SECURE IT - January 2022

Enabling MFA for All WPI Connections

On December 21, 2021, WPI Information Technology (IT) updated Multi-Factor Authentication (MFA) to include the campus and in the classroom to help secure access for students, faculty and administration. This completed the implementation of MFA for employees across all of WPI. In April, 2020, all remote access to WPI resources (such as Workday, SalesForce, O365, etc.) from off-campus locations had MFA enabled. In August, 2021, MFA was enabled on all WPI Virtual Private Network (VPN) connections.

MFA requires more than one method of authentication from independent categories of credentials, which are used to verify a user’s identity. For example, the WPI login (username/password) is the first factor, and a text message, app or token is the second unrelated factor. This makes it more difficult for an unauthorized person to access network resources. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. MFA is a way of safeguarding access to WPI data and applications both on the network and in the cloud. MFA strengthens the authentication process, and greatly improves the verification of a user’s identity.

It is best to choose at least two verification methods, and we highly recommend installing the Microsoft Authenticator App. Visit the WPI Hub link below for verification methods, instructions, and the Microsoft Authenticator installation link.

You may notice some one-time connectivity issues with older applications after MFA has been enabled. If you encounter issues configuring MFA or connectivity issues using MFA, please notify the IT Service Desk using the Help Form at the bottom of this page.

Please note that if you do not have a mobile device or do not wish to use your mobile device for MFA, tokens are available from the IT Service Desk.

Thank you for your ongoing support of the WPI security program.

Mitigating Zero-Day Vulnerabilities that impact WPI (Log4j)

What is a Zero Day Vulnerability?

A zero-day vulnerability is a flaw in a system or device that has been disclosed but is not yet patched. A malicious action that attacks a zero-day vulnerability is called a zero-day exploit. Because they were discovered by bad actors before security researchers and software developers became aware of them and before they could issue a patch, zero-day vulnerabilities pose a higher risk to users.

What is Log4j?

Log4j, open-source software provided by the Apache Software Foundation, records events including errors and routine system operations, and communicates diagnostic messages about them to system administrators and users. Several companies use the Log4j library worldwide to enable logging and configure a wide set of applications.  

The Log4j vulnerability discovered in mid-December, 2021 allowed hackers to run any code on vulnerable machines or hack into any application directly using the Log4j framework. This vulnerability, which was being widely exploited by a growing set of threat actors, presented an urgent challenge to network defenders given its broad use. End users are reliant on their vendors, so the vendor community must immediately identify, mitigate, and patch the wide array of products using this software. Federal agencies and security personnel across the globe have worked on several mitigation measures to fix this flaw and identify any associated threat activity.

What is WPI doing to mitigate this vulnerability?

As soon as the vulnerability was identified, WPI Information Technology organized a multi-disciplined task force to assess the threat to WPI computing resources and mitigate the risk of an exploit based on the Log4j critical security flaw. The task force initiated the following five steps:

1. Identified the vulnerable software products currently implemented on WPI endpoints / servers
2. Identified the vulnerable software products included in the WPI Software Library
   
3. Identified the vulnerable software products provided by WPI vendors, partners, products, etc.
   
4. Mitigated the risk by updating the vulnerable software to a secure version (provided by Apache)
   
5. Tested each system to ensure the updated software was installed and configured correctly 
   

The timely remediation of the Log4j vulnerability and other critical vulnerabilities discovered across WPI systems, endpoints, networks and applications helped to ensure our critical operations are secure against the latest cyber threats.