Information Technology Governance Committee (ITGC)

Letters to Community: Security Memo

On Tuesday, April 2nd, Executive Vice President and Treasurer Israel Ruiz sent a letter to the members of Academic Council to disseminate throughout their respective areas. The letter describes improvements to systems and procedures to ensure the safety of the MIT community. This page provides additional details about the upcoming changes to MIT's network that are described in the letter.

Strengthening Campus Security

April 2, 2013

To Members of Academic Council:

The recent hoax incident of February 23 and hacks to MIT’s information network have given us the opportunity to reassess our emergency preparedness, emergency communication protocols, and network security practices. Today I want to share with you the improvements we are making to our systems and procedures to ensure the safety of our community and the integrity of our campus. I ask that you disseminate this information throughout your respective areas, so that we can build awareness of the important enhancements we are pursuing.

Safeguarding our community

We have upgraded our emergency-preparedness training program, and are reaching out to all parts of our community through our Security and Emergency Management Office (SEMO). It is critical that each department, laboratory and center (DLC) have an emergency coordinator and a concrete emergency plan. SEMO staff will connect with DLCs to provide guidance in crafting and communicating these plans, to share training materials and provide in-person training.

We are also working with housemasters in our residence halls and staff members in the Office of the Dean for Student Life to strengthen the safety of our students and enhance the preparedness of our dormitories and fraternities, sororities and independent living groups (FSILGs).

Reaching people in an emergency

We have revised our emergency communication protocols so that we are able to notify people within minutes of an emergency situation, and are working to expand our addressable alerts system to include all members of our community on all devices. We currently send text-message alerts to all Institute owned mobile telephones and email to all MIT email addresses.

In addition, approximately 60% of our faculty, students and staff have elected to participate in MIT's alert program so that they may receive alerts through personal mobile telephones and email addresses. We will be sending email to those who have not yet signed up to urge them to participate in this expanded system of alerts, so that we are able to reach everyone quickly in the case of an emergency. 

Improving MIT’s cyber security

With guidance from CSAIL Professor Frans Kaashoek, who serves as technology domain expert for the Information Technology Governance Committee, we have examined how we deliver network services to our community. We have determined that we can modify practices to establish a higher level of resilience for our network while accommodating the needs of our faculty, students and staff.

MIT has a long history of operating an open network environment, allowing devices on MIT's network unrestricted incoming and outgoing access to the Internet. The Institute remains committed to providing open Internet access to support the core mission of teaching, learning and research, while also providing a more secure network environment for our community.

In order to provide the community with a more secure network environment, Information Services and Technology (IS&T) will soon implement several changes to our network. For most of the MIT community, particularly those engaged in research, teaching, and learning activities, these changes to our network will be invisible.  Connections to MIT's communications (email and Web) and academic services (Stellar and WebSIS) will not be impacted. Some administrative users, particularly those who work while away from campus, may see changes to how they interact with MIT's administrative systems. Questions about planned changes highlighted below can be directed to cybersecurity-questions@mit.edu.

  • Network traffic policies are being strengthened. By default, traffic originating from outside MIT's network (from non-MIT IP addresses) will be blocked to reduce the potential for damage to MIT information systems. This will not impact open services such as email and publicly accessible websites.
  • Access to MIT administrative applications such as the Data Warehouse, SAP and MITSIS will require connecting from MIT's network on-campus (from MIT IP addresses) or by making use of MIT's virtual private network (VPN) service.
  • MIT will implement stronger password quality and expiration policies.
  • Those engaged in research, teaching and learning activities will be given the option to opt out of the default network security policy through a self service mechanism.
  • Community members requiring access to their computer systems from non-MIT IP addresses are encouraged to use MIT's VPN service for access rather than opting out.
  • Individuals whose work involves access to legally protected or otherwise sensitive information are advised to take additional precautions on devices used for confidential data access, such as use of two-factor authentication and full-disk encryption.

I am deeply and personally committed to safeguarding our community, protecting our campus and securing our systems. Together with our colleagues dedicated to campus safety and security, with the support of senior academic leadership and in collaboration with the campus community, we are deploying all necessary resources to this effort. It will require the dedication of all of us to promote safety awareness, complete necessary emergency training, and adhere to reinforced cyber security guidelines. IS&T staff members are working with information technology (IT) leadership and partners across campus in making the changes described above. We continue to explore all opportunities to further strengthen our preparedness, and will communicate additional information as these plans evolve. 

Sincerely,

Israel Ruiz

Additional Details

Evolving MIT's Cyber Security

MIT remains committed to providing open Internet access to support the Institute's core teaching, learning, and research mission. In order to better provide the community with a safer, more secure network environment, IS&T will soon implement several changes to our network. For most of the MIT community, particularly those engaged in research, teaching, and learning activities, these changes to our network will be transparent and should require no behavior changes for end-user computing activities. Some administrative users, particularly those who work while away from campus, may see changes to how they interact with MIT's administrative systems.

Full details are provided below for these upcoming planned changes, which are expected to be implemented in the coming weeks.

Default Network Traffic Policy

By default, incoming traffic originating from outside MIT's network destined for clients on IS&T-operated networks will be blocked. Today, systems on the MIT network are subjected to thousands of unauthorized connections per day from nearly every country around the globe and, as a result, MIT sees more than ten compromised user accounts each day. Blocking incoming traffic reduces the potential for damage to MIT systems from malicious activity on our network. This change excludes privately operated networks, such as those of CSAIL, RLE, the MIT Media Lab, LNS, and MIT Medical, among others.

Connections to MIT's communications and academic services from off-campus will not be impacted; this includes email (both Cyrus IMAP and Exchange), Stellar, and WebSIS. These systems are operated out of IS&T data centers and are configured assuming they will be connected to the public Internet. To protect systems that are exposed publicly, we will require strong passwords be in use for all MIT Kerberos accounts; please see below for additional information about upcoming changes to MIT's password policies.

Community members engaged in MIT's research, teaching, and learning activities will be given the option to opt out of the default network security policy via a self-service process. Initially, this opt-out mechanism will take the form of firewall exception rules. In the future, IS&T hopes to offer a VLAN-based implementation of the opt-out process.

IS&T will work with DLCs providing departmental services (email, web, file sharing, etc.) on affected networks to identify appropriate alternatives, such as relocating this equipment to an IS&T data center or existing IS&T service. Exceptions to the network traffic filtering may also be established to allow these services to remain in operation.

Community members requiring access to their desktop systems from outside MIT's network are encouraged to use MIT's virtual private network (VPN) service for access, rather than opting out of the default network security policy. Please see below for additional information about MIT's VPN.

Access to MIT Administrative Systems

Access to major MIT administrative applications (SAP, Data Warehouse, MITSIS, etc.) will require connecting from MIT's network, either through being on-campus or making use of MIT's VPN service. This service is available for all major desktop operating systems and mobile devices. For additional information about MIT's VPN, please see http://ist.mit.edu/vpn.

Password Policies

Insufficiently complex passwords and passwords that are not regularly changed present a significant risk to MIT's security, and are routinely exploited by attackers to obtain access to MIT services for malicious purposes, such as sending "spam" email. As mentioned above, some MIT provided academic and communications services will remain open to the public Internet, such as email, Stellar, and WebSIS. Without strong passwords in place, these systems remain at risk.

In order to address this vulnerability, MIT will implement more standard password quality and expiration policies. Kerberos passwords will be required to be changed yearly; affected community members will be notified via email to change their password at least two months prior to expiration. Passwords will also be tested to ensure a minimum level of complexity; existing weak passwords will be required to be changed.

Additional Resiliency for MIT Web Site and External DNS Service

MIT's primary web site (web.mit.edu / www.mit.edu) is a high-profile target for electronic vandalism, and has been the target of several recent distributed denial-of-service (DDoS) attacks. In order to mitigate this risk, MIT will begin making use of Akamai's content distribution network to provide access to both web.mit.edu and www.mit.edu from off-campus. There will be no change in behavior for on-campus use of either web.mit.edu or www.mit.edu.

In addition, MIT will make use of Akamai's network for providing MIT.EDU Domain Name Service (DNS) for clients outside of MIT's network. Clients on MIT's network will not make use of Akamai for DNS, but please see below for a change that will affect MIT's internal DNS servers.

Securing MIT's Domain Name Service (DNS) Servers

Historically, MIT's domain name service (DNS) servers have been operated as "open" resolvers, allowing recursive access from any client on the Internet. This configuration is no longer recommended, and is known to be a potential risk; it can be exploited to cause MIT's DNS servers to participate in denial of service attacks against other Internet sites. In the near future, MIT will restrict recursive access to the MIT DNS servers to clients on MIT's network. This may require some off-campus clients with non-standard configurations to reconfigure their systems, but impact to the MIT community should be minimal.

Questions about planned changes highlighted above can be directed to cybersecurity-questions@mit.edu.