To The UMBC Community,

October is Cybersecurity Awareness Month, but in reality, we all need to be vigilant 24/7, 365 days a year. As such, I encourage you to watch this brief (under 2 min) video public service announcement.

Now, I want to challenge you: how careful are you about phishing emails? Do you know what phishing is? If in doubt, check out our FAQs about this and other IT security issues. Use the rest of this month to educate yourself.

If you have questions or want to learn more, visit the DoIT security website. You can even forward suspicious emails or IT security concerns to security@umbc.edu.

Sincerely,

Jack Suess

Vice President and Chief Information Officer

UMBC Division of Information Technology (DoIT)

Andrew Gribben (pictured at right), Specialist in Undergraduate Admissions and Orientation, recently helped assist his colleagues in switching to Duo two-factor authentication as part of DoIT’s upcoming two-factor authentication requirement for faculty and staff with Peoplesoft access above “self-service” functions such as timesheets, etravel requests, etc.

Andrew demoed Duo during a staff meeting including having someone sign up in real time. He helped ease the transition to Duo by making himself available to walk staff through the sign-up process, as well as, answer any of their questions. When asked about what helped his group the most, Andrew says he targeted those who were skeptical or concerned before the rollout to the entire group. "This helped ensure a smoother process overall."

To help make sure your office’s rollout goes smoothly, Andrew and DoIT recommend the including the following to help your department’s rollout go smoothly:

• Demo Duo live to show not only how it works but how to sign up.

• Leverage the Duo FAQ collection to help users

• Send out email reminders encouraging users to sign up.

• Be available to offer 1 on 1 support to staff if necessary.

Once again, DoIT strongly encourages all faculty and staff to enable Duo 2FA now, but all employees with PeopleSoft access will be required to do so (staff by 12/31/18, faculty by 9/1/19). After these dates, DoIT will automatically enroll required employees into Duo. DoIT will also provide a “count-down” weekly reminder 90 days before the relevant deadline.

Click here to learn how to activate Duo today.

Additional information about Duo two-factor authentication is available in the FAQs.

If you have further questions, please contact the Technology Support Center by either submitting a support request at my.umbc.edu/help or calling (410) 455-3838.

UPDATE: To get past the start of Fall 2019, faculty with PS access will be required to upgrade to Duo by 9/30/19.

As part of ongoing efforts to keep the campus safe online, the Division of Information Technology (DoIT) has partnered with Duo Security for 2-factor authentication (2FA), which DoIT staff have used for several years. Given UMBC employees’ obligation to protect sensitive, personally identifiable information, all UMBC staff members with access to Peoplesoft (PS) will be required to use Duo by the end of the year 2018. All faculty members with Peoplesoft access will be required to do so by Fall 2019. This will apply to any online UMBC service requiring a login, except for current, “self-service” functions such as timesheets, etravel requests, etc.

Duo 2-factor authentication (2FA) greatly increases the security of your account by adding an extra layer of protection to the login procedure. With Duo 2FA, your account will require you to have a second-factor device physically unique to you, such as a smartphone, your office phone, or even a tablet in your possession to log in. When you log in, your second-factor device will prompt you to approve your online login. Without approval from your second-factor device, any fraudulent attempts to log into your account are denied, thus preventing anyone who shouldn't have access to your account from getting to your data.

However, you don't need to have PS access or even wait until the various deadlines to get started! In fact, DoIT strongly encourages all faculty and staff to enable Duo 2FA now. Required employees who choose not to enable Duo 2FA by the deadlines above will be automatically enrolled on those dates. DoIT will also provide a “count-down” weekly reminder 90 days before the relevant deadline.

Note: DoIT presented this planned rollout at the March 27 IT Steering Committee, March 29 at TechFest, at the Faculty Senate Computer Policy Committee (CPC) on April 25, and will do so at Professional Staff Senate (PSS) meeting before the end of the term as well.

Click here to learn how to activate Duo today.

Additional information about Duo two-factor authentication is available in the FAQs.

If you have further questions, please contact the Technology Support Center by either submitting a support request at my.umbc.edu/help or calling (410) 455-3838.

Phishing attacks have been a problem for many years.  Typically, hackers have sent messages asking members of our community to click on a link or reply to an email message with a password.  Their goal has always been to trick our community members into giving them access to our accounts and information.  Sometimes, they have pretended to be DoIT and sent messages to ask for your password or to tell you that there is a problem with your UMBC account.  

Recently, the hackers have expanded their efforts and sent messages as people around our campus.  They have been looking up the names and titles of UMBC community members on the Internet and then using that person’s name and title to request information.  They try to choose a name or title that the community would trust.  As examples, during recent attempts, they have requested information about how to wire money out of the campus and get people to send checks to outside addresses.  They have also requested that people send them files containing the social security numbers of community members.  In some cases, they have also impersonated UMBC vendors. In each of these examples, they have tried to make their phishing messages appear to come from a person that the campus would trust.

The hackers are motivated by money and resources and will continue to try to get to our accounts, information, and resources.  The only thing that can stop them is the UMBC community working together to block their attempts.  Here are some questions that DoIT frequently receives and the answers.  

1. What information can’t I send in email?

No one should ever send passwords or confidential information in an email message.  

Confidential information includes social security numbers, driver’s license numbers, passport numbers, and financial account numbers.  This information is classified as confidential information under the policies of UMBC, the University System of Maryland, and the State of Maryland.  Passwords and confidential information can never be sent through email.  This includes the body of an email message and as an attachment to a message.  For in depth information about our data classifications and use, please see the following two links:

UMBC Policy on the Definition and Classification of Sensitive Information

UMBC Data Use Guidelines

2. Will DoIT ever ask for my password?

No.  In fact, DoIT doesn’t know (and has no reason to know) your password.  The only person who should ever know your password is you.  If DoIT needs to assist you with your password, we can help you to reset your password, but DoIT still won’t need to know your password.  To help us maintain the privacy of your password, please make sure you have your account security questions enabled -- and make sure you know the answers.  Please also ensure that you have an alternate email address registered with UMBC.  If DoIT needs to send you a link to reset your password, we will send it to the secondary email address that we have associated with your account.

3. What should I do if I receive a suspicious message?  

If you think that the message is asking you to do something that seems unusual, look up the phone number of the person the message is from in the UMBC directory, call the person, and ask them if they really sent the message.  Do not call a person back at a phone number that is listed in the suspicious email message.  The phishing message may include the phone number of the hacker.  For example, if you get a message saying that there is a problem with your computer account and you aren’t sure if it’s a real message, please call the DoIT Technology Support Center (410-455-3838) and ask if it’s a real message.  This also applies to any messages that might appear to come from Human Resources, Finance, Financial Aid, or any other department.  If the message seems strange, trust your instincts, look up the correct phone number for the person, and call to verify the message.

4.  What should I do with a message that I have determined is a phishing message?

Forward it to security@umbc.edu with “full headers” and as much information as you can.  DoIT will review the messages that you forward, verify that they are phishing messages, and take steps to try and protect the rest of the community.

Once you forward any phishing messages to security@umbc.edu, please delete the messages, and very importantly, never click on the links in a phishing message.  Just by clicking on the link in a phishing message, you may download a malicious program onto your computer.  

5. Who do I contact if I have additional questions?

As a starting point, the following links may provide assistance.

• UMBC “Phishing & Spam” FAQ Collection

• Anti-Phishing Work Group (non-UMBC consortium of institutions fighting phishing)

To The UMBC Campus Community,

Recently a DoIT student employee contacted members of the campus that they may have a number of files on their computers containing personally identifiable information (PII).  This information may include social security numbers (SSNs), credit card numbers, passport numbers or bank account numbers.  

While this was a legitimate email, it was sent out mistakenly by a grad student working in our cyber security group.

We apologize for the alarm this has caused and we have used this incident to review how we keep the campus informed of the important work we are doing. We will be sharing our plans with the campus community once we have had this process reviewed by our shared governance committees and the VPs and Deans.

If you have continued questions or concerns, or would like to discuss this further, please feel free to reach out to our Chief Information Security Officer, Mark Cather at mark.cather@umbc.edu.

Sincerely,

Jack Suess

VP of IT and Chief Information Officer