Information Technology Task Force security recommendations approved
Implementation of two-factor authentication to begin mid-month
The Nov. 7 cyberattack on the campus network failed in one respect — no data exfiltration (withdrawal) was detected. The disruption to the campus, however, was a different matter as Information Technology Services staff worked around the clock for weeks to restore systems from backups. (See a timeline of actions online.)
Now, the University’s Information Technology Task Force and Senior Officers Group have approved measures to strengthen information security for the campus that will affect individual users. Taking a cue from financial institutions as well as other universities, and using a process already put in place for campus VPN (Pulse Secure) users, Binghamton University will begin implementing two-factor authentication (2FA) for all campus systems that utilize single sign-on protocol — the Central Authentication Service (CAS) that users log onto with their PODS credentials.
“The members of the task force represent a broad spectrum of the campus,” said task force co-chair JoAnn Navarro, vice president for operations “They are not only key IT people from across the divisions, but also academics with expertise in various areas of IT security and other leaders in the academic community. We have also included a CIO from another SUNY University Center with expertise in security implementation at the campus level and have brought in external consultants when needed. These individuals have all played a tremendous role in helping shape the recommendations for the future of cyber security on campus.”
Bahgat Sammakia, vice president for research and co-chair of the task force with Navarro, noted that IT security is everyone’s responsibility and to improve IT security, additional security barriers will help.
“Overall, the task force quickly focused on a few important items that were needed to be added to our system, and we agreed that an educated community, from an IT perspective, is a more secure one,” he said. “We also agreed that total transparency regarding how the breach happened, and what we needed to do in the future, the more the campus community would buy into enhanced security measures we are proposing.
“We also agreed that forming a standing IT security committee that meets regularly and shares ideas, concerns regarding threats that arise and measures to prevent them will allow us to have continuous improvement in this area,” Sammakia added. “As task force chairs, JoAnn and I feel that the task force is working really well as a team, and quickly arrived at pragmatic, reasonable security measures to add to our system, which will significantly enhance our security and resiliency.“
Cyberattacks have been growing significantly around the globe in recent years, said Niyazi Bodur, Binghamton’s associate vice president and chief information officer. “By some measures, from 2019 to 2020 cyberattacks grew 50%. Ten years ago they were unique incidents that happened to someone else — and small handful and mostly to big companies, not universities,” he said.
That’s changed now and 2021 is expected to be even worse, with everyone becoming a target. “Obscurity isn’t a defense anymore,” Bodur said. “Simply because we are not a big target is not sufficient reason to not improve security, but we also have a different mission where we need to be open.
“We are not a bank network where you can close everything down and you’re safe,” he added. “Some of our students are overseas, our faculty collaborate with faculty at other institutions in and outside of the United States. This makes our job to secure institutional data and our network difficult because we have to be open, but one solution in this whole scenario is 2FA.”
Cyber attackers and hackers can compromise a user’s ID and password, but if 2FA is fully implemented, Bodur said, these bad actors cannot access the University’s network. “This the most important reason for using 2FA, which is called an offline tool that keeps hackers from accessing our network and systems to get our information. Today, this is the state-of-the-art technology within commercial and institutional space.”
The 2FA process Binghamton is implementing is more secure, Bodur said, than the text message process many banks use. “Sometimes banks may send text messages but hackers can take over your phone number — it’s called sim hijacking — and you don’t even realize it. They take over your phone and put your number into their sim card so when your bank sends a text message it goes to them and they have your 2FA as well.
“What we are implementing eliminates that risk,” Bodur said. “We’re not using text messages. We are using Time-Based One-Time Password (TOTP) protocol that is a lot more resilient and robust. It will give us a good front-door solution that’s more secure. 2FA is the industry standard and it’s used by other universities, including SUNY University Centers. This will enhance security at our front door.”
Google Authenticator is the TOTP protocol that Bodur recommends, but any other authenticator will work. “We are also going to use an application called Authy that has both a desktop and a phone client to give users flexibility, and also for some people, we will get a hardware token,” he said. “ITS will support these three tools.”
Moving to 2FA will begin in mid-February, with users opting into the system themselves as they are able. At some point later in the semester, using 2FA will be required of all users when they sign onto CAS. Frequently asked questions about 2FA and instructions for how to set it up can be found on the ITS website.
Moving to 2FA is one of several measures the campus is taking to improve security, Bodur said, though it’s impossible to completely eliminate all risk. “We’re working to mitigate our risk,” he said. “2FA is already implemented on the VPN and there are no exceptions to that. We also have a temporary Endpoint Detection and Response (EDR) solution (Carbon Black) in place that gives us a significant level of comfort. If anything malicious happens on our network, the EDR sends about 20 of us an email and I’m happy to report that in the recent four weeks or so, the only emails I get are daily summaries with nothing malicious reported. That’s an after-the-fact solution, but within minutes we can take action so hopefully any potential damage would be limited.”
The campus is currently investigating which EDR protocol to implement when the temporary contract it has with Carbon Black ends.
Bodur said additional actions being taken are to move Remote Desktop Software (RDP) and Secure Shell (SSH) activities behind the VPN.
“These are all immediate steps we are taking to improve our security posture,” he said. “We’re in much better shape than we were in Nov. 7.”