Security Protections

Overview

Over the past several years, SUNY New Paltz has implemented a number of additional security protections. This has been necessary as cyber attacks, particularly ransomware and account compromises, have become huge risks to any organization or business.  As time goes on, attackers are getting more aggressive, more skilled, and better funded (due in no small part to ransomware payments).  SUNY New Paltz has an obligation to protect the confidentiality of data we are entrusted with, and to ensure the integrity and availability of our systems and services.

Most of the security protections we implement are in the background and not noticed by our campus community - but some are.  We wanted to explain a bit more about what these protections are, and why we are using them.

For each - we will also mention why you should be using these protections even on personal devices you own that are not managed by the college.  Criminals aren't just looking to compromise organizations - ransomware attacks and account compromises affect regular people in their personal lives.

Multifactor Authentication (MFA)

What is MFA?

Multifactor Authentication (MFA), also sometimes known as Two-Factor Authentication or Two-Step Authentication, is an additional layer of security beyond the traditional username and password that we all know and love/loathe.  In general, MFA is a requirement that a person logging in present two or more 'factors'.  Those factors can include:

  • Something you know: a username and password
  • Something you have: a cell phone with an authenticator app like the Microsoft Authenticator, a cell phone that can receive text messages, a one time passcode (OTP) token, or a device like a smart card or a USB security key
  • Something you are: these are biometric-based protections.  You may have this in place on your smartphone if it has a fingerprint reader, or on phones that use the camera to identify the authorized user of the phone.

At New Paltz, we use the first two options.  We don't use biometrics.

How does MFA help?

Account compromises are a huge problem, and they are usually accomplished by cyber criminals via one of the methods below:

  • Phishing: This is sending fraudulent emails, texts, or even phone calls to trick people into giving out sensitive information such as their passwords
  • Password reuse: Many people use the same password on a number of systems.  When cyber criminals compromise a site and are able to get passwords, they will frequently pivot and try to use those passwords for other accounts.  We saw this in the past at New Paltz, particularly when a popular textbook rental site was compromised.  The criminals then tried to use the same passwords students used on that site for their New Paltz accounts.
  • Brute force: Repeated attempts to try common passwords to get into accounts, for example by trying the top 1,000 or 10,000 most common passwords in an automated fashion.
  • Malware: Many viruses or other malware will capture sensitive information such as usernames, passwords, or banking information for use by the cyber criminals.

What MFA does is make these attacks more difficult.  If you use, for example, the Microsoft Authenticator app, someone trying to compromise your account via phishing would not only have to trick you into giving out your password, but also into approving their fraudulent login in the app.

MFA is not a panacea that fixes all problems, but is one of many layers of defense.

Personal Impact - Why should you use MFA personally?

You should definitely look into enabling MFA on personal accounts that you use, especially those most at risk for compromise.  Those include email accounts, financial accounts (bank, investment, credit card, etc.), and social media sites.

Automatic updates & reboots

What do we mean by automatic updates and reboots?

What we mean here is that we set college owned computers to automatically apply updates.  This includes both updates from the operating system (Windows and Mac OS updates) as well as those of common applications (web browsers, Microsoft Office, Adobe Creative Cloud, and many more).

Updates are typically classified:

  • Security: to fix a vulnerability in software
  • Bug fix: to fix a non-security related problem
  • Enhancement/Functionality: to add new features

Security updates especially are important.  We need to ensure that these updates are applied in a timely manner.  Without doing so - we leave our users at risk.  In fact, the time between when a vulnerability is patched and when it is widely exploited keeps getting shorter.  For one vulnerability in a Microsoft application, the time between Microsoft announcing a patch and reconnaissance by cyber criminals was five minutes!

The reboots are related to this.  Operating system updates typically only take effect after a reboot.  Unfortunately, we have some faculty/staff who never reboot their computer on their own (they either leave it on all the time, or put it in sleep mode instead of shutting it down).  We've implemented a policy that will ensure at least one reboot a month.  On weekends, it will check if the computer has been up for more than 30 days without a reboot and will reboot it.  If you want to control when that reboot happens rather than leaving it to the policy, please reboot your computer periodically yourself.
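As an added illustration of the weekend uptime check described above (this is not the college's actual policy script), here is a PowerShell version of the kind of logic a scheduled task could run: it reads the last boot time from the operating system, checks whether a reboot is already pending from Windows Update, and schedules a restart with a warning only on a weekend and only when uptime exceeds the threshold. The 30-day threshold and the 15-minute grace period are assumptions; the registry keys checked are the standard Windows "reboot required" markers.

```powershell
# Added example, not the college's own script. Thresholds below are assumptions.

function Get-UptimeDays {
    # Last boot time as reported by the OS via CIM (Windows PowerShell 5.1 and PowerShell 7).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ((Get-Date) - $os.LastBootUpTime).TotalDays
}

function Test-PendingReboot {
    # Windows Update and Component Based Servicing both leave a marker key when
    # installed updates are waiting for a restart to take effect.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($key in $markers) {
        if (Test-Path -Path $key) { return $true }
    }
    return $false
}

function Test-RebootNeeded {
    param(
        [double]$UptimeDays,
        [System.DayOfWeek]$Today = (Get-Date).DayOfWeek,
        [int]$MaxUptimeDays = 30   # assumed threshold, matching the policy described above
    )
    $isWeekend = $Today -in @([System.DayOfWeek]::Saturday, [System.DayOfWeek]::Sunday)
    # Only act on weekends, and only when the machine has exceeded the uptime limit.
    return ($isWeekend -and ($UptimeDays -gt $MaxUptimeDays))
}

$uptime  = Get-UptimeDays
$pending = Test-PendingReboot

if (Test-RebootNeeded -UptimeDays $uptime) {
    # Warn anyone still logged on instead of restarting instantly.
    $graceSeconds = 15 * 60   # assumed 15-minute grace period
    $reason = if ($pending) { 'installed updates are waiting for a restart' } else { 'monthly reboot policy' }
    $msg = 'This computer has been up for {0:N0} days ({1}). It will restart in 15 minutes. Please save your work.' -f $uptime, $reason
    Write-Output $msg
    shutdown.exe /r /t $graceSeconds /c $msg
} else {
    Write-Output ('Uptime {0:N1} days, reboot pending: {1}. No restart scheduled.' -f $uptime, $pending)
}
```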

The same is true of your web browser.  Updates may be applied, but they don't take effect until you restart your browser.  This is why in Chrome, for example, the "Update" button may show up at the top right and show as green, yellow, orange, then red (depending on how long it has been between the update and when the browser was restarted).

Personal Impact: Why is it important to update software on your computers and devices?

If you have a personal computer, smartphone, or tablet, you should also ensure that you have automatic updates enabled and reboots set up, to protect your personal devices and data as well.  The same kinds of attacks that target organizations often target individuals too.

Many attacks don't even require a user to click on a link, or open an attachment if they are using vulnerable/unpatched software.  Just visiting a legitimate site with compromised ads could infect you if you aren't up to date.

Administrative rights

What do we mean by administrative rights?

On a computer, an administrator is an account or member of a group that has complete and unrestricted access to create, delete, and modify files, folders, and settings on that computer. This is in contrast to normal user accounts.  For the most part - an administrator-level account is not needed and is risky.

When running as an administrator, you are more at risk of malware (malicious software such as viruses).  You can also make changes that could cause issues, including making the computer unusable.  Because of this - faculty and staff do not have administrative rights on their computers. 

How are user account privileges handled at New Paltz?

At New Paltz, user accounts are set up as regular users - not administrators.  This significantly reduces what malware can do, unless it is also taking advantage of other vulnerabilities (privilege escalation vulnerabilities).  Tasks that require administrative rights are handled by our Desktop Support staff (primarily installing and updating software).

In rare cases - an exemption may be granted to give a faculty or staff member access (via a tool called LAPS) to a temporary administrator password for their computer.  This is done upon justification by the faculty/staff member (i.e. why are these rights needed) and approval by the Information Security Officer and Chief Information Officer.  Those exemptions are subject to re-review and can be revoked if they are being misused.

Personal Impact - why use a non-admin user on your own computers?

Even when using your home computer, we recommend that your general use is as a regular (non-administrative) user.  You can, on a personal computer, create a separate account that you can use to elevate your privileges when necessary (such as installing new software).  By not always being logged in as an admin user, you reduce the risk to your own computer.

Automatic screen locks

College computers are set to automatically lock the screen (and require the person using the computer to re-enter their password to unlock) when a computer is inactive.  This is one topic we get a LOT of questions about.  Prior to Summer 2022 this was not set in academic areas (classrooms/labs), but it is being applied there as well.

Why do we have this in place?

Simply put - to prevent access by unauthorized users when someone steps away.  People often forget to log out or lock their computers manually and step away, or even leave for the day.  If your computer is not locked - then anyone at it would have access to not only the files on your computer, but any website (college or otherwise) that you are logged in to, or any passwords you have saved on your computer.

This is especially problematic in classrooms and labs.  The root issue is faculty, staff, and students forgetting to log themselves out when they leave - this doesn't completely stop that, but it limits the risk of it (for example, if you forget to log out - the screen will automatically lock within a reasonable amount of time).

We often hear "but I have a private office - why do I need this?".  That's a good question, but you may or may not find the reasons satisfying.

  • Even if you have a private office - we in Information Technology Services don't know how many people have access to your office, or if you leave your door unlocked regularly.
  • What is being protected is not just your data - but the data you are entrusted with as an employee AND the systems you are able to access as an employee.
  • Even if we were to make exceptions, it would be complex to make them on a per-user basis due to how the policy settings for Windows are applied.  We would have to have an exception group per department, doubling the number of policies being maintained.  And that assumes that is the ONLY exception that needs to be applied.  The more exceptions and the more policies, the more complex and error-prone it gets.

So unfortunately, you will have to re-login periodically if you are inactive at your computer.

Personal Impact - Why should you use a screen lock on your own computers?

If you have a laptop that you ever take out of the house, a screen lock reduces the risk of someone getting access to your computer if you leave it unattended or it is lost or stolen.  If you're accessing New Paltz resources with your personal device, you also have a duty to protect that data from others in your household who may have access to your devices as well.

Information Security Awareness Training

Information Security Awareness Training is conducted annually (more frequently for those with special access or job roles) for all faculty and staff at SUNY New Paltz.  It is required for all faculty/staff on an annual basis as per campus policy, and to comply with SUNY's Information Security Policy, and with certain NYS and federal policies and regulations (including the Gramm-Leach-Bliley Act).

Why are all these protections in place?

You may ask yourself - "why are all these protections in place?" or "why do they apply to me, I'm only a faculty/staff member and I don't deal with sensitive data?".  Those are good questions!  There are a few answers to this.  The first is that the protections we have implemented are not arbitrary.  The reasons these (and other) protections are implemented are:

  • Research into which controls are most effective
  • Third-party and internal risk assessments and penetration testing
  • Requirements set by the State University of New York (not just New Paltz, but SUNY as a whole)
  • Compliance with NYS and federal laws and regulations
    • for example, the National Institute of Standards and Technology (NIST) 800-53, 800-63, and 800-171
    • NYS Shield Act
    • GLBA (Gramm-Leach-Bliley Act)
    • And more
  • Requirements set by insurance providers for the college

If you're looking for why we are implementing these protections, some of the references below may be of value.

Details

Article ID: 144175
Created: Tue 6/14/22 12:35 PM
Modified: Fri 7/15/22 1:29 PM