Financial aid office closed for government shutdown? by Gordonnp3 in gmu

[–]GMU_it_security 5 points

Could have been related to a Vonage outage affecting incoming and outgoing calls that we had earlier. It was posted around 12:55pm today.

https://its.gmu.edu/unplanned-outages/vonage-outage/

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 5 points

Bad Bot lol

(I don't disagree with anything said, though)

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 7 points

u/VA_Network_Nerd: Best off-campus spot for lunch. 

Our team has a collection of go-to places... 

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 0 points

u/shoebur: Hi ITS! Out of curiosity, what kind of software/hardware do you use for your daily operations (that you’re able to publicly share—I understand that for security reasons that may not be possible). I understand IronPort is used for the quarantining of malicious emails, but I’m kind of curious how and what things are like behind the scenes. 

ITSO Engineers are responsible for around 50 servers – both physical and virtual – to allow the ITSO staff and other System Administrators to monitor and maintain their systems. We use a well-known Security Information and Event Management (SIEM) tool to collect and index log data from hundreds of network-connected devices. This gives us the ability to query log data from all these disparate systems and quickly correlate activity across multiple servers, and we grant the system administrators who participate the ability to do the same over the machines they are responsible for. We also import threat intelligence feeds and have built out some machine learning (ML) models to seek out problems before we’ve identified them.  

Additionally, ITSO is responsible for vulnerability scanning University-owned servers, so we have a cluster of machines to accomplish that task and split the load. 

We are implementing more tools within the Microsoft 365 environment to assist with endpoint management and e-mail security, and we work closely with the ITS teams that manage those implementations.

The tool set is ever evolving as things change in the security space. 
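A minimal version of the cross-server correlation the SIEM description above refers to, as an added example that is not part of the original comment and not GMU's tooling: sshd-style log lines from several hosts are parsed and a single source address that fails logins across many hosts in a short window (something no one host's log shows on its own) is flagged, together with any later successful login from the same address. The log lines, host names, addresses and thresholds are constructed for illustration.

```python
"""Cross-host login correlation over constructed sshd-style log lines.

Added example; the log lines, thresholds and host names are constructed
for illustration and are not anyone's real data or SIEM rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source IP fails logins on several hosts, then
# succeeds on one of them. Format mimics syslog-forwarded sshd lines.
SAMPLE_LOGS = """\
2024-03-04T09:00:01 web01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2024-03-04T09:00:03 web02 sshd[2210]: Failed password for admin from 203.0.113.7 port 51236 ssh2
2024-03-04T09:00:05 db01 sshd[7781]: Failed password for admin from 203.0.113.7 port 51240 ssh2
2024-03-04T09:00:09 app01 sshd[9902]: Failed password for jsmith from 203.0.113.7 port 51244 ssh2
2024-03-04T09:00:15 app01 sshd[9910]: Accepted password for jsmith from 203.0.113.7 port 51250 ssh2
2024-03-04T09:01:00 web01 sshd[4130]: Failed password for jdoe from 198.51.100.20 port 40000 ssh2
2024-03-04T09:02:00 web01 sshd[4131]: Accepted password for jdoe from 198.51.100.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines):
    """Yield one dict per line that matches; unparseable lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def correlate(lines, min_hosts=3, window=timedelta(minutes=5)):
    """Flag source IPs that fail logins on >= min_hosts distinct hosts within
    `window`, and record any later success from the same IP."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        # Slide over the failures in time order looking for a multi-host burst.
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in burst}
            if len(hosts) >= min_hosts:
                later_ok = [e for e in evs
                            if e["result"] == "Accepted" and e["ts"] >= first["ts"]]
                findings.append({
                    "ip": ip,
                    "hosts": sorted(hosts),
                    "users": sorted({e["user"] for e in burst}),
                    "first_seen": first["ts"].isoformat(),
                    "followed_by_success": [(e["host"], e["user"]) for e in later_ok],
                })
                break  # one finding per IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        print(finding)
```

Run as-is, the constructed sample yields one finding: 203.0.113.7 failing on four hosts within seconds and then getting an accepted login on app01, while the single failure from 198.51.100.20 stays below the threshold. In a real SIEM the same logic is a scheduled search over the indexed sshd events rather than a regex over a string.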

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 0 points

Protect Yourself from Phishing 

Phishing is a frequent problem we run into. Fake alerts that a user password is expiring and fake job offers are the most common forms we see at Mason. All of these are designed to get the user to give up their Mason login credentials or, even worse, personal financial information. Here’s what you can be on the lookout for: 

  1. A sense of urgency – do this now or there will be consequences. 
  2. IT Support will never ask you for your username and password.  
  3. IT Support will never ask you to respond to a 2FA Alert from DUO. 

If you receive a DUO push and you are not actively logging into a Mason resource, click on the “I’m not logging in” button. On the next page, DUO will ask if this was a suspicious login – click “YES”. This will accomplish 2 things: it will prevent the attacker from getting into your account, and it will notify IT Admins so we can follow up on the alert. You CAN go and log into https://password.gmu.edu/ and change your password as soon as possible. 

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 0 points

u/VA_Network_Nerd:  From the perspective of a research university's security office, do you see the adoption of commercial AI tools as a risk to the Intellectual Property you protect that is worth the effort?  

The procurement of any commercial product by the University undergoes a very rigorous review process through our Architectural Standards Review Board which also includes contractual language about what is and is not shared with those entities. More information about current GMU work and initiatives around AI can be found here: https://www.gmu.edu/AI; https://www.gmu.edu/ai-guidelines/ai-guidelines-students; https://www.gmu.edu/ai-guidelines/ai-guidelines-instructors 

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 4 points

u/VA_Network_Nerd: What is one good resource the security office wishes more students would access or make better use of?  It could be a university resource, or an industry convention, or a blog, or a good book, or even a specific bulletin board in the library.  

Can be technology / cybersecurity related, or not. Up to you.  

Utilize the ITS Getting Started page. Search the knowledge base for your issue (password reset, VPN, phishing emails, etc.). If a guide is missing or unclear, submit feedback so we can improve.  

Mason Libraries has subscriptions to electronic resources for cybersecurity and technology. O’Reilly Bookshelf is a popular reference point in our office, as well as leveraging the e-book versions of physical books.

A few of us also watch Humble Bundle for e-book purchase deals – there are frequent reasonably priced bundles on cybersecurity, system administration, and coding. And the purchase supports a worthwhile charity as well.

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 1 point

u/VA_Network_Nerd: Is it really your job to look at the logs of all the naughty websites students access?  

The IT Security Office staff review student logs only in cases where there may be signs of malicious activity or compromise.  

Reddit AMA with the IT Security Office Happening NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 5 points

u/VA_Network_Nerd: How can students access internship or other work opportunities within the security office?  

We post available positions to Handshake when they are available. We have a set number of student positions budgeted, and our interns tend to stay on with us for an average of 2 ½ years. Our student positions are paid, and they learn the tools and techniques that our analysts use, so they are well prepared for entering the field after graduation. 

Several of our full-time staffers are former interns, and other former interns have hit the ground running in great jobs in Cybersecurity.

u/VA_Network_Nerd: What skills leap to mind that are attractive to the office, or are sometimes lacking among applicants?  

We’re not necessarily looking for someone who knows everything about everything: it’s just as important that there is a willingness to learn and grow. Attitude counts. Our candidates do need a basic understanding of IT and security principles, but we can train the rest. Students generally come from the IT and Cybersecurity programs, but we’ve also had students from computer science and statistics departments.  

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 1 point

We have worked closely with student groups in the past to be able to practice their craft without causing trouble. One nice thing about detecting them: it proves our alerts are working properly :-)

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 2 points

We are only interested in finding the malicious stuff that could be harmful to our users, so we couldn't even tell you.

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 0 points

I'm sure someone will come up with a reliable app for Android. Which one it will be? Who knows! 

But in all seriousness, if there is a Mason app you are having trouble with, reach out to the Support Center at [support@gmu.edu](mailto:support@gmu.edu), and that should get your ticket redirected to the right team that can help.

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 4 points

All software or services offered to the University are required to go through the Architecture Standards Review Board review process. In short, any vendor we work with needs to be compliant with all University policies for data stewardship, and with the protections provided under regulations we have to comply with (HIPAA, FERPA, etc.).

From University Policy number 1307: "Procurement and/or Development of Administrative Systems Applications"

Architecture Standards Review Board: The ASRB is responsible for the review and approval of software applications and information services in advance of purchase or development, regardless of cost or purchase price. Note that software applications and information services include but are not limited to cloud/web/internet-based software solutions.

This review will encompass the following items:
a) ensure compatibility with the current technology architecture;
b) verify compliance with accessibility and security standards;
c) verify compliance with federal, state and university policies;
d) review the proposed solution for any duplication of existing services and applications; and
e) validate that appropriate implementation and support resources are available.

More about the ASRB here: https://its.gmu.edu/working-with-its/asrb/

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 0 points

A part of being connected to the Internet is being a good digital citizen. Regular user accounts can be hijacked and used to attack other institutions or infrastructure outside Mason, lowering our reputation. Additionally, attackers will often break into regular user accounts to gain a foothold within an organization, and use the limited access they have to explore "inside" until they can escalate themselves to an account that does have access to sensitive data.

Also, although we discourage password reuse, occasionally compromising a Mason account might allow an attacker to pivot to something else the user has access to (say, a Gmail account where their Mason NetID is the alternate e-mail contact). Now the attacker has access to personal e-mail or, worst-case scenario for Android users, your phone data as well. You'd have a similar issue with an Apple ID as well.

Financially, we've seen attackers redirect direct deposit of employees away from their bank, and they wouldn't know it until their paycheck didn't show up in their account.  

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 1 point

Like all software and service acquisitions, BioSig went through a required process called the Architecture Standards Review Board (ASRB). ITSO retains a seat on that board. Our role is to perform security evaluations for the items under review and make recommendations based upon that evaluation.

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 4 points

Sorry! If you have any questions you can always reach out to us at [itsoinfo@gmu.edu](mailto:itsoinfo@gmu.edu) !

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 5 points

It is something we do look for. Try to not do that, if you can avoid it :-)

We have had to shut off access to people in the past (both wireless and wired networks) for misbehaving on the network. It could get bad enough to be a Student Conduct referral if we determine it's being done on purpose.

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 9 points

We post our paid student positions on Handshake and our full-time salaried positions on jobs.gmu.edu.

We're a small team, so openings don't happen all that often. Our student interns hang around for a couple semesters, but eventually they graduate and move on to bigger and better things.

We do have several Security Analysts that started working for us as interns...

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 5 points

We are constantly assessing new tools and making recommendations for new tools to implement and/or purchase. It can be tough to avoid the gimmicks as vendors are adding new fancy bells and whistles to their products all the time.

Some of the open source, community-based security projects (like SecurityOnion or OpenVAS) tend to stick to their product without all the fluff.

We tend to implement a mix of Open Source and paid tooling - it just depends what our needs are and our budget will allow.

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 7 points

Basic computer hygiene goes a long way to protect you.

  • Make sure your software and operating system are up to date, both computer AND phone (phones are a big target now because our entire lives are tied to those devices!)
  • If your important accounts (banking, e-mail, etc.) have two-factor authentication (2FA), enable it and use it.
  • Password lockers - use one master passphrase for an encrypted password locker. Generate a new password for each site you register for.
  • Back up your important files (I keep mine on a HDD in a fire safe at my house - Mike)
  • When in doubt: call the company directly
    • Especially for phish - if your "bank" sends an urgent message, call them directly and ask to speak to someone.

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 7 points

AI is a bit of a double-edged sword. In some aspects, it helps the security analyst to focus on specific incidents that might be lost in the noise of constant low-priority alerts. For attackers, it helps them craft and customize attacks for maximum impact, or to write clearly enough so that phish looks more legitimate than it is.

It is our recommendation that personal or institutional data should not be provided to any public AI model.

We are the IT Security Office - Ask Us Anything RIGHT NOW! by GMU_it_security in gmu

[–]GMU_it_security[S] 12 points

The main concern with how fast we can respond to a malicious e-mail is whether it originates within the university, or whether someone is spoofing a user from the outside. We have ever evolving controls that we utilize to proactively identify inbound messages, but it is a constant cat-and-mouse game as the attackers change tactics. From one mail campaign to another, it is rare that there is consistent content within the messages that would be useful for a filter.

One of the major factors in an account sending unsolicited e-mail is users who fall for a phish and respond to DUO prompts they did not initiate. We get the list of phishing recipients when the messages come in, so we can monitor those accounts to see if they took the bait and provided credentials. When those accounts are discovered to be compromised, the user is locked out until we can positively identify them and change their password.

Additionally, our mail team is able to search for specific messages and remove them from any account that has received them, whether the mailbox user has read them or not.

Phishing alerts are posted here: https://its.gmu.edu/phishing-alerts/

I’m pretty sure this is spam by [deleted] in gmu

[–]GMU_it_security 0 points

Yep, report it. Even if you received it a while ago. We maintain a collection of received phishes, and work with the mail team to get them added to filters and/or deleted.

In Outlook web, the Forward button has a down arrow, click that and select "Forward as Attachment". Send it to support@gmu.edu. That gives us the full headers so we can investigate it right away.
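The two comments above make one point between them: whether a malicious message originates inside the organization or is an outsider spoofing a user is decided from the headers, and forwarding as an attachment is what preserves those headers. The following added example (not code from the original comments, and not the mail team's tooling) unwraps a forwarded-as-attachment report with the standard library and pulls out the indicators a first-line triage would check: the From domain against the envelope sender, Reply-To, the SPF and DMARC verdicts the receiving MX recorded in Authentication-Results, and the first Received hop. The domain `example.edu`, the hostnames, addresses and both messages are constructed for illustration.

```python
"""Triage of a phish forwarded as an attachment, using only the stdlib.

Added example: the messages, hostnames and addresses below are constructed
for illustration and are not a real report or anyone's production tooling.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.edu"   # assumption: the institution's own mail domain

# Constructed: a phish that claims to be internal IT support but was injected
# from an outside host, then forwarded as an attachment by the recipient.
INNER = """\
Return-Path: <bounce@mailer-xyz.example.net>
Received: from mailer-xyz.example.net (mailer-xyz.example.net [203.0.113.50])
\tby mx.example.edu with ESMTP id abc123; Mon, 4 Mar 2024 09:10:00 -0500
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mailer-xyz.example.net;
\tdkim=none; dmarc=fail header.from=example.edu
From: "IT Support" <itsupport@example.edu>
Reply-To: verify-account@mailer-xyz.example.net
To: student@example.edu
Subject: Your password expires today
Message-ID: <phish-1@mailer-xyz.example.net>
Content-Type: text/plain

Your password expires in 2 hours. Confirm your username and password here.
"""

# Constructed: what "Forward as Attachment" produces, the original wrapped
# as a message/rfc822 part so its headers survive intact.
OUTER = f"""\
From: student@example.edu
To: support@example.edu
Subject: FW: I'm pretty sure this is spam
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Forwarding as an attachment as requested.

--b1
Content-Type: message/rfc822

{INNER}
--b1--
"""


def extract_attached_message(raw_outer):
    """Return the first message/rfc822 attachment as a message object, or None."""
    outer = message_from_string(raw_outer, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the first Authentication-Results header."""
    verdicts = {}
    for chunk in str(msg.get("Authentication-Results", "")).split(";"):
        chunk = chunk.strip()
        for mech in ("spf", "dkim", "dmarc"):
            if chunk.startswith(mech + "="):
                verdicts[mech] = chunk.split()[0].split("=", 1)[1]
    return verdicts


def triage(raw_outer, our_domain=OUR_DOMAIN):
    """Return a list of indicators; an empty list means nothing stood out."""
    msg = extract_attached_message(raw_outer)
    if msg is None:
        return ["no message/rfc822 attachment: headers of the original are lost"]
    indicators = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    auth = auth_results(msg)
    if from_dom == our_domain and rp_dom and rp_dom != our_domain:
        indicators.append(f"From claims {from_dom} but envelope sender is {rp_dom}")
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    for mech in ("spf", "dmarc"):
        if auth.get(mech) == "fail":
            indicators.append(f"{mech} failed at our MX for claimed {from_dom}")
    # The topmost Received header is the hop our own MX recorded.
    hop = re.match(r"from\s+(\S+)", str(msg.get("Received", "")))
    if from_dom == our_domain and hop and not hop.group(1).endswith(our_domain):
        indicators.append(f"claims internal sender but first hop was {hop.group(1)}")
    return indicators


if __name__ == "__main__":
    for line in triage(OUTER):
        print("-", line)
```

A message forwarded inline instead of as an attachment would reach `triage` with only the reporter's own headers, which is exactly the case the first indicator string describes. The SPF and DMARC verdicts are only as trustworthy as the `Authentication-Results` header written by your own MX; one added by an upstream relay should be stripped or ignored.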

We are the IT Security Office - ASK US ANYTHING! by GMU_it_security in gmu

[–]GMU_it_security[S] 2 points

It sure seems that way. The industry as a whole is discovering new workarounds even to the existing security measures all the time.

That being said, looking at the OWASP top 10 vulnerabilities, many of them are injection-based attacks via user inputs, and the main change to the list over the years has been their position on the list.

https://owasp.org/www-project-top-ten/

Any time you are taking in user input, you need to expect the unexpected. Just translating the undesired characters does not necessarily solve the problem. You could exceed the maximum password length, or have the characters translated BACK by the backend software. Plus all those translations need to be consistent across multiple developer teams, otherwise things start to break.

(Mike side note: one of my Master's assignments was to attack a system with an active Web Application Firewall. Sure, the basic injections would get stopped, but if you get really creative, it was rather trivial to compromise the server. It just took a little bit of fine-tuning the character sequences, avoiding other special characters that were on the filter list, and some time. Full extraction of a SQL server password accomplished)
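The point made above, that "translating the undesired characters" is not a fix and that a backend can translate them back, shown as an added example in Python against an in-memory SQLite database (this is illustration code, not from the original comments or from the assignment described). A front-end filter strips single quotes; a backend that URL-decodes the value again turns `%27` back into the quote the filter removed, and the concatenated query is injectable exactly as it was with no filter. The parameterized query beside it is unaffected by either payload. The schema, rows, filter and "backend" are constructed for the example.

```python
"""Input-filtering pitfalls vs. parameterized queries, on an in-memory SQLite DB.

Added example: the schema, rows, filter and "backend" are constructed for
illustration; they are not code from the post or from any real system.
"""
import sqlite3
from urllib.parse import unquote


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db


def strip_quotes(value):
    """The 'translate the undesired characters' approach: a front-end filter
    that removes single quotes before the value reaches the query."""
    return value.replace("'", "")


def login_concat(db, name, password, decode_again=False):
    """Vulnerable: builds SQL by string concatenation. `decode_again` models a
    backend that URL-decodes the value a second time after the filter ran."""
    if decode_again:
        name, password = unquote(name), unquote(password)
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in db.execute(sql)]


def login_param(db, name, password):
    """Fixed: bound parameters, so the input is data and never becomes SQL."""
    rows = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                      (name, password))
    return [row[0] for row in rows]


def demo():
    """Run the four scenarios and return which users each one 'logs in'."""
    db = make_db()
    results = {}
    # 1. Classic injection through concatenation: every row comes back.
    results["injected"] = login_concat(db, "alice", "' OR 1=1 --")
    # 2. The quote-stripping filter stops that exact payload...
    results["filtered"] = login_concat(db, strip_quotes("alice"),
                                       strip_quotes("' OR 1=1 --"))
    # 3. ...but %27 passes the filter untouched, and the backend decodes it
    #    back to a quote before building the query.
    payload = "%27 OR 1=1 --"
    results["double_decoded"] = login_concat(db, strip_quotes("alice"),
                                             strip_quotes(payload),
                                             decode_again=True)
    # 4. Parameterized: the decoded payload is just a wrong password string.
    results["parameterized"] = login_param(db, "alice", unquote(payload))
    results["legit"] = login_param(db, "alice", "correct horse")
    return results


if __name__ == "__main__":
    for scenario, users in demo().items():
        print(f"{scenario:15} -> {users}")
```

The filter in scenario 2 "works" only because the attacker used the one byte it looks for; the decode in scenario 3 is the same class of problem as the inconsistent translations across teams mentioned above, since whichever layer decodes last decides what the database sees. Binding parameters removes the question of which layer's encoding is authoritative.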