INITIATIVE: Multi-Factor Authentication (MFA) and Security Awareness Training Expansion (Fall 2018)
Background
The University of Memphis IT Security, Identity Management, and Compliance team (ITSEC) has previously undertaken projects to deploy the Duo Account Security Multi-Factor Authentication product and the SANS Securing the Human training program to provide additional security for individuals who have access to sensitive IT systems or data. While Security Awareness Training has been mandated for the last three years for any individual with Banner HR or Finance roles (as well as all IT employees), Duo has largely been left in an opt-in state outside of several specific departments. As the risk of social engineering through email phishing attempts and scams continues to rise, further adoption of Duo MFA and Security Awareness Training is vital to lowering the risk of compromised user account credentials in our population.
Duo MFA
Multi-Factor Authentication, or MFA, is a method of authentication in which a user is prompted for a piece of information, or "factor", that only they possess, in addition to their normal username and password. Examples of factors implemented by Duo include acknowledging a "push" message in the Duo mobile application, a PIN sent via text message to the user's mobile device, acknowledging a call on a desk, home, or mobile phone, or a PIN generated by the Duo application. ITSEC has enabled Duo support for any resource protected by the ITS Single Sign-On (SSO) system, including, but not limited to, the myMemphis portal, Banner SSB and INB, and any other application whose primary login occurs via the sso.memphis.edu login page. Currently, 545 individuals have enrolled in Duo.
As risks from malware, ransomware, phishing, and other attack vectors increase, protecting data solely through username and password authentication has quickly become ineffective. MFA safeguards against these threats by ensuring that an attacker who has obtained a user's password is still unable to gain access to protected resources without possession of the additional factor.
Security Awareness Training
While technical controls such as Duo MFA can reduce the impact of a compromised user account, MFA alone cannot change individual behavior so that account compromise is prevented from occurring in the first place. Security Awareness Training can be effective in changing individual behavior if the program is designed to promote learning and retention rather than simple compliance. In previous years, the program segmented the population so that only high-risk users, defined as anyone with Banner Finance or HR access, were included; other users were not required to receive any training. This created a situation in which the required users questioned why they were mandated to receive the training, while other users who could have benefited from the program had no access to the content. The segmentation, combined with the overall length of the training program, led to numerous complaints from faculty members and apparently very low attention to the material. While the program achieved its highest level of completion compliance in FY 2018 (93% completion rate – 1102/1188), the number of complaints also rose over previous years.
Risks
Members of the ITSEC team have identified multiple risks related to social engineering and compromised user credentials. Below are three of the risks identified, each of which can be mitigated by use of an MFA solution as well as a functional Security Awareness Training program:
| Threat | Impact | Probability |
| --- | --- | --- |
| Financial Access: A high-level user account with finance access is compromised through phishing and is then used to transmit funds to an external entity through a wire transfer or other form of payment. Impact: Potential trigger of state breach notification, loss of funds, negative publicity, and damage to reputation potentially impacting student retention, student recruitment, and research grants. | High | Medium |
| Confidential Data Release: A user account with access to restricted data is compromised through phishing and is then used by a remote attacker to steal bulk personally identifying information (PII) or research-related intellectual property (IP). Impact: Trigger of state breach notification, compensation/fraud monitoring for impacted individuals, negative publicity, lost market opportunity, and damage to reputation potentially impacting student retention, student recruitment, and research grants. | High | Low |
| Account Escalation: A user account without significant access to restricted data is compromised through phishing or other social engineering. The account is then employed by an attacker to send large numbers of phishing or scam emails to other accounts inside the University, bypassing external filtering and increasing the chance of a high-level user being compromised. Impact: Trigger of state breach notification, disruption of University day-to-day functioning, negative publicity, and damage to reputation potentially impacting student retention, student recruitment, and research grants. | Medium | Medium |
Recommendations
Given the threats identified above and the risk they represent to the University, the ITSEC team recommends that all regular employees, defined as all faculty, staff, and course instructors, be required to use Duo MFA and to participate in annual Security Awareness Training. By current metrics, this population accounts for just under 4,000 individuals at the University.
Implementation
Security Awareness Training: All regular employees will be required to complete a base security training program at least once every fiscal year, covering social engineering, phishing, and other critical cybersecurity topics. Employees will be given 4 months to complete the training, and completion metrics will be provided to HR and other division leaders. New hires will be required to complete the training program at or shortly after onboarding. Additional training may be provided to, or required of, other employee populations depending on risk and job function.
Duo MFA: All regular employees will be given an opt-in window in which to enroll in Duo MFA. If an employee does not enroll within the opt-in period, their account will automatically be enrolled in Duo, and they will not be able to log in to SSO-protected pages until they complete the enrollment process. ITSEC reserves the right to grant exceptions to the opt-in window depending on the situation.
Timeline: ITSEC will announce both required programs on Wednesday, October 17, 2018. Duo will be required for all new hires beginning November 1, 2018, and for all existing employees by Monday, February 4, 2019. Security Awareness Training for FY2019 will require completion by Friday, February 1, 2019.
Included ECLS Codes: F9, FD, FA, CH, AD, CL, S8, AE, AM, AB, AF, PF, TS, TH, TR, TE, GA (if also GR1)
Other: Sponsored Employee and Emeritus Faculty
Note: Access to this service may be limited in compliance with sanctions announced by the Office of Foreign Assets Control.