During the 2016-2017 fiscal year, the Information Security Office at UNC-Chapel Hill continued to innovate and accelerate efforts to combat the growing number and sophistication of threats against the University’s electronic information. Here are highlights of the Information Security Office’s accomplishments over the past fiscal year.
Expanded user account protection for all students, faculty and staff
Phishing is on the rise, resulting in compromised user accounts. To help combat the threat of these compromised user accounts, ITS has implemented tools to automatically disable accounts as soon as they are known to be compromised. A total of 1,084 accounts were remediated through this process in fiscal year 2016-2017.
To further protect user accounts, ITS has made 2-Step Verification available via Duo to all faculty and staff. At the end of the fiscal year, there were 11,970 active Duo users. ITS requires Duo for highly sensitive data, such as W-2 tax forms in ConnectCarolina and power users with access to sensitive data in ConnectCarolina. In fiscal year 2017-2018, ITS will configure additional services for Duo (such as Office 365 and Shibboleth-authenticated systems) and expand the scope of enrolled Duo users to include students.
Protecting user accounts from unauthorized use is increasingly important as the University moves to Office 365 and other powerful cloud services.
Hardened campus network security
Every day the campus network is the target of millions of network attacks. To help combat these attacks, the campus network has several layers of defense, including intrusion-prevention systems (IPS) at the campus border, advanced “next-generation” departmental firewalls and web application firewalls in front of critical servers.
In fiscal year 2016-2017, ITS made significant improvements to the security of the campus wireless network by enabling inbound port blocking for all wireless devices. This protects wireless users from network-based attacks, and prevents unsolicited network traffic from even reaching their machines through the blocked ports.
In fiscal year 2016-2017, ITS also enabled “next-generation” features on all the campus firewalls, including IPS technologies to block malicious traffic, URL filtering to protect users from malicious websites, and file scanning to detect and contain malware traversing the network.
Introduced risk assessment service for new purchases
The risk assessment program within the Information Security Office continued to grow and mature over the last year. Collaborative efforts with Procurement, Privacy, Counsel, University Data Stewards and others have helped to better define the process. Several major risk assessments were completed, including an in-depth review of Carolina CloudApps and cloud vendors Microsoft (Azure) and Amazon (AWS).
- New requests for risk assessment: 49
- Completed: 33
Improved Payment Card Industry compliance
The University has made significant strides in achieving PCI Data Security Standard compliance over the last year to enable the University to safely accept credit-card payments. The Information Security Office, in conjunction with Finance and through the CERTIFI committee, has worked with more than 100 merchants across campus to improve security in credit-card processing. A third-party penetration test of the University’s cardholder environment found no gaps. UNC-Chapel Hill is on target to be fully compliant with the strict PCI data security standard by the end of October 2017.
Drafted all departmental risk reports for Project SIR
The ISO met with representatives from every department on campus to document the success of Project SIR and the residual risk not remediated by the Identity Finder solution. Some 34 departments were interviewed, and unique reports were drafted for each. With this information, the ISO will prioritize future security initiatives with a better understanding of department-level risk.
By the numbers
- 13,103 phish messages reported to phish@unc.edu
- 1,084 compromised user accounts deactivated
- 11,970 active Duo 2-Step Verification users
- 90 potential security incidents involving sensitive data investigated
- 22.95 billion unwanted network connections blocked by University firewalls