Duke ITAC - October 29, 2020 Minutes
Agenda – October 29, 2020
4:00 – 4:05 – Announcements (5 minutes)
- Meeting minutes for October 1st motioned for approval. Hearing no objections, the meeting minutes are approved.
Next, Richard talked about a cybercrime threat involving ransomware targeting U.S. healthcare organizations. Richard emphasized the need to patch and update personal devices and work/home computers, and to keep internet browsers updated, to minimize the chance of being targeted. Richard reinforced the importance of installing CrowdStrike on any Duke-managed computer and mentioned that a home version of CrowdStrike had been acquired by Duke and could be installed on personally-owned computers running the Windows operating system. Richard also encouraged the reporting of suspicious emails to firstname.lastname@example.org.
Q: Any signs yet that it has been seen around the Duke/ Duke health system?
A: No, we have not seen any hits against the indicators of compromise. Between the network monitoring and CrowdStrike that we have put in place, we have good visibility into malicious activity that occurs.
Q: How are they differentiating between Duke Health and University side as far as being attacked?
A: We took a broad approach to this because the health system and the university are so tightly coupled in certain areas. What these groups are doing is amassing information. For example, they gather information and say, “here are some hospitals along with their IP ranges and people associated with these hospitals,” and then use that open-source information to attempt to infiltrate. They like to target Windows systems (e.g., RDP, SMB, and other vulnerabilities inside of Windows) and phishing (the main driver for this).
4:05 – 5:00 p.m. – Home Network Attacks in the Age of the Remote University, ITSO (40-minute presentation, 15-minute discussion)
What it is: Continuing the IT Security Office’s Halloween tradition as part of National Cybersecurity Awareness Month in October, this presentation will discuss risks associated with an increasingly remote working and learning environment. The ITSO will demonstrate an attack chain targeting home networks and discuss potential mitigations for these threats.
Why it’s relevant: Remote learning and working have dramatically increased the threat landscape for Duke and its community. This presentation will discuss methods for ensuring remote networks are protected from these types of threats.
Niko started the presentation with a fictitious story: a news headline about a Duke researcher who had posted on Twitter a potential “cure” for the COVID-19 virus using coconut water.
Because so many people around the world are currently working from home, Niko posed the question, “Why does the state of the fictitious Duke researcher’s home network matter to Duke?” To answer this, Niko walked through a scenario in which a hacker targets and gains access to a Duke researcher’s machine through their home network or through other personal computers and devices on that network. One way this could happen is by infecting a machine via a website serving malware. For example, an attacker could gain access to someone’s home network through an online scam offering free Fortnite V-Bucks. These Trojan applications have become quite common in hacker circles and have a high success rate, especially among kids.
The way these applications work is that once a victim “claims” their free V-Bucks, a malicious backdoor is installed, giving the hacker full access to the computer. The hacker can now create and read files, spy on the user, or record video using the embedded camera, or the hacker can install additional malware and try to spread it further.
Niko then went on to discuss other ways an attacker might target a user’s home network or personal computer, and what steps the user can take to improve home network security.
Niko shared metrics gathered by the Verizon Data Breach Investigation report:
- 86% of breaches were financially motivated (up 15% from 2019)
- 70% of breaches are caused by bad actors (with 55% of these in organized crime)
- 67% of breaches were due to credential theft, errors, and social attacks
- 27% of malware incidents are from ransomware, and that threat is rising
- 43% of breaches are due to web app attacks (double from 2019)
- 58% of breaches involve personal data (double from 2019)
- 17% of breaches are caused by errors (double from 2019)
- 30% of breaches involved internal actors
- Attempts to exploit humans (known as “social actions” in the DBIR) arrived via email 96% of the time
Niko explained that the different stages of an attack are together referred to as the attack chain.
- Infiltrate: the attacker decides who to target and how. Examples: router vulnerabilities, missing patches, untrusted devices.
- Explore: once the attacker has access to a network, the attacker can search the network for sensitive data and other high-value assets. Examples: network scanning, router compromise, device access.
- Execute: the hacker tries to turn their findings into profit. Examples: data exfiltration, credential harvesting, ransomware.
In the scenario mentioned earlier, what can be done to maintain a secure network?
Niko explained that the researcher and anyone at Duke can:
- Network-level blocking: upgrade the home router, and segment the Wi-Fi network so that guests use a separate “guest” wireless network.
- Patch management: keep an inventory of all devices on the network and of which of these devices need to be updated.
- Anti-virus: use an endpoint security solution, such as CrowdStrike, for Duke-owned computers. Optionally, use CrowdStrike Personal edition for personally owned computers (available on software.duke.edu).
- Account management / privileged account management: run day-to-day accounts as standard users to minimize the impact of malicious software installed on the computers. Enable multi-factor authentication on social media accounts and other accounts. For Duke, we recommend enrolling in Duke Unlock for easy authentication to Shibboleth-protected services.
Next came the questions/comments section.
Richard Biever encouraged the ITAC group to look at their home networks and assess the age of their home router/modem, both to stay current on security updates for the router and to upgrade to newer, more capable equipment if needed.
It was also mentioned that it would be good to have resources people can follow for home network security practices.
- A point of emphasis was that this is not just about the security of the home network but also about user behavior. Niko expanded on this and mentioned that in the case of the researcher, another member of the household was the entry point of the attack. So, restricting the permissions on the device could have stopped the research documents and account credentials in the story from being stolen.
5:00 – 5:30 p.m. – SISS - DukeHub 2.0 update, Chris Derickson (15 minutes presentation, 15 minutes discussion)
What it is: SISS and OIT are in the final stages of a major redesign of DukeHub. The new version will go live shortly after the end of the Fall 2020 semester (weekend of December 5th). The project has been one of the most collaborative and inclusive efforts that SISS and OIT have conducted, and hundreds of users are already enjoying new features as part of an extensive pilot program. As a result of feedback from faculty, advisors, staff, and students, the new DukeHub has already evolved to better fit Duke’s needs. We’re excited to unveil the new feature and new interface in a little more than a month.
Why it’s relevant: Learn more about the current state of DukeHub 2.0 and hear from faculty and students who have already helped with testing and feedback. If anyone would like to have early access to the new DukeHub before the official go-live, just let us know after the presentation today.
Chris Derickson began by crediting the DukeHub 2.0 team. Chris explained that DukeHub 2.0 is a new user interface that sits on top of the old student information system, which is more than 20 years old and uses Oracle’s PeopleSoft. The goal of DukeHub 2.0 is to improve the overall user experience. A decision was made to go with a solution that grows as Duke grows and improves over time. This solution involved the following team: SISS, SISS-OIT, HighPoint, OUR, Financial Aid, Bursar, students, faculty, staff, and advisors.
The official go-live for DukeHub 2.0 is Saturday, December 5th, chosen so that this unusual (due to COVID) semester is over first. Planning has been ongoing since 2019. Planning included extensive fit-gap analysis and close work with HighPoint to document requirements. The project also included pilot groups, focus groups, training sessions, communications, and video creation. Now, anyone can request to be an early adopter by emailing email@example.com. As far as promotion, Camille Jackson, Director of Communications for OIT, has been amazingly helpful and came up with the tagline “DukeHub 2.0: Just Better.” There will be a student raffle over the break to incentivize students to leave comments. TikTok videos are coming. Chris underscored how they have tried to listen to the users throughout the entire process.
Chris talked about the existing and new features of DukeHub 2.0.
1. Modern, responsive design, new navigation
2. Constantly evolving and improving tool
3. Ability to create your own tiles and customize your homepage, using the Oracle tool called Fluid
4. Favorites will be migrated from DukeHub 1.0
5. Campus Experience, the new interface, is built directly on top of PeopleSoft, so most features you loved will be there still
The new functionality of DukeHub 2.0 includes:
1. Drop if enrolled – drop a class only once you are enrolled off of a waitlist
2. Directly enroll from multiple pages in the system
3. Gender pronouns for students
4. Integrated dashboard for faculty and advisors
5. Opportunity to pilot a new process for class permissions
6. Look up Student/Act as User which allows you to see exactly what the student sees
Chris then demonstrated the interface from the new landing page at dukehub.duke.edu. A few features were highlighted, such as a student being able to send a message while requesting a class, and the faculty page where faculty can see requests waiting for approval or rejection.
Q. JoAnne Van Tuyl – Can faculty make comments in connection with class approval or rejection?
A: Chris believes so.
Q. Jun Yang – Would it make sense to list the timestamp of the request in addition to just the date? Sometimes that would allow us to establish a FIFO processing order for an oversubscribed course.
A: Chris says yes, that’s in there.
Q. Robert Wolpert – Will I know how many slots have been given away with permission numbers since the two systems will be coexisting for a while?
A: Chris says a specific class will exist in only one system at a time so yes, faculty will know.
This concluded the presentations for the evening.