Security Initiatives

This page outlines ongoing initiatives and projects by the IT Security, Identity Management, and Compliance (ITSEC) team to increase campus network and data security.  For more information about these initiatives, please contact Jon Weber at jweber2@memphis.edu or see the FAQs below. 

Fall 2018

Network Border Firewall

The UofM network is the target of continuous malicious inbound traffic, ranging from scans seeking out vulnerable systems to actual attacks. Some of these threats are blocked by a network Intrusion Prevention System (IPS); however, a significant number pass through undetected. In August 2017, the IT Security team instituted limited port blocks for SSH traffic originating outside the United States and Canada. While these blocks have proved beneficial, attackers are increasingly turning to US-based hosting providers to launch attacks.

Given these threats, the IT Security team recommends further implementation of a firewall at the campus network perimeter to filter out any inbound traffic that has not been specifically granted by exception.  For further implementation details and timelines, please see the Security at the Network Perimeter - Border Firewall page.

Security Awareness Training Program & Duo Multifactor Authentication (MFA) Expansion

The IT Security team has previously undertaken projects to deploy the Duo Account Security Multi-Factor Authentication product and SANS Securing the Human training program to provide additional security for those individuals who have access to sensitive IT systems or data. While Security Awareness Training has been mandated for the last three years for any individual with access to Banner HR or Finance roles (as well as all IT employees), Duo has largely been left in an opt-in state outside of several specific departments.

As the risk of social engineering through email phishing attempts and scams continues to rise, further adoption of Duo MFA and Security Awareness training is vital to lowering the risk of compromised user account credentials in our population.  Given the threats to the University, the IT Security team has recommended that all regular employees, defined as all faculty, staff and course instructors, should be required to use Duo MFA and participate in annual Security Awareness Training.

For further implementation details and timelines, please see the Multi-Factor Authentication (MFA) and Security Awareness Training Expansion page.


Frequently Asked Questions

Network Border Firewall

  • My work requires that I access numerous external resources. Will the firewall change affect my access?

    No, the firewall change will not impact access to external resources.  The firewall will only block incoming traffic to devices outside of the campus datacenters.

  • Will the firewall change impact access to ITS services like the myMemphis Portal, eCourseware, or Office 365 email from off campus?

    No, these services will still be available from off-campus without any change in access.

  • My work requires that I remotely access my office computer on campus.  Will the firewall change impact my access?

    Yes, the firewall change will block remote access to on-campus devices by default.  As a workaround, you can utilize the campus VPN service to bypass the block and continue to use services normally.

  • What if I cannot use the VPN server?  Can I request an exception?

    Yes, you can request an exception by using our firewall exception request form in the ITS Service Desk TOPdesk system.  Exception requests will be reviewed by the ITS Security team.

  • I collaborate with others outside of the University and they utilize programs running on a computer in my office or lab.  How will they connect after the change?

    You can request an exception by using our firewall exception request form in the ITS Service Desk TOPdesk system. Exception requests will be reviewed by the ITS Security team.

 

Duo Multi-Factor Authentication (MFA)

  • Why is this service necessary?

    As noted above, threats such as social engineering and phishing increase the risk of an individual inadvertently sharing their username and password.  MFA helps protect critical University resources by requiring an additional piece of information or factor during login that a hacker will not have access to.  Even if a password is compromised for an account, the account cannot be used to access critical or important University information.

  • What methods are supported by Duo MFA?

    When paired with an app installed on a smartphone or tablet, Duo can send a push message to the app that, when acknowledged, will serve as a second factor during login.  The Duo app can also be used to generate one-time passcodes in the event that the device does not have a wifi or cellular data connection.  Duo MFA also supports text messaging and voice calls.  Please see the Duo Account Security documentation for further assistance with Duo MFA methods.

  • When do I have to use Duo?

    Duo is required whenever you log on to a website protected by our Single Sign-On (SSO) authentication service, such as the myMemphis Portal, eCourseware and others.  It is not required to log on to your computer.

  • Do I have to do this every time I log on?

    Yes, you will have to use Duo MFA the first time you log on to a website behind our SSO authentication service.  You will not be prompted to use Duo on other sites if you already have an active logon session to another site.  If you restart your browser or computer, you may be prompted to use Duo again.  You can also use the "Remember me" option at the bottom of the Duo screen to remember your Duo session on that device for a seven-day period.

  • Why don't students have to use multi-factor authentication?

    At this time, employees are the only group required to use Duo MFA, due to the risk to University data being exposed in the event of a compromised password.  Students can opt-in to use Duo MFA but are not required to use it at this time.

  • What if I don't want the university to have my cell number?

    You can use an office or other "land line" telephone number to enroll in the service with reduced functionality.  If you are frequently away from your phone, please contact the IT Security team at duo-help@memphis.edu for additional options.

  • What if I don't have my cell phone on me or it is not charged?

    When enrolling in Duo, you are prompted to enroll a backup device or phone number, such as an office or home phone, that can be used in the event your primary device is not available.

  • I travel frequently and don't always have cell service.  How can I use the Duo service?

    The Duo app, installed on a smartphone or tablet, can be used to generate a one-time passcode even when the device does not have an internet connection.  Please see the "Using the Duo Mobile Application in location with poor cell coverage or no WIFI" section of the Duo Account Security documentation.

  • What if I don't have a smartphone or don't want to use it?  Can I use something else?

    You can use an office or other "land line" telephone number to enroll in the service with reduced functionality. If you are frequently away from your phone, please contact the IT Security team at duo-help@memphis.edu for additional options.

  • Why can't I receive an email as a second factor?

    The Duo MFA service does not currently support email as a second factor.  In the event of a compromised password, a hacker could still log in as they would also have access to an individual's University email account.

  • Duo didn't work.  How do I get help?

    Please see the Duo Account Security documentation or contact the ITS Service Desk at (901) 678-8888.


Security Awareness Training

  • Why am I being required to complete the training?

    As noted above, threats such as social engineering and phishing increase the risk of an individual inadvertently exposing critical University information or financial resources. Training can help individuals spot attacks and scams before they can impact the University.

  • How do I know if I need to complete the training?

    You will receive an email when the training period opens with a link to the training website. You will also receive reminder emails prior to the end of the training period.

  • I don't have time to participate in this training.

    Depending on pace, the training program is expected to take between 30 and 40 minutes. The training does not have to be completed all at once.

  • I have already completed Security Awareness Training previously.

    Hackers change tactics over time and the material has been updated to reflect the changing threat environment. Future trainings may track previous completion status or allow individuals to pre-test on the material.

  • I am on sabbatical/will be on sabbatical during the training period.

    The Security Awareness Training will be available online and accessible from anywhere in the world. If you are still unable to complete the training during the training period, please contact itsec-training@memphis.edu.