Two-Factor Authentication With Duo

John Charles, Vice President of IS&T, announced earlier this month the upcoming requirement for using two-factor authentication to log into systems and services at MIT. Two-factor authentication secures our data by limiting the risk of a password compromise, which in turn could allow a cyber attacker to access services limited to MIT users. Duo Security is the service IS&T is using to leverage two-factor authentication.

Services that you will need to use Duo for, beginning September 30, 2015, include:

  • Touchstone and web services authenticated through Touchstone (such as Atlas, Barton, and Stellar)
  • MIT’s VPN service
  • Remote access to systems supported by IS&T or located within IS&T data center facilities.

Students are excluded from this requirement until Summer 2016.

Two-factor authentication is used in addition to a username and password to prove you are authorized to log into a system. It is based on the principle of something you know (your username and password) and something you have (your phone or a hardware token). Users are first asked to authenticate with their username and password (considered the first factor) and then prompted to retrieve a code that is sent to their phone or designated device (considered the second factor).

The code can be sent to the Duo application on your smartphone, which, when when it is received, you simply click on the message to OK. No re-entering of the code is necessary. You can also have a non-smart phone or hardware token set up for Duo.

Although this second step requires dedicating a bit of extra time to logging into a system, you have the option to have a browser remember you for the next 30 days, which turns off the prompt for the second factor during that time.

Learn more via the links below.

Using Duo Two-Factor Authentication (KB)

How do I log into MIT services that leverage Duo? (KB)

Register for Duo (sign up form)

Duo Memo (Letter to the Community)

MIT Certificates Expire on July 31

If you haven’t done so already, be sure to renew your MIT personal web certificates and at the same time update your password (if the password is over a year old). Pick a strong password so that it’s less likely to be compromised.

Renewal of personal web certificates is not automatic, so plan to renew to ensure continued access to MIT’s secure applications, including Atlas, Benefits, SAPweb, WebSIS and software downloads.

This year, signing up for Duo Authentication (see above article) is added as an option, but next year when certificates expire it will be required, including for students.

EVENT: BroCon ’15 Coming to MIT, Aug. 4-6

This year, BroCon is coming to the MIT campus. It will be happening on Tuesday through Thursday, August 4 – 6 at the Tang Center.

This convention offers the Bro community a chance to share experiments, successes and failures to better understand and secure networks. The convention is composed of talks and training exercises from the Bro development team as well as fellow users and enthusiasts.

Bro is a powerful network analysis framework that is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Bro’s user community includes major universities, research labs, supercomputer centers as well as open-science communities.

Learn more at bro.org

EVENT: Security SIG lunch on July 15

Please join us for free lunch and a talk on lessons learned from some of the biggest breaches in the healthcare industry.

Lessons Learned from the top Healthcare Information Security Breaches
Speaker: Roy Wattanasin, MITM (MIT Medical)

 The FBI has warned that hackers are or will be targeting your organization. 2014 was a rough year for data security, especially in the healthcare industry. About 43 percent of breaches came from healthcare per the Ponemon Institute. 2015 has been a trickier year with one of the largest healthcare information breaches reported to date. 

This talk highlights and walks through the top 2015 healthcare information security breaches (using public information). It gives an overview of the healthcare information landscape, covers the laws/regulations and offers recommendations to prevent these kinds of breaches whether you are in healthcare or another industry.

Where: W20-407
When: Wednesday, July 15, 2015, 12:00 – 1:30 pm, includes free lunch
How to sign up: Please email security_sig_events@mit.edu.

We hope to see you there!

If you haven’t yet joined the IT Security Special Interest Group mailing list, please subscribe here.

Cybersecurity Talent Woes

It is no secret that there is a shortage of talented cybersecurity professionals in the US. As posted in the news, this issue is worse than a skills shortage, it’s a critical gap. As an article at thehill.com states: “We don’t have the workforce needed to address the challenges before us.”

The article goes on to further sum up the concern: “There are simply an inefficient number of qualified, skilled professionals available to do what’s needed to protect organizations and consumers.”

The problem becomes clear when organizations attempt to hire cybersecurity professionals. Many applicants don’t have the necessary skills for the open positions, which means it can take months to hire someone, while a short-staffed security team is trying to safeguard data and critical infrastructure.

SANS Institute is doing its part to help professionals launch cybersecurity careers and also assist companies and organizations to obtain the talent. This resource is available for employers: https://www.sans.org/cybertalent/

This week, on May 14, SANS is also hosting SANS CyberTalent Fair, a two-day, online meeting place for top cybersecurity employers and jobseekers in the US. According to the event website, “More than 209,000 cybersecurity jobs in the US are unfilled.”

MIT is hiring cybersecurity professions to work in Information Systems & Technology. See the MIT Careers website. Contract positions for IT Risk & Security Engineers are also available. For a job description, please contact Harry Hoffman.

Cloud Security Research at MIT

For several years, computer science researchers at MIT have been reviewing and attempting to address the problem of attacks on data in the cloud. A recent method designed by faculty in MIT’s Department of Electrical Engineering and Computer Science would thwart attacks by disguising memory-access patterns. The scheme would be implemented in custom-built chips that write multiple data queries at the point where data is accessed, serving as a sort of decoy for attackers who are spying on other people’s data.

Read the full MIT News story.

EVENT: Laptop Tagging and Registration, April 1st

This week there is an opportunity to register and tag your laptop. 

Where: Lobby of Building 10

When: Wed., April 1st, 11:00 am – 1:15 pm

Cost: $10 cash (no cards) or MIT Cost Object

Just as you might register a bike with the police, you can also register your laptop. Information Systems & Technology partners with MIT Police to provide STOP (Security Tracking of Office Property) tags for laptops. The tag is affixed to the device, has a unique number, and is registered with a world-wide database.

Capt. Cheryl Vossmer of the MIT Police says that although a STOP tag is not software that can track a device via GPS or other means, it has been very effective at providing a way for lost or stolen laptops to be returned to their rightful owners.

Read recovery stories here of laptops with STOP tags.

Learn more about laptop registration at MIT. The next laptop tagging session is on May 6th, 2015.