1 of 26

IAM in Higher Ed: �Balancing Security and Ease of Use

IAM Online – November 2024

Speakers:

Matt Morton | Assistant Vice President and CISO, University of Chicago

Eric Zematis | CISO, Lehigh University

Forest Crowley | Security Architect/IAM Manager, Lehigh University

Moderator:

Jeremy Rosenberg | Assistant Vice President for IT and CISO, Yale University

InCommon.org

2 of 26

Welcome
Introductions
Presentation
Q&A
Closing

AGENDA

SHORT TITLE

[ 2 ]

internet2.edu

3 of 26

Welcome

[ 3 ]

internet2.edu

4 of 26

We’re taking questions and comments live using the Zoom Q&A function, so please send those messages during the presentation because we want this to be as interactive as possible.

Also feel free to post messages in the chat. Just be sure when �you are posting, your message is being sent to everyone, from the drop-down menu options.

We are also recording this webinar, you will receive the link to the recording via email, and it will be posted on the InCommon website and on our IAM Online YouTube channel soon!

REMINDERS

SHORT TITLE

[ 4 ]

internet2.edu

5 of 26

Introductions

[ 5 ]

internet2.edu

6 of 26

Today’s Speakers

Matt Morton

Assistant Vice President and CISO

University of Chicago

Eric Zematis

CISO

Lehigh University

Forest Crowley

Security Architect/IAM Manager

Lehigh University

Jeremy Rosenberg

Asst. Vice President for IT & CISO�

Yale University

Moderator

[ 6 ]

internet2.edu

7 of 26

Presentation

[ 7 ]

internet2.edu

8 of 26

Challenges & Impacts

[ 8 ]

internet2.edu

9 of 26

About Us

Matt Morton

Role: Assistant Vice President and CISO
Tenure: 3 years

Number of Students: ~18,500
Number of Employees: ~11,000
Number of IAM Team Members: 8 (1 opening)
Infrastructure Snapshot:

User authentication including SSO (Okta)
Active Directory (ADDS)
Azure Active Directory (AAD)
Account provisioning and service provisioning (Sailpoint)
MFA (Cisco Duo)

[ 9 ]

internet2.edu

10 of 26

Eric Zematis

Role: CISO
Tenure: 6 years

Number of Accounts: ~20k
Number of IAM Team Members: 5
Infrastructure Snapshot:

Open Source Tools

midPoint (Provisioning)
SimpleSAMLphp (SAML2 & CAS Authentication)
OpenLDAP

Active Directory, Microsoft 365/Entra ID
MFA (Cisco Duo)

About Us

Forest Crowley

Role: Security Architect/IAM Manager
Tenure: 9 years

[ 10 ]

internet2.edu

11 of 26

Challenges

[ 11 ]

internet2.edu

12 of 26

Our Challenges

Multiple attempts weekly to compromise accounts through the service desk. Relying on desire to service customer quickly by trying to get the staff to shortcut the processes.
Service Desk staff are typically the least trained and sometimes are contractors.

processes are complex and have multiple layers many times.

Most of the recent ransomware attacks follow this attack sequence

get account reset or MFA tokens through service desk (social engineering)
look for ways to escalate to a domain administrator

https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

deliver ransomware payload and control domain completely

[ 12 ]

internet2.edu

13 of 26

Our Challenges

Fraudulent support calls

Driven by the move to phishing-resistant MFA
Attackers impersonate genuine users armed with detailed profiles�

Other common threats still present

Password spraying, confidence scams, phishing, etc.�

Attacker Objectives

Financial gain through redirecting grants and payroll
Compromise unmanaged or personal accounts associated with victim
Obtain internal network access via VPN�

Broad Trends

Research finance specifically targeted
Abuse of traditional higher education dynamics
Emerging threat of admissions fraud

[ 13 ]

internet2.edu

Primary problem for attackers is no longer acquiring credentials, it’s bypassing MFA.

Step-ups in Lehigh’s posture can be divided into three timeframes

Before Risk-Based Auth: Push and Call Fatigue

After Risk-Based Auth: Duo HOTP Code Phishing

HOTPs are long-lived, infrequently used, yet are often widely available for Duo Security users.

After phishing-resistant MFA: Social Engineering

Direct targeting of support desk

Leverages an extensive profile about the owner of the targeted account

More detailed attacker objectives:

Financial Fraud

Grant payment redirection

Direct deposit Fraud

Opportunism

Seek out sensitive information in inboxes, cloud storage, etc.

Compromise third-party accounts

Pivot to unmanaged accounts (e.g. a personal linkedin, a department’s Instagram)

Identity theft attempts (“id.me” specifically targeted)

Pivot internally

Use VPN access to attack internal hosts

Broad trends:�Research related finance is specifically being targeted.

Other institutions have experienced the same targeted attacks at the same time.

This knowledge was obtained in hindsight - few if any institutions shared, even in private information sharing groups.

Tactics reflect traditional strategic cybersecurity issues in higher ed

Highly diverse user populations mingled in the same environment

High degree of implicit trust among members of the institution

Need for small, incremental changes allow attackers to pivot tactics as institutions make improvements

14 of 26

Impacts

[ 14 ]

internet2.edu

15 of 26

The Impacts

Creates additional stress on the service desk
Need to create tighter processes between the desk and security
Mandated required Zoom verification for all resets

increased the amount a time to resolve
puts pressure on the desk

[ 15 ]

internet2.edu

16 of 26

The Impacts

Financial Loss

Direct deposit redirection
Expanding population coverage of MFA requirements incurs additional licensing costs�

Security Improvements directly impact users

Higher security authentication leads to increased user difficulty
Friction during support desk calls
Equity concerns

[ 16 ]

internet2.edu

17 of 26

Addressing the Challenge

[ 17 ]

internet2.edu

18 of 26

Our Insights & Actions

Require Zoom + ID for recertifications

Works but causes a significant amount of slowdowns for TTR for tickets

Looking at verification products to automate identity proofing
Added new alerts that trigger off of recertification events

[ 18 ]

internet2.edu

19 of 26

Our Insights & Actions

Moved to phishing-resistant MFA

Disallowed HOTP codes, Phone Calls, and SMS codes

Moving away from knowledge-based identity verification
Implementing conditional ID verification

Support calls involving a reset of a single factor doesn’t require an ID

Answer a phone call at the number on record, accept a Duo MFA push, provide limited knowledge-based proof

Password reset + MFA bypass requires providing institutional ID card over Zoom

Piloting document verification services

Pushing the effort of verifying government IDs (often non-US IDs) to a third party service.
Exploring automated ‘forgotten credential’ resets through document verification.

[ 19 ]

internet2.edu

20 of 26

Advice

[ 20 ]

internet2.edu

21 of 26

Recommendations for Others

Formalize an ID verification procedure with support desks and offices.
Flag high-risk populations for more strict verification requirements.
We change attackers change. Continuous process.

Be prepared to implement more strict controls at short notice.
AI generated IDs?

Enhance or adjust your technology strategy.

ID Verification Tools

IAM Governance Review

[ 21 ]

internet2.edu

22 of 26

Conclusions & Final Thoughts

Key Takeaways:

[ 22 ]

internet2.edu

23 of 26

Q&A

[ 23 ]

internet2.edu

24 of 26

Q & A

We’re taking questions and comments live �using the Zoom Q&A function.

[ 24 ]

internet2.edu

25 of 26

Closing

[ 25 ]

internet2.edu

26 of 26

THANK YOU

Thoughts about today’s program?

Please complete our Zoom survey.

Feedback about IAM Online?

Contact Jean Chorazyczewski, jeanc@internet2.edu

Next IAM Online: January 15, 2025 @ 1pm ET

One Year In: InCommon's Future: In March 2024, InCommon launched its ambitious Futures2 Strategy, aiming to become the trusted authority for Identity and Access Management (IAM) in Research and Education. This webinar reflects on the first year of progress, highlighting key initiatives such as the development of audience-specific resources to support teaching and learning, federal agencies compliance, and shared IAM architectures. Join us to explore lessons learned, successes achieved, and areas for continued focus as InCommon advances its 2028 vision of advancing secure, interoperable digital collaboration and resource sharing for Research and Higher Education.

Got Ideas?

Submit your ideas for future IAM Online webinars!

www.incommon.org/academy/iamonline/iamonline-ideas

[ 26 ]

internet2.edu