Meetings and News

Using the DuoSecurity "Push" Feature in the CWRU VPN

posted Mar 11, 2017, 10:06 AM by Thomas Siu   [ updated Mar 11, 2017, 10:08 AM ]

In response to a statement from committee Chair A. Herin in the March 2017 Committee Meeting, members of the FSCICT Committee asked about the DuoSecurity Push feature.

Here is a reference to the online documentation on how to use Duo with the VPN interface.  It should be noted that the CISCO VPN does not have the availability of "help bubbles" to guide a user unfamiliar with the interface, so we are reliant upon this documentation, and if additional questions arise from a user, we anticipate they would call the CWRU Help Desk for assistance and advice.

Mid-way down the page, under the
  section, the steps are noted.

Information Security has training videos posted, but FSCICT members should note that the use of the Duo Passcode feature is the preferred method for login to the VPN, for simplicity's sake.

Meeting 2016-10-10

posted Oct 6, 2016, 11:06 AM by Steven A. Hauck

The October meeting will be held in Adelbert M2 from 10-11 AM.

Meeting 2016-09-12

posted Sep 6, 2016, 5:52 PM by Steven A. Hauck   [ updated Sep 6, 2016, 6:32 PM ]

The September 2016 meeting will be in Adelbert M2.

Preventing others from accessing your CWRU account

posted Nov 26, 2014, 4:54 AM by Raymond Muzic   [ updated Nov 26, 2014, 9:50 AM ]

Information Technology Services (ITS) is piloting a dual factor authentication mechanism.  
This means that login would use a password and another piece of information such as a code transmitted to your smartphone, a text message, or land-line.

While it takes a little extra effort to log in, the advantages are that 
  • others are prevented from accessing your account even if they have your password
  • passwords might not have to be changed as often as they are now.

Opt-In to give Duo Security a try
  1. Go to this page http://securityaware.case.edu
  2. Click  Duo Security self-enrollment page
If you want to preview how authentication works after you are enrolled in Duo, look here.

Meeting 2014-10-28

posted Oct 26, 2014, 12:32 PM by Angelina Herin   [ updated Nov 23, 2014, 5:14 PM ]

Agenda 

1     Review and accept Minutes 

2     Committee Announcements

       Advisory Committee on Research Computing (ACRC) - FSCICT representatives Roger B, Chris B

       Information Technology Services Planning and Advisory Committee (ITSPAC) - Angelina 

       ITSPAC Security & Policy Subcommittee- Tom S, Angelina H 

       Council of Technology Officers - Roger Z.

        FS Committee on University Libraries - Kurt K. 

3   OLD BUSINESS: Continue Discussion on Topics for AY 2014-2015. Current suggestions include: 
      
                               Data Storage Solutions and Options 
     
                               ADA Compliancy Issues, specifically with the CWRU search box on internal pages 

4      NEW BUSINESS:  Meet the new CIO, Sue Workman. 
    

     

Meeting 2014-09-11

posted Sep 10, 2014, 8:20 AM by Angelina Herin   [ updated Sep 10, 2014, 8:21 AM ]

1   Introductions 

2   Role of FSCICT (including charge to the committee) as it relates to the institutional community.   Note: Student and 
      faculty members of committees of the Faculty Senate who are not elected senators may attend all meetings of the 
      Faculty Senate. If you would like to exercise this option please contact me so that I can ensure the Chair of the 
      Senate and the Secretary of the University Faculty are alerted and issue formal invitations. 


3   The website http://fscict.case.edu is world-read; FSCICT and a few others can write and edit.

      FACULTY SENATE websites: http://case.edu/president/facsen/index.html (main)   

                                   https://sites.google.com/a/case.edu/cwru-faculty-senate/home 

                                    (working documents, only available to senators)


4       Logistics - Confirm meeting schedule (The Matrix); materials distributed electronically.

         •   I recommend that you bring a laptop or tablet

         •   Taking Minutes (monthly assignment - please see Matrix).

         •   Suggesting topics, agenda items; addressing concerns. 


5     Committee Introductions and Updates

       Advisory Committee on Research Computing (ACRC) - FSCICT representatives Roger B, Chris B

       Information Technology Services Planning and Advisory Committee (ITSPAC) - Angelina 

       ITSPAC Security & Policy Subcommittee- Tom S, Angelina H

       Council of Technology Officers - Roger Z.

        FS Committee on University Libraries - Kurt K. 


6     Meeting at different schools, college, or entities. SOM, CAS, SON, CSE, SODM, MSASS, ITS, WSOM, Students & 

        postdocs all represented by FSCICT members.

        In 2012-2013, FSCICT met with SOM, CSE, SODM, ITS, and Internationalization so we should prioritize other 
        entities. We did not venture into the colleges/schools last year – is this something we should reconsider for this 
        year? 

7   OLD BUSINESS: Updates on existing projects 
      Priorities Review Board overview and summary of last year's projects  – Colleen Nagy

       DuoSecurity Project: overview and progress - Chet Ramey 
 
       

8      NEW BUSINESS:      
        Identify Topics for AY 2014-2015:

        Interactions with schools, college, entities 

        Two Factor Authentication/DuoSecurity 

        Electronic signatures

        Network Access

        Box.com

        Others: Bring ideas, concerns, topics; now and throughout the year. Solicit input from the constituency you     

        represent. 

Digital Security Updates - Perspective from GSS Representative to FSCICT Kate Dunning

posted Apr 15, 2014, 6:10 PM by Raymond Muzic

Note sent 4/15/2014

--

Hello all,

Two parts to this email: (1) updates in the wake of the Heartbleed security breach and (2) two potential updates to CWRU's approach to digital security.

---

Heartbleed Security Updates

Coming out of yesterday’s meeting of FSCICT (Faculty Senate Committee on Information and Communication Technology) I would like to send some important updates concerning digital security in the wake of the Heartbleed security breach, which I’m sure you have all heard about by this point.

Many companies are working on patching their sites, but here’s what you can do:

·         Change your passwords for important sites, like your finance related websites, your social media sites, your CWRU passwords, etc. Many companies will not ask you to reset your password, but it is a good idea to do so by going directly to the website, rather than using an alternate link. To emphasize, CWRU is not pushing password changes as a reaction to the Heartbleed OpenSSL vulnerability and will not be sending a link asking you to reset your password because there is no indication that accounts were compromised. That said, resetting your password is good in a general context.

·         Consider using a password manager like LastPass, which is a free service if used only on the computer or $12 per year to use it on your mobile phone as well. This site allows you to create one complex passphrase that you can remember and then auto-generate complex, secure passwords for your other sites. There are additional security factors available through this service as well, including two-factor authentication. I would be more than happy to help anyone interested in setting this up. It’s very simple, secure, and effective.

·         Consider using two-factor authentication. Facebook, among others, for example, allows you to have a code texted to your phone when you enter your password into the website. This way, if someone gets your password, they still cannot access your account (and you are aware that someone has attempted to access your account). While CWRU Single Sign-On does not yet offer two-factor authentication, there is a pilot for two-factor authentication when using VPN. Remember, using a service like LastPass allows you the option for two-factor authentication on any site.

·         Be aware of phishing attacks, especially in the wake of Heartbleed. Many attackers are using this as an opportunity to send emails asking you to reset your password by misdirecting you to a phishing website. Always type in the site URL yourself, rather than using the link from the email. The Chief Information Security Officer reported yesterday that most CWRU accounts that are compromised are compromised through phishing attacks rather than hacked passwords. So have strong passwords, but also pay careful attention to where you enter those passwords.

·         When possible use a passphrase rather than a password. For example, “My cat is adorable” could become “*My_cat_is_adorable!*2010”—this 25 character phrase is a lot easier to remember and just as secure as this 25 character gibberish: dfjKH35#d9&d)dh!Ujdwhnd_m. Another option recommended, especially if limited in characters, is taking the first letter of each word in a favorite lyric, poem, or phrase. So, if your favorite song goes, “I can call you Betty, and Betty when you call me, you can call me Al,” then you’ve got, “PS-IccyB,&Bwycm,yccmA.<1986>”—or some variation on that based on character constraints.

 

General CWRU Digital Security Update

CWRU is very concerned with making sure that all accounts are secure and important information protected.

As part of this effort, two changes are under consideration and your feedback is appreciated if you have an opinion: (1) increasing the passwords for Single Sign-On to a 12-15 character requirement and (2) adding an optional (and perhaps eventually required) two-factor authentication for Single Sign-On.

If you like or have concerns about either of these possibilities, please don’t hesitate to send your comments to me.

Thank you and I hope some of this information is useful for you!

Best,
Kate

PS - For those who are also Paul Simon fans, here's a bonus for making it through the whole email: You Can Call Me Al and The Boxer


---
Kate Dunning
Ph.D. Candidate
The Department of English
Case Western Reserve University

Test-drive a system for improving security of logins

posted Apr 14, 2014, 10:01 AM by Raymond Muzic   [ updated Apr 14, 2014, 10:17 AM ]

Tom Siu, our Chief Information Security Officer, is looking for people who want to test-drive a system for improving security of logins without making things over-burdensome for users.  

Google and other sites now support two-factor authentication (e.g. something you know and something that you have).  For example, you know your password and have your mobile or office phone.  

By using two factors to authenticate (login), the consequences of having your password stolen, hacked, or phished are reduced.

Please give it a try:  https://sites.google.com/a/case.edu/cwru-duoenrollment/home and tell Tom what you think.

In conjunction with this there are other changes under discussion
* increasing the password length requirement but making it easier to remember by not requiring numbers or symbols
* not requiring passwords to be changed each year if people are using two-factor authentication

Heartbleed OpenSSL Vulnerability

posted Apr 11, 2014, 6:11 AM by Raymond Muzic

Please note this message from ITS regarding the security flaw that has been recently reported in the media.
