If you’ve ever logged into your Gmail account using a different device than usual, you’ve probably had Google ask you to verify your identity by sending a code to your phone.
Vanderbilt students may soon encounter a similar process when logging into university services like YES and Brightspace. Multi-factor authentication is one component of VerifyU, the new cybersecurity initiative from Vanderbilt University Information Technology (VUIT).
Vanderbilt experiences cyber attacks constantly, VUIT Director of Security Operations Masood Sidiqyar said. Many attacks take recognizable forms and are thwarted easily by behaviors like reporting untrustworthy emails.
Still, cyber attacks present a moving target. More and more attacks rely on social engineering, Sidiqyar said, including the use of technology to impersonate a boss over email or to interfere with payroll. What’s more, Vanderbilt’s status as a Research 1 Institution increases its likelihood of being targeted in these attacks, Sidiqyar said.
VerifyU, VUIT’s newest response to cyber attacks, features three technologies: multi-factor authentication for campus accounts and services; CrowdStrike, a next generation antivirus for university-owned computers; and CrashPlan, a data loss protection system.
Multi-Factor Authentication
According to Sidiqyar, at least 1,000 student, staff, and faculty accounts have been compromised in the past two years, mostly through phishing mechanisms. To combat security breaches like these, VUIT will implement multi-factor authentication to various Vanderbilt accounts and services using the third party vendor Duo.
Multi-factor authentication requires an additional form of credentials to log on. For example, a student logging onto YES might enter their VU NetID and password, and then complete one additional step of authentication using the Duo app on their phone– perhaps choosing between a red x and a green check.
VUIT hopes to first implement multi-factor authentication in the university’s Virtual Private Network (VPN), which gives off-campus users access to private Vanderbilt resources, in mid March.
The whole student body should expect to see the effects of this change as it spreads to YES, Brightspace, and other Vanderbilt applications in the coming months.
Since most Vanderbilt students have encountered multi-factor authentication when accessing their bank or email accounts, VUIT anticipates little pushback to this change, Vice Chancellor for Information Technology John Lutz said.
CrowdStrike
The second component of VerifyU is CrowdStrike, a next generation, market leader antivirus which will be implemented on faculty and staff computers. CrowdStrike protects against a wider range of threats than prior antiviruses. It also enables VUIT to respond more effectively when an attack does occur, Sidiqyar said.
Since student laptops vary greatly, and many students already have their own preferred antivirus, VUIT refrains from prescribing a specific antivirus for students. Visit here to see VUIT’s suggestions for antiviruses on student-owned computers.
CrashPlan
Ten years ago, many Vanderbilt faculty backed up their research data to a physical data center on campus. Today many use cloud services like Box, DropBox, or OneDrive instead. Now VUIT offers CrashPlan, a data loss protection service that has already gained momentum in other schools and on Vanderbilt’s own campus, Lutz said.
CrashPlan backs up data to the cloud automatically and continuously, protecting data in case of hard drive failure or attack by ransomware, software that steals and holds data hostage for ransom. In either case, the data in question would be fully recoverable from the CrashPlan cloud.
Although CrashPlan will serve mostly faculty and staff, student researchers can back up their data there as well.
The Vanderbilt community should expect a full roll out of these three technologies in the coming months. In the meantime, students themselves can strengthen campus cybersecurity by reporting anything that looks untrustworthy to the TechHub station in Rand or by email to [email protected].