Duo to be required by all BOR schools
Students may not know it, but hackers and scammers try to steal university credentials every day.
This, IT security officer Joe Reynoldson said, is why the Board of Regents (BOR) is requiring all students to enroll in Duo Security by Jan. 27, 2021.
About half of all active students have Duo, and new students are required to enroll in Duo when they first pick up their university accounts, Reynoldson said. If a student doesn’t have Duo by Jan. 27, they will be required to enroll before they can access services like D2L.
Cybersecurity, Reynoldson said, is critical at all levels of people’s lives and is a complex field of work, though there are straightforward steps people can take to protect their information.
“The single most effective way to protect yourself, as well as your friends and family, is to enable multi-factor authentication wherever you can,” Reynoldson said.
Information Technology Service (ITS) sees a variety of attacks on a daily basis, Reynoldson said, but the primary goal of attackers is to steal student usernames and passwords. Attackers can then use this information to put spam on the internet or spread ransomware across BOR networks.
“What we see most often is that student passwords are compromised with different websites online,” Reynoldson said. “And because … people tend to reuse their password for lots of different accounts, they turn around and the bad guy takes those passwords, turns around and logs into a university account.”
With Duo, Reynoldson said, even if a password is stolen or put online, it’s useless without a second factor of authentication.
Nate Brady, a security engineer at ITS, said USD is a target because it has valuable information. He said attackers often try to use direct deposit information to steal student refunds and staff paychecks.
“They’re constantly trying to send emails to HR, or find other ways through phone calls to change my — or other staff members’ — direct deposits, just before payday,” Brady said. “They’ve done this research. I mean, it’s obvious that they know what they’re doing, they know who to talk to.”
Brady said ITS uses Microsoft Defender Advanced Threat Protection to send him alerts when student accounts are potentially compromised, like when an account which has been consistently logging in from Vermillion suddenly logs in from Latvia or Nigeria.
First, Brady has to vet the login because USD has some students who work and live overseas, though he knows who those people are because they’ve been found to consistently log in from that location by analytics. If they use Duo, he said, he knows it’s a good login.
“But when I see you’re in Vermillion today, and then in five hours you’re in Washington, and then a couple minutes later you’re in Nigeria, that means the bad guys are … checking your credentials to see if they can turn around and make use of them,” Brady said.
Additionally, ITS has installed software on university computers that seek and report malware. ITS also does penetration scanning against all of USD’s servers, Brady said.
Reynoldson said since adopting Duo, ITS has seen a significant decrease in compromised accounts. He said in Aug. of 2018, the university saw a large attack where hundreds of student accounts were logging in from foreign countries — after which ITS made students change their passwords — and since then, there have been spikes in compromised accounts at the beginnings of semesters, although each spike gets smaller.
“You’ll see them test the accounts, to see if the password works, approximately two weeks before the semester starts, and then about two weeks after the semester starts, they try again,” Reynoldson said. “They know our business processes, they know when our semester starts, they know when students are likely to be getting financial aid. They’re really targeting us, just like they do everyone else online.”
When the end of January comes and all students are required to have Duo, Brady said he will breathe a little easier since attackers often give up when they see they have to go through two-factor authentication.
Another tool that helps protect USD students and staff, Brady said, is the human firewall — the ability for people to report phishing or spam directly from their emails.
“It’s one of the best things, because if all of a sudden we’re getting hit really hard with a phishing scam, and let’s say they send in 100 emails, if you report it or a staff member reports it, it comes directly to my phone,” Reynoldson said. “I could get on it right away and delete those emails out of your inbox.”
For students looking for additional cybersecurity, Reynoldson said people should enable multi-factor authentication if possible for all their accounts using apps like Duo Mobile, Google Authenticator or Microsoft Authenticator. Using the best password manager for safari is a good way to protect passwords, especially for services which can’t be protected by multi-factor authentication.
Students who have not yet enrolled in Duo can do so by visiting link.usd.edu/duo-info.