The University of Wisconsin rolled out multi-factor authentication from Duo Security on Sept. 9 as a measure to help make NetID accounts more secure, with a mandatory enrollment deadline of Oct. 31.
The service comes into play after 4,946 NetIDs were stolen last year, according to a UW press release.
The Duo program prompts students to scan a unique code with the device that is associated with their NetID. From that point onward, each login requires the student to choose to send a push notification or text message to their device.
Only once the login request is approved through the notification will the student be able to access their account.
The Interim Communications Director for the Division of Information Technology, Mary Evansen, explained there are multiple risks if someone with harmful intent were able to access a student’s NetID.
“The biggest risk to the account holder is having their personal information in the student center and email accessible by the criminal,” Evansen said. “The criminal can misuse the information to steal the student’s identity for financial fraud. The criminal would also have access to university services such as Canvas, MyUW Madison, Box and G Suite, to name a few.”
Risk analyst and UW staff member John Nagler pointed out there is much more risk associated with some accounts when compared to others, depending on the level of access. Nagler explained that some researchers on campus not only have access to highly sensitive data but also to “millions of dollars in budget.”
Nagler also explained some students, such as student employees, have more access than others. Some student employees are able to view other students’ information, increasing the risk associated with the account if it were to be stolen.
“As an individual student, an attacker would only have access to that student’s data and potentially that student’s family’s data,” Nagler said. “As a student employee, an attacker could potentially have access to all that student’s personal data, and if they worked for financial aid, then there’s some greater potential for some real damage to other people.”
UW Office of Cybersecurity, Division of Information Technology staff member Ed Jalinske explained there are also response measures in place on campus in case someone’s NetID account is phished or a device has malware on it.
Jalinske said the Cyber Security Operations Center is continuously monitoring for suspicious activity and shuts down accounts that may have been breached. They also remove compromised devices from the network to prevent the spread of malware to other devices, Jalinske said.
Jalinske said while the work of the CSOC is a “big deal,” it is also purely reactive, which is more difficult than preventative measures such as Duo logins or cybersecurity education. As Jalinske described, cybersecurity is a “breakeven” business.
“If we are staying just at the same level as the attackers, we’re doing our jobs properly, because to stay ahead of worldwide threats, nation-states, rogue hackers and hacker groups on a continuous basis — I’m going to venture to say it’s an almost impossibility,” Jalinske said.
Nagler also said UW will be rolling out another security measure to campus — a password manager known as LastPass. Nagler explained LastPass allows users to generate unique, randomized passwords and store them so the user can easily retrieve and use them.
Nagler said the password can be a string of 20 letters, numbers and characters with random uppercase and lowercase that would be very difficult for humans to remember, let alone hack.
“That will increase the security posture of everyone on campus by an order of magnitude,” Nagler said.
UW Chief Information Security Officer Bob Turner explained that academic and cybersecurity experts both say identity theft is a low-risk and high-reward crime.
Turner also cited industry publications, such as the 2019 Verizon Data Breach Investigation Report, that found 16% of all breaches were breaches of public sector entities.
Cybersecurity measures at UW are implemented in order to support the many missions UW represents, Turner said.
“Our cybersecurity program, and specifically implementing MFA at UW-Madison, is designed to support the academic, research, outreach and administrative missions of the university and to prevent that type of evil from impacting the lives of students and staff,” Turner said.