Security & Alerts Archive

NCSSM IT Security Improvement History

Updated June 2016

  • Palo Alto Networks (PAN) firewall implemented in 2014
    • Layer 7 instead of layer 3
      • A layer 3 scan looks at traffic only with respect to IP addresses and ports; like diagramming a sentence without understanding its meaning
      • A layer 7 scan understands the application and can control misuse of the application; like understanding the detailed nuances of the words in a sentence
    • Enables VPN access for secure off-campus access
    • Includes edge scanning of malware including WildFire
      • Most malware scanners look for telltale signs of malware in the code itself; the code or signs must be known of in advance
      • WildFire executes suspicious code in a virtual environment and can determine if it behaves like malware; thus unknown or new malware is detected and blocked before it can infect computers
  • WPA2 Enterprise (802.1x) wireless network security implemented in winter of 2010
    • Only authorized access permitted
    • On an open network, anybody can use (and abuse) the network
    • All traffic is encrypted
  • AirWave and controllers,
    • Allows unitary configuration, control and monitoring of the wireless network
  • ClearPass installed
    • Allows fine-grain control over access and security
    • Eduroam
    • Clean access: prevents infected and out-of-date clients from accessing the network
      • This is the first component of a clean access environment. Additional appliances are needed to complete the implementation
  • Virtual Local Area Networks (VLANs) implemented on our network
    • Enables the secure separation of our network into different groupings and access based on role at the school. For instance: students are in one VLAN that does not allow access to the servers and resources accessible by the staff VLAN.
  • Implemented security training
    • Securing the Human from SANS in the fall of 2014, required for the entire community including students
    • One-on-one training provided to community
  • Email security features
    • Filters
    • SPF implemented to prevent domain spoofing, or sending an email in such a way as to give the impression you are sending from one domain, such as ncssm.edu, when you are actually sending the message from somewhere else entirely
    • DMARC implemented to prevent sender spoofing, which can lead to phishing attempts
  • Identity Finder (IDF) implemented in December 2014
    • Scans personal and departmental network shares for Personal Identifiable Information (PII)
    • Scan of laptops in high-risk areas of campus for PII including but not limited to HR, Business Office, Registrar
  • Voyance cloud-based network analysis implemented in April of 2016
    • Enables real-time network visibility and monitoring
    • Tracks common security threats on our network, such as out-of-date browser versions
    • Powerful at identifying the OS versions of devices on our network, allowing ITS to track down and update out-of-date computers and mobile devices
    • Finds network problems spots but also lets us know when port scans occur so that we can proactively respond to security threats
  • Nutanix virtualized server solution
    • Drastically reduced number of servers, thereby making a large reduction in the number of potential targets for security threats, reducing the institution’s risk by decreasing the size of our attackable surface area
  • Moved servers and appliances from campus to the MCNC data center providing secure, off-campus hardware housing along with redundant services including cooling, power and physical security. The data center houses our Nutanix virtual servers and provides controlled access only IT staff exclusively.
  • Adopted Red Hat Enterprise Linux (RHEL) in 2014.
    • Provides centrally managed, enables central control of software updates and security patches
  • Adopted ISO 27002 as our standard for IT security in 2012
    • ISO 27002 gives us a common framework and vocabulary for talking about security, policies and procedures, which in turn, ensures that we consider all important elements of security.
  • Created ISO 27002 crosswalk mapping each element of our security policies and practices to the corresponding element(s) of ISO 27002, thereby ensuring that we have addressed all relevant security points
  • Comprehensive risk analysis of our network
    • Identified areas of needed mitigation
  • Built the framework for a Policy Manual. Created data security policy, AUP, password security policy, mobile device policy, etc.
  • Whole-disk encryption of state equipment
    • BitLocker on Windows
    • FileVault on macOS
  • Implemented Two-Factor Authentication (2FA) for IT accounts
  • Have initiated contract negotiations for 3rd party security resources such as Qualys and Splunk
    • Qualys gives us the ability to see what resources are available on our network, so we can ensure that only appropriate resources are available
    • Splunk allows us to monitor server access and activity, record significant events, and notify ITS personnel when some untoward event occurs
  • Moved many previously locally-maintained applications to a software as a service (SaaS) model
    • E.g., Google Apps for Education or Instructure’s Canvas
    • SaaS allows us to offload the responsibility of maintaining the software and hardware providing the service to a third party who specializes in the offered services
    • They typically have large, dedicated teams for security, backup, and other critical aspects
    • They ensure near-100% availability
  • Implemented webNetwork
    • webNetwork allows us to control access to internal resources to only community members (a VPN-like capability)
  • We subscribe to the following cyber security organizations including UNC-GA ITSC, Raleigh ISSA, MS-ISAC, NC-CERT, US-CERT

October 18, 2016 Phishing Email and Security Update


ITS would like to update the community on the phishing email attack from yesterday afternoon.

In summary:

At 12:49 PM on Monday afternoon, an email titled "IMPORTANT PDF" purporting to be from Scott Laird in Humanities was sent out to much of the NCSSM community. This message was, in fact, sent from Scott's account, which was compromised about an hour earlier, and contained his email signature. The message stated "Scott Laird sent you a document to Read & Sign" and had a large yellow button saying to "REVIEW DOCUMENTS". This link redirected through several pages to get to a website that looked similar to a Dropbox login page. Although the page has a somewhat convincing look, this page was only disguised to look like Dropbox when, in fact, it was designed to steal email addresses and passwords. Several community members clicked this link, and then some of those same people proceeded to enter their username and password. Following the attack, ITS was able to act quickly to notify the community, cut off access to the offending site from within our network, change passwords for compromised accounts, etc.

Screenshot of the email with RED markup showing details to look out for:



Screenshot of the website linked from the email with RED markup showing details to look out for:



We would like to take this opportunity to warn the community about the dangers of phishing email attacks and what can be done to protect against them going forward.


First of all, there are a few things that ITS recommends looking at in any given email message and on any website asking for you to "log in".


  • For example, if you are not expecting to receive a particular document from a specific person that you will need to "Read & Sign", then you should be suspicious about messages such as this one.
  • You should also be wary when messages contain a number of words written in ALL CAPS, as with this message, or have any obvious misspellings or grammatical errors.
  • Words indicating a sense of urgency are also a common indicator of phishing attacks.
  • Additionally, you should always be suspicious if the appearance of an email or website don't look quite right, such as the colors, fonts, or images you are being presented.
  • And lastly, always pay attention to the URL or web address of links in emails, which you can preview by hovering your cursor over any buttons or links, and if you do not recognize and trust the address in question, do not click the link.


An important takeaway from this particular phishing attack should be that even if you trust an email's sender, you must evaluate the content of each message in order to determine whether or not it is something that you really should be opening.


In any situation in which you receive an email that meets any of the above criteria, or in which you might just not be totally sure about its veracity, please use these instructions to get the raw text of the message in question and send it to ITS in a ticket for further evaluation: http://wiki.ncssm.edu/index.php/Reporting_spam_and_phishing_emails_to_ITS


Secondly, ITS recommends following some password security recommendations to help limit the impact of stolen account credentials on individuals and the community. First and foremost, we recommend that everyone at NCSSM take advantage of utilizing Google's 2-Step Verification option to use a secondary device, such as a smartphone, to function as a second required method of authentication. Turning this security feature on makes it impossible for someone to access your account unless they have both your credentials and physical access to your secondary device. Please use these instructions to set up this 2-Step Verification option: http://wiki.ncssm.edu/index.php/Set_up_Two-Factor_Authentication_for_Google_account. ITS also recommends not re-using your NCSSM password on other websites and services, generating a secure password, and utilizing password managers for securely-storing your many passwords in a way that is difficult to compromise. All of these recommendations, including additional details and instructions, can be found in the ITS Wiki here: http://wiki.ncssm.edu/index.php/Password_security_recommendations


Third, this might be a good opportunity to access Securing the Human (available as a bookmark from My NCSSM or available directly via https://ncssm.securingthehuman.org/ca_main.php), and review the Email, Phishing, & Messaging instructional video. This video, which is only three and a half minutes long, specifically looks at phishing attacks and how best to identify and respond to them. Additionally, one of our supplementary materials for training on phishing, the Phishing IQ test is available here: https://sites.google.com/a/ncssm.edu/sth-custom-links/#TOC-Email-Messaging-Video:-Phishing-IQ-Test. If you have not taken this brief test already, we recommend that you do so in order to test your own ability to detect phishing emails and scams.


As always, if you have any comments, questions, or concerns regarding your network security, please don't hesitate to contact ITS with a ticket. You can send us a ticket by going to My NCSSM and clicking on ITS Help Desk, or going directly to the site here (and clicking the "g" icon to log in):http://ncssm.freshservice.com/support/home.


Update 6/29/16: ITS has now published a list of the network security improvements made over the last several years.


Update 6/22/16: Over the last three days, three separate phishing emails have been sent out to the community titled “VIEW DOCUMENT” that each contain a blue button with a "CLICK DOCUMENT” link. The page that opens if this link is clicked asks for your credentials.


Please do not click this link and, if you do, do not provide your credentials.


These emails are not legitimate and have been sent from the compromised email accounts of recently-graduated students. Their accounts have subsequently been secured and the link in each of these emails has been blocked when accessing from our network, however, if accessed off-campus or using a mobile device on a cellular connection, this page can open. Providing your credentials to this attacker may allow your NCSSM account and email account to become compromised. ITS recommends deleting these messages immediately and also to be continue to be wary of any further messages that look like this going forward. As a general rule, we do not recommend clicking links or downloading attachments from unknown senders, and we strongly recommend against ever providing your credentials or other personal information on a website that is linked from an email, even if it appears to be legitimate.


If you have clicked any of these links and provided your credentials, please let ITS know immediately. Also, we recommend changing your password as soon as possible.


Additionally, please review the Security Corner on its.ncssm.edu at your earliest convenience to read our recommendations for creating secure passwords. We also provide additional security documentation and best practices on our Wiki.


FBI Security Update 6/21/16: ITS has received the following security update from the FBI concerning an Advanced Persistent Threat (APT) that is targeting email systems at schools. Thankfully, NCSSM is not vulnerable to this particular threat, however, ITS is paying close attention to these types of alerts from the federal government, security software vendors, security experts at other institutions across the state, and others. As relevant IT security alerts become available, we will share them with the community.


View FBI security warning (PDF)


Update 6/5/16 and 6/20/16: New phishing emails have been sent out to the community. Please do not click the link in these emails or provide your NCSSM credentials in the webpage that opens.


If you have provided your credentials in one of these messages, please contact ITS and change your password immediately.



Chrome Security Vulnerability


If you are using the Chrome browser its version is prior to 50.0.2661.94, you are vulnerable to an arbitrary code execution vulnerability that could result in your computer being compromised. You should update Chrome now!


Get a Chrome update when available

Normally updates happen in the background when you close and reopen your computer's browser. But if you haven't closed your browser in a while you might see the Chrome menu in the top right change colors:

A green menu means an update's been available for 2 days.

An orange menu means an update's been available for 4 days.

A red menu means an update's been available for 7 days.

To update Google Chrome:

  1. In the top right, click the Chrome menu .
  2. Click Update Google Chrome. If you don't see this button, you're on the latest version.
  3. Click Relaunch.

The browser saves your opened tabs and windows and reopens them automatically when it restarts. If you'd prefer not to restart right away, click Not now. The next time you restart your browser, the update will be applied.

See https://www.us-cert.gov/ncas/current-activity/2016/03/24/Google-Releases-Security-Update-Chrome for more information.


Firefox Security Update


Mozilla has released a security update for Firefox to fix multiple security vulnerabilities.

Get a Firefox update when available

  1. Click the menu button , click help and select About Firefox.
  2. The About Firefox window will open and Firefox will begin checking for updates and downloading them automatically.
  3. When the updates are ready to be installed, click Restart Firefox to Update.

See https://www.us-cert.gov/ncas/current-activity/2016/03/08/Mozilla-Releases-Security-Updates for more information.

Ransomware is About

  • 25 Feb: News reports this morning indicate that the City of Durham has recently been hit twice with ransomware attacks. Please be on your guard!
  • 23 Feb: We are seeing increasing reports of ransomware infections in our sister institutions and elsewhere. Ransomware, once installed on your computer, silently encrypts files on your computer and on network drives (including any backups it can reach), then demands payment to provide the decryption key. These programs use strong encryption, so they're essentially unbreakable without the decryption key.

Ransomware gets on your computer in the same manner as any malware, so the same rules apply: Don't open unsolicited email attachments, click on suspicious links, and the like. DO keep your antivirus up to date, be on your toes, and contact ITS when in doubt. The data you save many be your own!


NC IT Cybersecurity Tips

The NC Department of IT publishes a monthly newsletter of cyber security tips and warnings.


Volume 11 Issue 8: Back to School

Volume 11 Issue 7: Going for Gold in Cybersecurity

Volume 11 Issue 6: Traveling Securely

Back Issues of all Cybersecurity Tips Newsletters


SANS Institute Newsletters and Security Tips


SANS Institute is the information security training curriculum (StH) used at NCSSM. In addition to the online training videos, SANS provides monthly newsletters on security topics. The June newsletter's topic is on Encryption.


Advanced Persistent Threat (APT) is back

  • 28 Apr: Our APT is back with a vengeance this morning, posting dozens of phishing emails attempting to trick you into opening an infected attachment. I believe that I've caught most of the attempts, but I can't guarantee that some have not slipped through. So, keep your guard up and let ITS know of anything that seems the slightest bit odd.
  • 26 Apr: I haven't detected much activity from the APT since the first week of April. But please do stay vigilant. He could reactivate and there are always people attempting to penetrate our network. Thanks again for your cooperation!
  • 11 Apr: Our APT seems to be on vacation. He was active early last week, but I've heard nothing since then. Please keep your guard up and see our training page for information on how to submit suspicious email to us.
  • 22 Mar: Our APT is hitting us hard, with dozens of messages this morning that I know about. Fortunately, I've managed to block him, although you may get strange messages from the "Mail Delivery Subsystem" as a result of our rejection of his attempts--check with me if you doubt the legitimacy of these emails.
  • 21 Mar: I've managed to find commonalities in the attack profile that allow me to block many of the APT's attempts. However, I'm by no means certain that I'm blocking it all and the profile will likely change as our APT realizes that he's not succeeding. So, please continue to be wary.
    • 3:00 PM: As predicted, the APT has changed his attack profile. I've responded, but the game continues!
  • 11 Mar: The probes continue. They're trying hard to avoid triggering malware detection, for example sending javascript and web page attachments, instead of programs. Thus, it seems that we're keeping them at bay, but do not depend on your virus scanning tools to determine whether an attachment is safe. Fortunately, they seem to have an idiosyncratic grasp of grammar and idiom, so clues abound.
  • 7 Mar: Our APT is, indeed, persistent. However, since the last report I am seeing some variations in the attack methods, indicating that he's probably not penetrated our network. Keep up the good work!
  • 2 Mar: More phony invoices sent in the past 24 hours. They're targeting a variety of staff accounts, so be alert.
  • 1 Mar: And the beat goes on. The latest wrinkle is that they're spoofing NCSSM email addresses in an effort to get you to click on the link. Given enough time, Google does identify the payload as malware. And, I'm going to take steps to prevent this ruse from working, but please continue to be suspicious.
  • 25 Feb: Amidst all of yesterday's excitement, our APT sent dozens of emails containing malware and a number of email phishing attempts. It's clear that they're again ramping up their attempts. Be wary!
  • 18 Feb: The attack continues at a low-level, but if it follows the pattern of the last attack, it will soon ramp up. Please keep on your toes!
  • 16 Feb: Our APT (Advanced Persistent Threat: an attacker that brings concerted effort and resources to penetrating a specific target) seems to have returned. In the past week I've gotten three fake invoices through email and I know of at least one other person who has also been targeted. Please be on your guard and do not open any attachments that are unexpected or seem the slightest bit fishy. Instead, let ITS know. We'd rather deal with a false alarm than a successful compromise of our network. Thanks for being alert!

June 2, 2016 Phishing Update 4:55 PM:

ITS would like to provide the community with more details about the phishing email incident from Tuesday, May 31, as well as discuss our response and some of the actions that we will be taking to prevent similar incidents from taking place in the future.


Following the emails sent from a staff member's compromised NCSSM email account, multiple staff, faculty, and parents clicked the link in these messages, and a significant number of those then proceeded to provide their NCSSM account usernames and passwords. ITS worked with these individuals to reset their NCSSM passwords, thereby preventing their own accounts from also being compromised. All in all, a very busy day for all involved.


Given these circumstances, ITS is planning to augment security training, utilizing the Securing the Human web application available at https://ncssm.securingthehuman.org/main.php. Securing the Human will have a new curriculum beginning this fall. We will be requiring all NCSSM faculty and staff to take this security training annually, and all new faculty, staff, and students starting this fall will be required to take this security training before they begin at the school.


Additionally, we need to take steps to prevent infections by the type of worm that infected the staff member's PC and caused these messages to be sent. For those of you using Windows-based PCs, ITS requires the installation and regular updating of an anti-virus tool, such as Windows Security Essentials, Windows Defender, or another AV tool of your choosing. You need to also regularly scan your computer using one of these tools. (ITS will be happy to make recommendations, assist with installation, and train you on these tools.)


Lastly, we would like to make password security recommendations to help limit the impact of stolen account credentials on individuals and the community. These recommendations include:

Set up Google 2-Step Verification. This will add an additional step when logging in to your Google account utilizing a secondary device, typically a smartphone. This second method of authentication would have prevented this attack from taking place and would have also made it so that those who shared their credentials with the attacker would still be secure; without the ability to access the second method of authenticating, the attacker would be unable to compromise any NCSSM accounts.

To set up 2-Step Verification: https://support.google.com/accounts/answer/185839

To use 2-Step Verification: https://support.google.com/accounts/answer/1085463

Do not use your NCSSM password on other websites and services. This will prevent any single compromised password from one website or service from compromising all of your accounts.

Generate a secure password utilizing a minimum of 10 characters drawn from the classes of uppercase letters, lowercase letters, digits, and symbols.

Use this website to help generate a strong password: http://passwordsgenerator.net/

Use these instructions to change your NCSSM password: http://wiki.ncssm.edu/index.php/Security

Use a secure password manager to store your secure and unique passwords. These services can help make it possible to use many different and long passwords without having to remember them all, all while keeping your password database encrypted. Options include:

LastPass (Multiplatform)

1Password (Multiplatform)

mSecure (Multiplatform)

aWallet Cloud (Android)