University of Pittsburgh

May 26, 2016

Technology Corner


New security initiatives protect your account

What’s the biggest threat to the security of the University’s information technology infrastructure?
Compromised accounts. And the University has more than 65,000 computer accounts to protect from compromise. Those are tough odds.

Because Pitt computing accounts are part of a large research university infrastructure, your account is a valuable target for cybercriminals. Password changes are a basic precaution, but do not offer enough protection in today’s security landscape. This summer, the University is rolling out several new security initiatives.

Pitt Passport: Trust your login page
As a faculty or staff member, you are asked to log in to numerous University systems: My Pitt, PRISM, PittSource, etc. This multiplicity of login pages is not only visually confusing but also gives hackers an easier opportunity to mock up malicious sites designed to collect your account information.

In response, we are rolling out a centralized single sign-on page, Pitt Passport, to make it easier for you to know that you are on a site offering secure access to online resources at Pitt.

People who use My Pitt Email (Exchange 2013) already may have seen the new login page. In June, everyone will see the Pitt Passport page when logging in to My Pitt.

Eventually the new Pitt Passport login page will replace all of the different login pages you currently see when accessing key services. You can verify the authenticity of the login page by noting the URL that appears in the address bar of your browser: The Pitt Passport login page will begin with https://passport.pitt.edu.
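As an added illustration (not code from the column or from Pitt), here is how a bookmark checker or help-desk tool would verify that a login URL really is the Pitt Passport page: it parses the host and compares it exactly, which is what the "begins with https://passport.pitt.edu" advice needs in practice, since a plain string-prefix test also accepts lookalike hosts. The example URLs and path are constructed.

```python
from urllib.parse import urlsplit

# Per the column, the Pitt Passport login page lives on this host over HTTPS.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "passport.pitt.edu"


def is_passport_login_url(url: str) -> bool:
    """Return True only for an HTTPS URL whose host is exactly passport.pitt.edu.

    The URL is parsed rather than prefix-matched, so a host that merely starts
    with the expected name (a subdomain of some other domain), or a URL that
    places the expected name in the userinfo part before an '@', is rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL (e.g. bad IPv6 brackets)
        return False
    if parts.scheme.lower() != EXPECTED_SCHEME:
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if host is None:
        return False
    # A trailing dot is the fully-qualified form of the same DNS name.
    return host.rstrip(".") == EXPECTED_HOST


def naive_prefix_check(url: str) -> bool:
    """The literal 'begins with' test, kept only to contrast with the parsed check."""
    return url.startswith("https://passport.pitt.edu")


if __name__ == "__main__":
    # Constructed sample URLs: one genuine form, three that should be refused.
    for candidate in (
        "https://passport.pitt.edu/login?service=mypitt",
        "http://passport.pitt.edu/login",
        "https://passport.pitt.edu.example.com/login",
        "https://passport.pitt.edu@example.com/login",
    ):
        print(f"{candidate}: parsed={is_passport_login_url(candidate)} "
              f"prefix={naive_prefix_check(candidate)}")
```

The last two constructed URLs pass the prefix test but fail the parsed check, which is why the host, not the start of the string, is what to read in the address bar.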

Shibboleth, the technology enabling the Pitt Passport single-sign-on, also allows us to make multifactor authentication available to you.

Multifactor authentication
This summer, we will offer University faculty, staff and students the ability to authenticate their access to accounts with both a password and a second “factor.” Options will include a choice of apps — one to send the authentication directly to your mobile device and one to generate a one-time password on your mobile device — or a text to your mobile phone or a voice message to any phone.

You will be able to select the University enterprise services (such as email) for which you want to set up multifactor authentication. Eventually, departments will have the ability to leverage multifactor authentication for their IT applications. People with special access privileges to enterprise systems may be required to use multifactor authentication.

Combating APT with ATP
In the world of security acronyms, an APT (advanced persistent threat) attack is marked by a person — rather than an automated program — actively trying to compromise a specific account, often via email. After successfully compromising that particular account, the cybercriminal then uses the account to try to break into University systems and data. APT attacks can be difficult to detect and defend against because they are designed to happen below the radar of traditional security controls.

In order for the University to be successful at defending against these types of attacks, we need to implement more advanced security controls, such as Microsoft’s Advanced Threat Protection (ATP).

The ATP service, which will be implemented this summer, includes two key features:

• Safe Links replaces links in emails received from the internet, giving ATP time to evaluate the threat associated with that link. If the link is determined to be malicious, you’ll be blocked from accessing it when you click on it. If not, you’re simply directed to the URL embedded in the link.
• Safe Attachments helps to protect against malware delivered in email attachments. Through “behavioral analysis,” ATP determines if the attachment is safe or not. This process may cause some minimal (measured in minutes) delay in delivery to you of email messages with attachments.

Put your suspicions to the test: PhishMe
The University will never ask you to reveal your password. No reputable entity will, but it’s a favorite phishing tactic, along with encouraging you to open an attachment or click a link.

Of all data breaches, 91 percent start with a successful phishing attack. Phishing efforts are designed to encourage you to respond, and many now are constructed to appear as though they’re from someone or some company you’re already familiar with. They incorporate elements that indicate some familiarity with you (e.g., “Hi Sean! How about the game last night!” vs “Dear Sir, It has come to my attention that….”).

Phishing messages and spam are both annoying, but they differ in one critical way: While spam contains information you don’t care about, phishing messages ask you to respond in some way, such as clicking on a link. That response triggers a potential opening that can be the initial point of an attack against your online resources as well as the University’s information technology infrastructure.

Your ability to recognize and report phishing emails is an integral part of our security team’s defense.

PhishMe is an immersive awareness campaign for Pitt faculty and staff. As part of this program, you may receive simulated phishing email messages designed to imitate a real scam. If you mistakenly click on a simulated phishing message, you’ll be directed to a site that provides helpful tips to spot phishing scams in the future.

Any time you receive an email that you suspect is phishing, please forward it as an attachment to phish@pitt.edu. Your identification of phishing emails will become part of a crowd-sourced early detection effort to forestall attacks on University accounts.

A changing security landscape
Your University computing account is valuable and vulnerable. As various kinds of attacks grow more specialized, we all need to work together to identify them and protect our resources.

While we are doing everything possible to protect your account, even the most experienced person eventually will get phished or compromised. When that happens, let us know: Contact the Technology Help Desk (helpdesk@pitt.edu or 412-624-HELP (4357)). We operate in a judgment-free zone and consider you part of our security team. Reporting incidents to us is incredibly important to the success of our security work.

The cybersecurity landscape is changing. Pitt’s defense against potential security threats needs to change, too.

Sean Sweeney is Pitt’s information security officer. He can be reached at 412-624-5595 or sweeney2@pitt.edu.