Randy Livingston put together the following notes for a recent Cabinet meeting. He's shared the notes across the campus to facilitate our campus wide transition to two-step authentication.
Key points regarding IT security for internal staff conversations
As part of its effort to improve IT security, Stanford is now requiring that all SUNet ID holders use "two-step authentication" for web-based services they log into with a SUNet ID. This requirement will be phased in across the Stanford community in the coming weeks.
The campus previously had asked users to change and strengthen their SUNet passwords, pay heightened attention to "phishing" attacks that arrive through email, and consider a range of other computer security practices. (See Vice President Livingston's 8/19/13 email at http://ucomm.stanford.edu/computersecurity/.)
Further steps for improving information security are likely to be announced in the coming weeks, including additional requirements for:
- upgrading or replacing older Windows XP operating systems
- encrypting all laptops and mobile devices
- enhancing password length and complexity
Why are these steps necessary? What is at stake?
- Increasing sophistication of attacks: Hackers, including foreign state-sponsored entities, are increasingly attacking the computer systems of American universities, and they are doing so with increasingly sophisticated technology.
- Vulnerability of University and personal data: We all have become accustomed to hearing about hacking incidents, and we may tend to treat them casually. However, the reality is that because of the increasing sophistication of these cyberattacks, every email and every file on an individual's computer – as well as the data within password-protected systems that an individual accesses – are vulnerable unless industry-best-practice security measures are protecting them.
- Cost: Security breaches and lost data are costly. The University will literally have to spend millions of dollars addressing security breaches if individual users do not take seriously their own responsibilities in helping secure Stanford's systems.
What is the purpose behind each action? What protection is it providing?
- Password strength: Hackers today are using increasingly sophisticated and automated systems for deciphering passwords. Short, simple passwords based on dictionary words are particularly easy to crack. Longer "pass-phrases" that include a mix of characters, numbers, punctuation marks and capitalization are stronger. https://itservices.stanford.edu/service/accounts/passwords
- Two-step authentication: This process enhances security because, even if a hacker is able to decipher a password for a SUNet account, getting in requires an additional code that is only available to the authorized user of the SUNet account. Users will be prompted for this second code at least once per month for each computing device and browser they use, OR more frequently if the particular application they are logging into requires it. https://itservices.stanford.edu/service/webauth/twostep
- Awareness of phishing: Cyberattacks often use an email that looks like an official, institutional email to trick users into clicking on malicious links. Stanford is seeing these attacks with increasing frequency, and they directly threaten the security of not just individual computers, but Stanford's systems as a whole. https://itservices.stanford.edu/phishing
- Windows XP: This is an older operating system posing particular security challenges. The campus will be working to upgrade or replace it where it is still used. Check with your local IT support team for additional information.
- Encryption: Encryption provides an additional layer of security against the disclosure of data if a device is lost or stolen. The priority is to encrypt all employee laptops and mobile devices ahead of encrypting desktop machines. https://itservices.stanford.edu/service/encryption/wholedisk (laptops) and https://itservices.stanford.edu/service/mobiledevice/management (mobile)
Regarding two-step authentication specifically – how does it work?
- When a user logs into a SUNet ID-protected website, such as Axess, a second login code will sometimes be required in addition to the SUNet password.
- Typically this is a random numerical code sent via text message to your phone or generated by an app on your smartphone. It can also be a code from a list printed in advance.
- Users will be prompted for this second code at least once per month for each computing device and browser they use, OR more frequently if the particular application they are logging into requires it.
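As an added illustration of the mechanics described above (this is example code, not Stanford's WebAuth implementation), the following shows how a service can verify the three forms of second code the notes mention: an app-generated time-based code (RFC 6238 TOTP), a printed one-time backup code, and a device/browser "remembered" for 30 days so the user is not re-prompted until then. All secrets and codes are constructed values.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example of server-side second-factor checks; not Stanford's code.
STEP = 30                # TOTP time step in seconds
REMEMBER = 30 * 86400    # how long a device/browser stays trusted (30 days)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_totp(secret: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps to tolerate clock drift.
    A code is useless to someone who only captured the password: it changes
    every 30 seconds and is derived from a secret held on the user's phone."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-skew, skew + 1))

class BackupCodes:
    """Codes printed in advance: stored only as hashes, each valid exactly once."""
    def __init__(self, codes):
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}

    def redeem(self, code: str) -> bool:
        h = hashlib.sha256(code.encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)   # single use: a reused printed code is rejected
            return True
        return False

def issue_device_token(now: int):
    """Random token set as a browser cookie after a successful second step."""
    return secrets.token_hex(16), now + REMEMBER

def device_trusted(expires_at: int, now: int) -> bool:
    """True until the 30-day window lapses; then the user is prompted again."""
    return now < expires_at
```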
How will the two-step authentication requirement be phased in, so that it minimizes the impact on users as the new academic year begins?
- More than 10,000 SUNet ID holders have already adopted it voluntarily, and it can be done at any time from the "Accounts" page on the Stanford website.
- The requirement will be phased in gradually – starting with staff, then moving to faculty and students. It will take several weeks to implement across the community.
- When two-step authentication becomes required for an individual, the individual will be directed to the two-step authentication page before being able to log in to a SUNet ID-protected site. The process should only take a few minutes.