CONTACT US AT:
Information Security Office
Clear Lake Center
Suite 1.158
Webster, TX 77598-1230

Phone: 409.772.3838
Email: iso@utmb.edu

 


The Information Security Corner With Bob Shaffer

Over the course of the last 12 months we have seen a significant increase in the number of phishing campaigns that target our employees with the intent of stealing usernames and passwords for the purpose of identity theft and other types of fraud.

Institutions throughout the UT System have seen several incidents where criminals have stolen logon credentials and used them to change direct deposit information of individual employees, essentially stealing their paychecks. As phishing campaigns get more sophisticated, users are finding it difficult to determine the legitimacy of a request sent through email. One way to reduce the risks associated with phishing activities is to implement two-factor authentication on Internet accessible systems that manage personally identifiable information.

Users will have until September 30, 2015 to register for two factor authentication for VPN access to UTMB. This open enrollment period will give personnel the option to use our traditional username/password or the two factor authentication method, allowing them ample time to address any unforeseen issues that they may encounter with the new logon process.  On October 1st, the two factor authentication method will be required for VPN Access.

The two-factor registration site is located at: https://myvpn.utmb.edu. Beginning September 1, 2015 the default VPN login will initiate the two-factor enrollment and authentication process.  If you prefer to use the traditional username/password logon, a link will be provided on the VPN homepage (https://myvpn.utmb.edu)

Because of hardware upgrade issues, two factor authentication for Citrix has been delayed until November 1, 2015.  

More information about two-factor authentication, including frequently asked questions and instructional videos, is available at https://www.utmb.edu/duo/.
~~~
Frequently Asked Questions:

What is “Two-Factor Authentication”?
Even tech savvy employees have fallen for cyber-attacks that trick them out of their passwords using a technique called phishing. The bad guys can then use your stolen password to log into systems such as PeopleSoft and re-route your paycheck to the criminal’s bank account, steal your identity using your tax statements also available in PeopleSoft, or access information in your email account and Epic. 
Two-factor authentication ensures that even when your password is stolen, the bad guys cannot access sensitive information. When remotely logging into UTMB information resources from a new computer, you will be asked to verify your identity in one of four ways: Duo Mobile app, cell phone text message, cell phone call or use of a keychain device.

How do I log into VPN with DUO two-factor authentication?
The following guide provides instructions for registering with Duo and logging into VPN - Duo two factor instructions. Between 9/1/2015 and 9/30/2015, you can use either the traditional username/password or the new two factor authentication method.  Effective 10/1/2015, two factor authentication will be required for VPN access.

What is Duo?
This is the name of the product UTMB has selected for implementing two-factor authentication.

What if I don’t have a phone or don’t want to use my phone for two-factor authentication?
The use of your phone for two-factor authentication is not mandatory. If you would like to remotely access our systems without the use of a phone, a keychain token can be provided with the approval from your department management. Please note that there is a $50.00 charge associated with a key chain token.

How do I setup/register my phone?
The first time that you login to an information resource with Duo two-factor authentication enabled, you will be prompted to register. You will only need to register once, even if you access multiple types of information resources.  Registering your office phone as an alternate method of authentication is highly advised.

Do I need to use Duo every time I login?
No, if you are on a trusted device such as your home computer, you can “trust” the device for 30 days. All devices on the UTMB network are automatically trusted and will not ask for you to perform two-factor authentication.

What information resources require two-factor authentication?
All information resources with sensitive information used by employees, faculty, staff and students will require two-factor authentication. This will be implemented for all systems over the course of the next couple years.

  1. Juniper VPN Network Access (September 1 2015)
  2. Citrix (November 1, 2015)
  3. Outlook Web Access (Under Consideration)
    1. Only required when accessing from untrusted networks (e.g., home, Starbucks)
    2. Those already registered will not need to re-register for Duo Mobile

I received a login request message that I did not make, what do I do?
Immediately change your password as it is likely that someone has stolen your password and is trying to use it maliciously. If you are using the Duo App, pressing the red “deny” button will alert Information Security. If you are not using the Duo App, you should contact the Service Desk to let them know of the incident.

What if I get a new phone number or have no access to my old number?
You can enroll additional phones or tablets at any time. However, to prevent the malicious registration of unauthorized devices, you will need to have access to at least one of your registered devices. If you do not have access to one of your registered devices, you may contact the IS Help Desk to have your device registration reset.

I need to change the phone number registered to my account. How do I do that?
If you have multiple devices registered (such as your desk phone), you can visit http://myvpn.utmb.edu, log in with your username and password, then click “Manage Devices” to add or remove a new device. If you do not have multiple devices, for security reasons you will need to contact the Information Resources Service Desk to have your account reset.

Why am I not seeing the “Manage Devices” option or being prompted for Duo authentication? You are not seeing this option because you selected Duo to remember your device for 30 days.  In the event you do need to add or make changes to your devices and need to be prompted for Duo authentication, do one of the following:

  1. Clear the cookies of your browser through your Internet options.
  2. Use a different browser.  Using a browser to which you have not saved any of your Duo preferences will prompt you to authenticate when logging in.

Can I register for two-factor while on campus?
While VPN services are only available from outside of the network, Information Services has setup a website at http://myvpn.utmb.edu that will allow you to register for two-factor authentication while on the UTMB network.

Can’t you just block access from outside of the United States?
Since UTMB is an international organization, there are many legitimate users outside of the United States who daily need to connect to our sensitive information resources. Additionally, attackers are using infected computers in the Unites States to carry out their cyber-attacks against UTMB.

Can I use the Duo mobile app to protect other accounts with Two Factor, such as Gmail and Facebook?
Yes. For more information, please visit http://guide.duosecurity.com/third-party-accounts. Please note that the use of Duo mobile for these personal accounts is not supported by the IS Service Desk.

I am traveling internationally. Will my device need to have international voice, texting, or data to authenticate?
No, you can still use the Duo Mobile app or a physical keychain fob to authenticate. By opening up the Duo Mobile app, you can press the “key” icon which will generate your 6-digit login code. This does not require a cellular or wi-fi connection. Alternatively, pressing the button on the keychain will present the 6-digit login code.

Is the Duo Mobile app trustworthy to install on my personal device?
The Duo Mobile app is highly rated in both the Android and Apple stores. Additionally, this app has been reviewed and approved by the Information Security department to ensure appropriate levels of security and privacy. The app does not have the ability to access data on your phone such as pictures, messages or contacts.

My username and password do not have access to anything confidential. Why do I still need two-factor protection?
Most attackers are interested in using your username and password to break into the secure internal network so that they can look for vulnerabilities on the thousands of sensitive internal systems on campus. Alternately, attackers will login to a user’s email account and send out hundreds or thousands of phishing messages to other faculty, staff and students in an attempt to compromise their computers and\or get access to sensitive information.

Do I need to install software on my laptop or home computer to do two-factor authentication?
No, two-factor authentication is integrated into the various login pages, so additional software is not required.

Duo Walkthrough PowerPoint

Search the National Vulnerability Database
Enter Vendor. Software or Keyword