Required Duo for OIT staff and its student employees.
  - Started 2FA campus rollout.
- May 2017
  - Completed 25 percent of employee enrollment.
NC State, like many other institutions of higher education, is at risk from threats to its digital assets and daily operations. In an effort to strengthen NC State’s security infrastructure against security challenges, NC State leadership charged the OIT Security and Compliance unit (OIT S&C), along with campus IT partners, to implement and manage a Cyber Security Liaison Program.
The program is a network of designated college and department/unit representatives who collaborate with OIT S&C to defend against cyber threats. The program’s mission is to keep the university’s digital assets secure by continuously identifying and addressing weaknesses in its cyber defenses. The team addresses security incidents and compliance requirements at the college, division or department/unit level in coordination with OIT S&C and engages in the following activities:
- Report security issues to local constituents.
- Serve as ambassadors for security standards and best practices.
- Recommend best practices to secure data within their unit.
- Assist in classifying home unit data/systems.
- Report any suspected breach/exposure of sensitive data to OIT S&C.
- Provide home unit concerns/feedback on security matters to OIT S&C.
- Serve as point of contact for S&C identified incidents.
- Participate in periodic security training, briefings and other events.
During National Cyber Security Awareness Month (CSAM) in October, OIT, along with the NC State Department of Computer Science, ePartners Program, and NC State Engineering Foundation, co-sponsored “Protect the Pack: Don’t Get Phished!,” a month-long series of events to help campus users learn how to identify and stop the spread of phishing attacks on campus.
Activities included a Phishing Fair with many fun games related to cyber security awareness. The month also featured seven presentations with various topics and a very well-attended FBI presentation on the security landscape and threats facing universities. Flyers and cards with instructions to set up 2FA and mobile security were distributed to hundreds of students, faculty and staff.
October 2016 marked the 13th annual event sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance “to increase the awareness and prevention of online security problems.”
In celebration of Data Privacy Month, Jan. 28 to Feb. 28, OIT sponsored “Protect the Pack! Protect Your Data!” to empower users with the tools and knowledge necessary to protect their privacy and control their digital footprint.
During Data Privacy Month, OIT presented on several cyber security awareness topics, staffed a security booth at the Wolfpack Way of Life Wellness Fair, and encouraged campus IT users to watch SANS Securing the Human videos to learn how to protect their data.
Sponsored by the National Cyber Security Alliance, Data Privacy Month also stresses the protection of privacy and data as everyone’s priority.
- New Data Sensitivity Framework (DSF) training – Developed to increase campus awareness on data classification, threats to digital assets, and common-sense methods to defend against these threats. More than 330 employees have taken the training.
- University Cyber Security Strategic Plan and Roadmap – Further developed detailed projects and needed resources to secure university information systems and data to achieve university-level compliance with rules, regulations, laws and standards, including but not limited to: the International Organization for Standardization (ISO)-27002, Payment Card Industry (PCI) – Data Security Standard (DSS), Defense Federal Acquisition Regulation Supplement (DFARS), and the National Institute of Standards and Technology (NIST) 800 series.
- Secure IT Service – Being developed by OIT and the Office of Research, Innovation and Economic Development to support sensitive research contracts or grants to meet NIST 800-171 compliance and other requirements by December 2017.
- PowerAmerica Security Assessment – Partnered with Internal Audit to complete the assessment.
- Security Tools – Implemented to improve overall protection of university information systems and data (PCI focus): vulnerability scanning (Nexpose), file integrity monitoring (Tripwire), sensitive information discovery (Identity Finder), logging/monitoring (Splunk), security information and event management (Splunk Enterprise Security), network intrusion detection/protection system (Palo Alto), PCI change management application for merchants (ServiceNow) and connected systems (Quickbase), and two-factor authentication (Duo and Google 2-Step Verification).
- Antivirus Software Regulation – Published an update. Currently finalizing development of endpoint protection and incident response standards.
- Mandatory Basic Security Awareness Training – Began development of a training program to roll out to campus.
- Cyber Security Website – Began development of a customer-focused site to make security resources more readily available to students, faculty and staff.
- CloudLock – Implemented to simplify Google Apps administration and to add additional protection to stored sensitive information.
- PCI-DSS – Compliance efforts continued to generate a significant workload. Attestation is now against version 3.2 with the annual date moved from July/August to March. Together with the Controller’s Office, the university attested compliant for three of the four merchant types in March 2017. The remaining merchant type, SAQ D, is nearly compliant and demonstrates significant progress. Full compliance for all merchant types is scheduled to be completed in March 2018.
- Conducted annual mandatory PCI-DSS training classes and online learning modules for merchants and IT system administrators.
- Identified the remaining items for full compliance and began implementation with developed project plans.
- Internship Model – Partnered with the Department of Computer Science to assist graduate students with real-world data and business use-case scenarios that provided a new and unique way to analyze security data and to handle events.
- Quickbase Portfolio Tool – Developed and implemented to track and manage OIT Portfolio projects and Cybersecurity Roadmap projects.
- InCommon Certificates – Reviewed 281 new applications. Maintained certificates for public websites that require secure transfer, and for programs and applications that require secure communications to operate correctly, for a total of 2,250 active certificates.
- Detection and Response Systems – As cyber security incidents and phishing attacks have become more prevalent, OIT staff continued to improve detection and response systems, protecting more than 1,720 people from further compromise, an increase of 600 over last year.
- Data Exposure – Investigated and handled a major security incident in which data for more than 40,000 students was exposed due to a phishing attack on a university account. The cyber risk insurance was used to handle notifications, staff a call center and provide credit monitoring service for one year.
- ServiceNow – Processed in excess of 1,080 ServiceNow tickets in support of security services, including scanning, Tripwire and Splunk.
- Public Record, Litigation Hold and eDiscovery Requests – Increased from four to 12. Litigation hold releases increased from seven to 14.