
Office of Audit, Compliance & Privacy

Case in Point:
Lessons for the proactive manager

September 2017
Vol. 09 No. 09
“It's the little details that are vital. Little things make big things happen.”

-- John Wooden

As we've done in prior years, this month we turn our attention to IT security as October marks the start of National Cybersecurity Awareness Month. Robert Gottesman, Director of Institutional Compliance & Privacy, shares some important thoughts. If you were not aware, Robert works behind the scenes to make Case in Point possible every month. Special thanks to Robert for his great work on this and for sharing additional expertise on an important topic this month.

* * *

Sometimes it's the seemingly simple things that cause the biggest problems. That is what appears to have happened with the recent Equifax data breach. Since 2004, October has been designated Cyber Security Awareness Month. For the last twelve years, the media, the National Cyber Security Division within the Department of Homeland Security in cooperation with the National Cyber Security Alliance, and various other organizations have repeatedly reminded us: patch your computers; use strong passwords.

According to news reports and security bloggers, the Equifax breach was caused when a hacker gained access to their systems in May 2017 due to a known web-application vulnerability. Several months earlier, an application patch was released which would have prevented the breach from occurring. The patch was not installed, and ultimately the personal data of 143 million people, including social security numbers, driver's license numbers and addresses, was exposed. Reporters have also revealed that a web application used by Equifax to handle credit-report content disputes from consumers gave complete access to anyone using the user ID/password combination of "admin"/"admin."

This year alone there have been over 375 publicly reported breaches in the U.S. resulting in the exposure of the records of over 154 million individuals. There are many ways organizations can experience a reportable breach. The vast majority of breaches this year, so far, are the result of outsiders gaining access to an organization's network-connected devices. Access is gained using a variety of methods, but the two most common first steps involve getting users to reveal their passwords via a phishing email or taking advantage of missing hardware or software updates.

The Equifax breach, hurricanes, earthquakes, and other such disasters give the bad guys the perfect opportunity to craft very legitimate-looking emails with the intent to get victims to create accounts, send money, or reveal information they might otherwise think twice about. The hackers know that more than half of all users use the same password for most, if not all, websites that require credentials. If the phishing victim uses their institutionally provided user ID and uses the same password they use at work, the hacker is then able to access the victim's organization as well as any other sites using these same credentials.

Since as early as 2004, security professionals have been evangelizing the idea that "passwords are dead" because passwords alone are no longer enough to protect sensitive information or networks. While we continue to advocate using different passwords for each of your accounts, multi-factor authentication mitigates many of the vulnerabilities of the password alone. Multi-factor authentication requires that the user not only know their user ID and password, but also that they have physical access to a device (e.g. smartphone, token, etc.) in order to complete the authentication. AU has introduced multi-factor authentication requirements into more applications recently and this trend will continue. Many non-university websites also offer the option to enable multi-factor (or 2-factor) authentication, and we highly recommend you do so where this is available.

Software and hardware patches (or updates) sometimes introduce new features, but also correct coding mistakes that can give the hackers a foothold into the connected device and network. Networks are only as strong as their weakest link. Therefore, it is very important to make sure we regularly check for and install manufacturer hardware and software patches. Not only should we patch our work hardware and software but also our home computers, smartphones, and any other internet-connected devices. If a device can access the internet, there is a possibility a hacker can access the device, and then gain access to your home or work network from that unpatched device.

Implementing these two basic security tenets (regular patching together with strong passwords and multi-factor authentication) greatly reduces the threat of someone gaining access to your personal data, whether at work or at home.

  1. If you were one of the millions whose personal information was exposed due to the Equifax breach, we recommend you visit the Federal Trade Commission's resource page for tips on protecting your digital identity.
  2. A fairly comprehensive listing of websites and whether they support multi-factor authentication can be found at https://twofactorauth.org/
  3. A listing of data breaches reported in the US can be found at https://www.privacyrights.org/data-breaches

* * *

Great thoughts on an important and timely topic. IT risks are one of many we face daily in higher education. As you review the events of the past month, we again suggest you consider ways you can proactively manage risk within your sphere of influence. As always, we welcome your comments or suggestions.

M. Kevin Robinson, CIA, CFE
Associate Vice President
Office of Audit, Compliance & Privacy

Information Security & Technology Events

Sep 25, 2017: Your website remains your most influential marketing resource. Students and parents scored websites ahead of financial calculators, school emails and print materials for parents. Your site needs to be easy for smartphone users to navigate because 95 percent of high school seniors and their parents use mobile devices for their web browsing. Moreover, 74 percent of seniors and 60 percent of juniors have completed a college online form on their phone. So make sure it's easy - 29 percent of seniors have submitted applications via phones. (link)

Sep 11, 2017: As a result of the Equifax breach, Northwestern is prepared to provide identity protection and credit monitoring services at no cost for all faculty and staff. (link)

Fraud & Ethics Related Events

Sep 28, 2017: Rick Pitino, the Hall of Fame college basketball coach who over his 31-year head coaching career has led his teams to seven Final Fours and two national championships, has almost certainly coached his last game. The University of Louisville placed Pitino, its figurehead for the last 16 years and the highest paid head coach in all of college basketball, on unpaid administrative leave Wednesday citing allegations of corruption detailed by the acting US attorney for the southern district of New York that implicated Pitino's program and led to the arrest of 10 people including four assistant coaches at other major college basketball programs. (link)

Sep 26, 2017: The Federal Bureau of Investigation has charged several college coaches in conjunction with a corruption scheme saying that those coaches, advisors and others lied and used their stature to influence high school recruits to sign with schools. Oklahoma State assistant Lamont Evans, Auburn assistant Chuck Person, Emanuel "Book" Richardson of Arizona and USC assistant Tony Bland and six others have each been charged in the corruption and fraud scheme. (link)

Sep 25, 2017: Nine Florida football players face potential third-degree felony charges amid an alleged fraud ring, per Alachua County Courts records released Monday afternoon. Sworn complaints show players are accused of using credit card fraud in order to make purchases that included electronic devices. (link)

Sep 25, 2017: A Virginia Tech professor is accused of defrauding the United States government and the university in a case that involves grant funding in excess of $1 million. Yiheng Percival Zhang, 46, is charged with wire fraud, making criminal false claims and making false statements to the "detriment of the United States Government's innovation and development programs," according to a federal affidavit filed in the U.S. Western District Court of Virginia. (link)

Sep 18, 2017: A top University of Florida housing official has been charged with stealing more than $180,000 to buy $16,000 worth of lunches, nearly $45,000 in furniture and $37,000 more in electronics, a report shows. Azfar Mian, 41, senior director of UF housing and education, was arrested Monday night and charged with grand larceny of more than $100,000. According to a UF police report, Mian used state funds to buy $25,000 in household items, more than $11,500 in maintenance items like lawn mowers and more than $44,000 for miscellaneous items including internet service, electricity and seven cellphones. (link)

Sep 11, 2017: A Kirksville man faces up to 30 years in prison and a $1 million fine after he pleaded guilty in federal court to defrauding a University of Missouri fraternity. Burt Beard, 62, a former MU student and business owner in Kirksville, waived his right to a grand jury and pleaded guilty to charges of bank fraud last week before U.S. Magistrate Judge Willie J. Epps. Between March 2008 and August 2014, Beard defrauded fraternity Sigma Alpha Epsilon of at least $380,502, according to documents from the U.S. Western District Court of Missouri. (link)

Sep 07, 2017: Dennis R. Black, the former longtime University at Buffalo vice president who resigned unceremoniously last year, pleaded guilty Thursday morning in State Supreme Court to felony charges that accuse him of stealing $320,000 from a university-related bank account. Black spent stolen funds on an assortment of luxuries and personal expenses, tickets to see James Taylor, Liza Minnelli, Yankees games and Broadway shows, $34,000 for membership in the private Saturn Club, UB staff parties at Bisons games, travel with his wife, and his son's wedding. (link)

Sep 01, 2017: A Canadian university says staffers unwittingly lost $9.5m (C$11.8m; £7.5m) in an online phishing scam. Fraudulent emails convinced staff at MacEwan University that one of its clients was changing its bank account details. Staff then paid money into the fraudulently created account. The university, in Edmonton, Alberta, is auditing its business practices. (link)

Compliance/Regulatory & Legal Events

Sep 29, 2017: The Justice Department announced on Tuesday that it would file a statement of interest in a campus free speech case. The case was originally filed by students against Georgia Gwinnett College, claiming that the institution had limited expression with its free-speech-zone policy. Mr. Sessions said the department would file more statements in the weeks and months to come. (link)

Sep 25, 2017: A new State of Texas law prevents most registered sex offenders from residing in dormitories on private or public campuses. The law codifies a policy already in place at many of Texas' biggest schools. (link)

Sep 22, 2017: The U.S. Department of Education has rescinded two pieces of Obama-era guidance that told colleges how they should handle issues related to campus sexual assault, and has replaced them with new interim guidance. The interim guidance gives colleges the discretion to use a "clear and convincing" standard of evidence, which is higher than the preponderance standard directed by the Obama administration. (link)

Sep 22, 2017: Eight months after a freshman athlete at Wheaton College was allegedly abducted from a dormitory - physically assaulted and threatened with sexual assault in an alleged hazing incident -- administrators at the Christian school in Illinois concluded that the statements of the alleged attackers about the incident were "more credible" than those of the alleged victim, according to a confidential document obtained by ABC News. (link)

Sep 21, 2017: Western Governors University was ineligible to participate in federal student-aid programs, according to an audit conducted by the U.S. Department of Education's Office of Inspector General, and the department should require it to return more than $700 million. The audit includes several findings. The big one .... is that it didn't follow requirements that distance-education programs be designed to provide students with "regular and substantive interaction" with their instructors. (link)

Sep 20, 2017: Four University of Utah students who were literally caught red-handed 15 minutes after allegedly spray-painting two red "U" logos and a white smiling face on the cougar statue at Brigham Young University's football stadium almost got away with the rivalry-inspired act of vandalism, according to a report filed by BYU police. However, the students -- two males, 18 and 20, and two females, 18 and 19 -- returned to the scene of the crime to get selfies and other photographs of their artwork and were arrested by police in the early morning hours of Sept. 9, the day of the BYU-Utah football game. (link)

Sep 19, 2017: Two men who worked for a company that runs the Auburn University transit system have been charged in the alleged rape of an 18-year-old student on one of the buses. James Don Johnson Jr., 32, of Auburn, Alabama, and Tony Martin Patillo, 51, of Columbus, Georgia, were arrested Saturday, the Auburn city police department announced Monday. Each is charged with first-degree rape and first-degree sodomy in the Friday night attack. (link)

Sep 18, 2017: Despite higher education's reputation as a bastion of political correctness, Indiana universities are defending a host of lawsuits brought by black employees who say they were denied opportunities because of their race. Some say they were denied merit raises or tenure. Others say they were ignored by bosses, belittled by them and snubbed by them. (link)

Sep 18, 2017: The Evergreen State College professor at the center of campus protests this spring will receive $500,000 in a settlement that was announced Friday. Bret Weinstein and his wife, Heather Heying, resigned from their faculty positions effective Friday. The couple filed a $3.85 million tort claim in July alleging the college failed to "protect its employees from repeated provocative and corrosive verbal and written hostility based on race, as well as threats of physical violence," according to the claim. (link)

Sep 14, 2017: The University of Oregon agreed to pay a $90,000 settlement to fired Oregon Bach Festival Artistic Director Matthew Halls this week, in the midst of a public relations disaster over his abrupt termination in August. The $90,000 payment to Halls, almost equivalent to one year's pay from the UO to him under his terminated contract, resolves a dispute about how much the UO owed him after ending his contract without cause on Aug. 24. (link)

Sep 14, 2017: Garrett College, Allegany College of Maryland and Frostburg State University now require incoming full-time students to complete an education program in relation to heroin and opioids as part of a new Maryland law. The Start Talking Maryland Act of 2017 became law July 1. It requires schools to offer drug education that includes the dangers of heroin and other opioids starting as early as third grade. (link)

Sep 13, 2017: A group of faculty members and one former graduate student at the University of Rochester filed an Equal Employment Opportunity Commission (EEOC) complaint on Sept. 1 against the university for allegedly failing to address years of rampant sexual misconduct by a male professor. The 113-page EEOC complaint, which was filed by eight complainants, details years of alleged sexual harassment by Florian Jaeger, a brain and cognitive sciences professor at the University of Rochester. (link)

Sep 12, 2017: The Department of Justice has for months been investigating how Utah State University responds to reports of sexual assault. In a January letter released by USU on Tuesday, the department's civil rights division said it had learned of allegations regarding how the school has handled "numerous reports of student-on-student sexual assault." The department said its investigation was focusing on cases between 2013 and 2016. (link)

Sep 11, 2017: Kyle Carrington, a former Liberty University football player, has filed suit against LU, its spokesman Len Stevens and the accuser who made sexual assault allegations against him. With his lawsuit filed Monday in Lynchburg Circuit Court, Carrington becomes the third former football player to sue Liberty, Stevens and the accuser over sexual assault claims made last year that were investigated by the Lynchburg Police Department. No charges were filed in the case. (link)

Sep 07, 2017: More than 30 people were arrested early Thursday evening in Harvard Square during a rally by educators to protest President Trump's decision to phase out DACA, the program that protects young immigrants who came to the United States as children. The protesters were taken into custody around 5 p.m. because they were blocking Massachusetts Avenue, Cambridge police spokesman Jeremy Warnick said. They were charged with either disturbing the peace or disorderly conduct. (link)

Sep 06, 2017: Galen Suppes, a former MU chemical engineering professor, was ordered to pay $600,000 in damages after a 12-person jury voted in favor of the UM System Board of Curators on Wednesday in an intellectual property lawsuit. The jury found him liable for two of the three claims alleged by the curators: that he was in violation of his contract with the UM System and for working in competition against the system. (link)

Sep 05, 2017: Baylor University and an alleged victim of a gang rape by then-football players at the school agreed to a settlement Tuesday in a Title IX lawsuit the woman filed in January. This is the fourth Title IX lawsuit Baylor has resolved related to its sexual assault scandal. The school has also reached settlements with at least three other alleged victims of sexual assault who did not file lawsuits. Baylor still faces six active Title IX lawsuits. (link)

Sep 03, 2017: Michigan State University is being sued by the organizer of white supremacist Richard Spencer's speaking tour. The suit, filed in federal court late Sunday night, alleges MSU violated Spencer's First Amendment rights when it denied him permission to speak on campus. (link)

Sep 01, 2017: As the Florida State University football team was marching to a national title in the fall of 2013, the school was investigating allegations of academic favoritism involving a half-dozen of its leading players, including one who scored the winning touchdown in the championship game. The inquiry, previously unreported, stemmed from a complaint by a teaching assistant who said she felt pressured to give special breaks to athletes in online hospitality courses on coffee, tea and wine, where some handed in plagiarized work and disregarded assignments and quizzes. (link)

Campus Life & Safety Events

Sep 28, 2017: More than a week after Hurricane Maria made landfall, the leaders of Puerto Rico's public university are confronting damaged buildings, broken windows, felled trees, and water damage, a level of destruction that they say will keep their campuses closed for at least several more weeks. (link)

Sep 23, 2017: Cal State Long Beach police have stepped up patrols in the wake of racially charged threats made over the internet and in menacing fliers that targeted Latino and Jewish students, officials said Saturday. The incidents included a threat to shoot leaders of the La Raza Student Assn. posted on the group's Facebook page, and images of Adolf Hitler along with the phrase "finish what he started" taped to doors and windows in and around the campus multicultural center, said campus spokeswoman Terri Carbaugh. (link)

Sep 22, 2017: A bake sale at the University of New Mexico set up by a nonprofit group to charge students based on race and ethnicity ended after outraged opponents disrupted it. The group, Turning Point USA, set up what it called an "Affirmative Action Bake Sale" on campus Thursday with a sign advertising higher prices for Asians and Caucasians and cheaper prices for African Americans and Hispanics. (link)

Sep 19, 2017: The alumni board of a Cornell University fraternity has decided to close the school's chapter indefinitely, the school said Tuesday, after students who may have been involved in the fraternity were accused of attacking a black student, beating him and calling him by a racial epithet. A Cornell undergraduate was arrested in connection with the episode and charged with third-degree assault. (link)

Sep 17, 2017: Four American college students were attacked with acid Sunday at a train station in Marseilles, southern France, a spokeswoman for the Prefecture of Police of Bouches-du-Rhône said. All four are women in their early 20s. Two of them were taken to a hospital and two were in shock, police said. Boston College said Sunday the young women were students who were studying abroad. (link)

Sep 17, 2017: An engineering student from Gwinnett County was fatally shot by a police officer on Georgia Tech's campus Saturday night. The GBI is investigating the incident in which the student, who has been identified by Georgia Tech spokesman Lance Wallace as 21-year-old Scout Schultz of Lilburn, was allegedly barefoot and carrying a knife. (link)

Sep 16, 2017: A New York professor drew ire from City University administrators and law enforcement officials because of a tweet in which he said teaching "future dead cops" is "a privilege." Michael Isaacson, an adjunct professor at CUNY's John Jay College of Criminal Justice, was placed on administrative leave because of the three-week-old tweet, which appears to have recently caught the attention of the college's president and New York City's largest police union. (link)

Sep 16, 2017: The Lipscomb University president issued an apology to the college community on Friday after centerpieces in his home were deemed offensive by students. Randy Lowry invited African-American students to his home for dinner this week to chat about their experience at the university, according to a Facebook post. Some of the students who attended shared their concern about material used for centerpieces which contained cotton stalks, according to the post. (link)

Sep 15, 2017: In a dimly lit, wooded area on the southwest side of St. Catherine University in St. Paul, Minn., the handgun Brent Ahlers brought to work accidentally discharged, wounding him. As a security officer at the Catholic university, Ahlers knew the school did not typically arm its personnel, and he feared that bringing his weapon on campus would lead to his firing, police said. Within minutes, 55 officers swarmed the campus, along with four police dogs and a State Patrol aircraft to search for the suspect. (link)

Sep 06, 2017: A 28-year-old man has been charged with using his iPhone to secretly record a University of Tennessee student inside a women's restroom at a campus dorm. Howard Sterling Hensley II, of Knoxville, was arrested on one count of unlawful photographing in violation of privacy in connection with the Aug. 27 incident, according to an arrest warrant. (link)

Sep 01, 2017: Over the past couple of years, Ohio State University students have used sticky notes and other materials to create messages and artwork on their dormitory windows. But that has come to an end. When students returned to campus this year, they learned the university has adopted a new rule banning all dorm window displays. (link)

Sep 01, 2017: The Dean of Students and Deputy Title IX Coordinator at Fordham University-Rose Hill has reportedly been placed under investigation, after he allegedly brought female students to tears by presenting the political debate over campus sexual assault statistics at an Aug. 18 Resident Assistants (RA) training session. Christopher Rodgers upset the RAs by showing videos depicting the views of the political right and left on campus rape, according to a statement from honors student and RA Rowan Hornbeck. (link)

Other News & Events

If you have any suggestions, questions or feedback, please e-mail me at robinmk@auburn.edu. We hope you find this information useful and would appreciate hearing your thoughts. Feel free to forward this email to your direct reports, colleagues, employees or others who might find it of value. Back issues of this newsletter are available on our web site at https://www.auburn.edu/administration/oacp.

If you have any suggestions for items to include in future newsletters, please e-mail Robert Gottesman at gotterw@auburn.edu.


Office of Audit, Compliance & Privacy
Auburn University
304 Samford Hall
M. Kevin Robinson, Assoc. VP

© Redistribution of this newsletter, with or without modification, is permitted provided Auburn University Office of Audit, Compliance & Privacy is listed as the source.