Want to Join the Wayne State IT Security Team?

Are you or someone you know interested in moving into the field of Information Security? Want to collaborate with talented and motivated people? Keen on working with awesome technology and tools? Think you can handle a boss with an unhealthy David Hasselhoff obsession?

If so, I have some good news for you! Wayne State University is hiring for an IT Security Specialist position. This is a full-time, entry-level position in the field of Information Security. This position will be responsible for maintaining and auditing University firewall configurations, will act as the first-level responder for reported threats and incidents, and will perform the initial triage and notifications for identified vulnerabilities. While no direct IT security experience is required, we are looking for individuals with great analytical skills, familiarity with general networking, and a few years of supporting an IT enterprise in some fashion.

For more information or to apply, please search https://jobs.wayne.edu for posting number 042473.

National Data Privacy Day Presentation

Next Thursday, Jan. 26 is National Data Privacy Day. Data privacy is becoming more and more crucial as our personal data is being collected, used and mined in all sorts of ways that we could not even fathom a few years ago.

Think for a second – how would YOU want organizations and companies to use information they collect about you and your family? How could disclosing personal details on Facebook and Instagram affect you in the future? What is that “free” app scanning and analyzing so you can play that hot new game? Should it be alright or acceptable for the maker of your SmartFridge to report back when you are low on milk? Questions like these need to be thought about and answered as we keep moving forward in this information age.

So mark your calendars and come on down! The Privacy Office, C&IT and University Libraries are sponsoring a web-based talk that day from 1-2 p.m. in the Simons Room on the first floor of Purdy/Kresge Library. Refreshments will be provided! Relax, step away from your daily routine and listen in on this crucial growing area of data privacy.

Speaking is Cindy Compert, Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:
http://events.educause.edu/educause-live/webinars/2017/big-data-whats-the-big-deal

Later this spring, additional live speakers will be announced. Watch Geoff Nathan’s ProfTech blog and campus announcements like this one for details. The goal of our campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.

Thanks and looking forward to seeing many of you there!

January 2017 Security Patches

Two posts from IT Security in a single day? Say it isn’t so! Don’t worry, this one is relatively painless.

It’s time to deal with our not-so-favorite time of the month, Microsoft Patch Tuesday. Happily, Microsoft released *only* four patches yesterday — and one of them is a patch for Adobe Flash Player. Told you it was relatively painless!

MS17-001 – Security Update for Microsoft Edge
MS17-002 – Security Update for Microsoft Office
MS17-003 – Security Update for Adobe Flash Player
MS17-004 – Security Update for LSASS

More information regarding the January patches can be found here:
https://technet.microsoft.com/library/security/ms17-jan

C&IT is testing and deploying these updates to our enterprise and supported desktop environments this week. It is strongly recommended that you update your computer with these important security fixes; Wayne State computers should be patched by departmental IT staff, while any personal computers will usually download and install them automatically:

https://support.microsoft.com/en-us/help/17154/windows-10-keep-your-pc-up-to-date

Stay safe and stay patched!

Ransomware Threat

Good morning all,

Happy New Year to everyone! I hope that you all had an enjoyable and relaxing break.

One of our higher education brethren in California did not enjoy a nice break; Los Angeles Valley College was just hit with ransomware on their central servers which encrypted all email and shared files. This brought all operations to a standstill and unfortunately, because of a lack of security controls, the college forked out $28,000 in bitcoin in order to get back in business:

http://thevalleystar.com/valleys-pays-ransom-with-cyber-insurance/#sthash.bNmKzCdr.dpbs

Ransomware is a serious threat — thankfully there are a few easy ways you can protect yourself from downtime and financial (and reputation) loss:

  1. Ensure you have backups of critical data on removable or offline media
    Any departmental shared drives you use should be backed up on a regular basis to media that malware cannot access. This can be tape, a USB drive, or a hard drive that nobody has access to remotely. Your backups do no good if the malware can just encrypt and hold those files hostage too. And make sure to test your restore procedures every few months to make sure your backups can save you!
  2. Use Application Whitelisting
    C&IT DeskTech began using application whitelisting after the “invoice.zip” outbreak to outstanding success. By only permitting software signed by known vendors (or manual exceptions by file hash), the initial malware that could encrypt all your files CANNOT RUN. It’s hard to get infected when the OS refuses to run unknown software!
  3. Limit Administrator Privileges
    This should be old hat by now, but it’s still important, especially for the people on this list — limit any administrative privileges to your accounts. This includes removing accounts from a computer’s local “Administrators” group, as well as using DIFFERENT accounts when YOU need to perform administrator actions. Best practice is for you to use one account for your day-to-day office work and to do a special “Run As” execution when running any administrative programs. This way, any damage caused by malware should be limited to just one computer or user profile instead of an entire network or domain.

As always, thank you for the hard work you do in keeping the university safe and secure from these electronic threats.