
Security Announcements

Next Phase of Stanford's Encryption Initiative

October 16, 2015

Dear Colleagues,

As you are all aware, information security remains a shared concern and plays an important part in protecting university assets and personal privacy. To strengthen this protection, in January 2014 the university established a requirement to verifiably encrypt all employee Windows and Macintosh laptops/desktops used on the campus network by May 31, 2015 (with limited exceptions for special research equipment). More than 24,000 of these computers are now encrypted, and I deeply appreciate your participation in this effort.

The theft and loss of devices has been (and will continue to be) a common occurrence, and if these devices are not encrypted, the consequences to the university can be highly time consuming and expensive. Fortunately, modern encryption technology provides robust protection for both Stanford data and personal information, with virtually no downside.

What's new?

We are now entering the next phase of the encryption initiative where we are: 1) requiring verifiable encryption of Apple and Android mobile devices that are used by employees on the campus network; and 2) restricting access to the campus network from unencrypted laptops, desktops, and mobile devices that are subject to the requirements. This phase will be rolled out over the next few months. With more than 12,000 employee mobile devices already verifiably encrypted using AirWatch (Stanford's mobile device security solution), we are well on the way to completion on the mobile front.

What should you do first?

As an important first step, please visit our new "My Devices" website (mydevices.stanford.edu) to see a list of the computers that Stanford's records indicate are currently associated with you, along with their compliance statuses. If you see a device that is no longer in use or no longer associated with you, simply click the "Remove" button. You can find more information about each device by clicking on the link in the Model column.

What happens next?

On October 20, we will begin a rolling deployment of the mobile device encryption requirement and the unencrypted laptop/desktop/mobile device network restrictions, progressively including all employees over several months. When your time comes, we will notify you by email, and you will have a 30-day grace period to encrypt any non-compliant devices. A 30-day grace period also applies to any new devices as well as those that fall out of compliance. We will send you weekly reminders listing these non-compliant devices and the remaining grace period days for each. The emails will refer you to My Devices and our Encryption website (encrypt.stanford.edu) for instructions explaining what to do and how to get help if needed.

What's not new?

Visitors to Stanford and employees with personal devices not used for Stanford business can use the guest wireless network without having to meet the encryption requirements. Meanwhile, the long-standing University policy to verifiably encrypt all devices storing HIPAA and other High Risk data (dataclass.stanford.edu), regardless of ownership or where they are used, remains unchanged. In special cases where specific research computing systems cannot be encrypted and no High Risk data is involved, exceptions can be requested.

The tools provided to assist you in the encryption process and subsequently periodically verify the compliance status of your devices have long been in use at Stanford, and we are committed to full transparency regarding the operation of these systems. VLRE, one of the newer tools developed in-house, is an encryption verification option for laptops and desktops where High Risk data is not involved. To validate its functionality, the source code was reviewed by Stanford's Computer Science department. You can find information about what data is collected by SWDE/BigFix, VLRE, and AirWatch. We specifically do not collect user content (email, calendar events, contacts, instant messages, personal files, etc.), passwords, or GPS location information from devices using these tools.

Where can you find more information?

Your starting point for information security is security.stanford.edu, where you can quickly find links to the My Devices and Encryption websites along with a copy of this memo.

Thank you for supporting this important privacy and security initiative.

Sincerely,

Randy Livingston
VP of Business Affairs

Encrypting Employee Laptop and Desktop Computers

August 5, 2014

Dear Colleague:

Proactively encrypting your laptop and desktop computers is the single most important step you can take to protect your information and the University's data in the event the device is lost or stolen. The University has established a goal of verifiably encrypting all faculty, staff, and postdoc Macintosh and Windows computers by May 31, 2015, and we are asking you to begin now using one of three options presented below. This requirement applies to both Stanford and personally owned computers that will continue to be used for Stanford activities on the campus network, other than those granted exceptions due to special research requirements. Anyone who stores, transmits, or accesses High Risk Data information as defined under the Risk Classifications should have all data encrypted now and not wait until the May 31, 2015 deadline.

As you may know, an Ad Hoc Faculty Committee on IT Privacy met last spring on a wide variety of information security issues and affirmed the importance of encrypting employee computers used for Stanford activities. When these systems are lost or stolen, it often leads to months of follow-up and remediation effort that could have easily been prevented if the systems had been encrypted. More than 16,000 University employee laptops and desktops are already encrypted (thank you!) via the Stanford Whole Disk Encryption (SWDE) service, which turns on the built-in encryption capabilities of both Macintosh and Windows computers. SWDE includes the University's systems management utility called BigFix, which also periodically verifies encryption status and collects other information regarding the device.

On rare occasions during the encryption process, we have seen disk failures occur. For this reason, as well as being a general best practice, you are strongly encouraged to back up your files before starting to encrypt. CrashPlan PROe provided by University IT is the recommended backup service and is widely used within Stanford, but your local IT group may provide other options. CrashPlan encrypts your backups for secure storage and also provides the option of setting a secondary password to ensure that only you can restore the files. 

For encrypting your computer, there are currently three options:

  1. To make rapid progress toward the May 31, 2015 deadline, we are presently focused on encrypting the more than 15,000 computers with BigFix already installed that have native encryption capability but are not yet encrypted. For those SWDE-ready computers, users will soon be requested to initiate the encryption process, beginning with a short "Stanford Device Identification" questionnaire that will appear on the screen as early as Aug. 12, 2014. In the subsequent days or weeks, the SWDE installer will ask to initiate encryption, which can be postponed until a convenient time. Campus IT support staff are familiar with the SWDE installation process and will assist as needed.
  2. Users can download and run the SWDE installer at any time on their systems. SWDE will begin by checking the operating system and hardware configuration and will indicate if any update is needed. 
  3. For those who would like to encrypt now without using BigFix or SWDE, you have the option of checking to see if your system is encryption-ready and activating the native encryption on your own. As a reminder, we strongly recommend backing up your files prior to encrypting.

On Macintosh systems, native encryption is entirely transparent once enabled. On Windows systems, the only noticeable difference will be the need to enter another password of your choosing upon booting. Some older Macintosh and Windows systems may need to be upgraded to be encryption-capable, and your local IT staff can help you in those cases. The Information Security Office has a process for you to request an exception from the encryption requirement for research computers that are not yet capable of efficient encryption. 

In the coming months, further communications about the University's encryption initiative will be sent, and utilities will be made available to easily attest the encryption statuses of your computers. More information about encryption is available at encrypt.stanford.edu, and help is available by submitting a HelpSU request. I urge you to encrypt soon as a supplement to the other information security best practices we have been recommending, including regularly patching your operating system and applications, backing up your files, choosing strong passwords, and remaining vigilant for phishing attempts. Thank you for your continuing partnership in these efforts to protect Stanford's data as well as your personal information.

Kind regards,

Michael Duff
Chief Information Security Officer

Faculty Committee Formed to Discuss Information Security

February 13, 2014

Vice President for Business Affairs Randy Livingston announces the formation of a faculty committee to assess the information security challenges facing Stanford and help chart institutional strategies for addressing them. Several elements of the information security mandates announced on Jan. 15 for Stanford employees will be suspended in the meantime.

Dear Colleagues:

On Jan. 15, I sent you a communication outlining new information security mandates for University employees. Since that time I have heard from a number of faculty expressing their concerns about the potential impact of the mandates on individual privacy and research productivity. While all of us share the goal of containing and mitigating information security risks, we want to respect and protect individual privacy, and avoid impairing the University's research efforts.

On Feb. 11, I met with the Faculty Senate Steering Committee to discuss faculty concerns. I proposed formation of a special faculty committee to assess the information security and privacy challenges facing Stanford, help chart an institutional strategy that reflects the diverse needs of University stakeholders, and partner with the administration in revising the mandates. The faculty committee will be formed within the next two weeks and will be led by Andy Fire, Professor of Pathology and Genetics, and co-chaired by David Palumbo-Liu, Professor of Comparative Literature and English, who are also members of the Faculty Senate Steering Committee.

While the committee undertakes its review, all agree that we should suspend several elements of the mandates as described below:

1. Windows XP - The mandate to migrate from Windows XP laptops and desktops will be suspended for devices that manage scientific instruments or run unique software applications that cannot be easily upgraded. The April 8 deadline will remain for laptops and desktops used as standard business systems.

2. BigFix - The deadline for installation of BigFix will be suspended for systems that do not store or access personally identifiable information (PII), such as Social Security and credit card numbers or protected health information (PHI). BigFix must be installed on University and personally owned systems that store or can access PII/PHI no later than May 28.

3. Identity Finder (IDF) - This tool, which scans computer files to identify PII that a user may have downloaded unwittingly, will not be used except with specific consent of the individual whose files are being scanned.

4. Encryption - The requirement to encrypt laptop and desktop devices will remain with the following deadlines:

  1. New University-owned laptops and desktops must be encrypted immediately following purchase.
  2. SWDE encryption must be in place on all University-owned and personally owned devices that store or can access PHI in any manner by Feb. 28.
  3. SWDE must be in place on all devices storing more than 500 PII records by July 31, and with more than 10 PII records by Nov. 30. PII belonging to the device user and family members, such as would be found on copies of an individual's tax return, will not be counted under this requirement.
  4. With the exceptions of the devices that manage scientific instruments without PHI/PII, we will pursue a goal of having encryption in place on all laptops and desktops by May 31, 2015.

5. Encryption for Mobile Devices - The requirement to install Mobile Device Manager (MDM) is suspended for those individuals with no access to PHI. However, for those with access to PHI, the original mandate to install MDM on University-owned and personally owned mobile devices by Feb. 28 will remain.

6. File Backup - Frequent and secure file backup is highly recommended for all systems and all members of the Stanford community. We are suspending the requirement to use a University or department managed file backup service, but these services remain available to all members of the Stanford community.

Once the faculty committee is formed, we will communicate its membership and encourage all of you to provide input to them.

We also will be issuing additional communications soon providing tips for maximizing your own computer security and answering common questions we have been receiving from the Stanford community. Strengthening our information security is an imperative for the University, but we intend to do so in a manner that is consultative and using transition processes that are as simple as possible for everyone to implement. Thank you for your partnership in these efforts.

Regards,

Randy Livingston
Vice President for Business Affairs

New Security Requirements for University Employees

January 15, 2014

In a letter to the Stanford community, below, Vice President for Business Affairs Randy Livingston provides an update on information security at Stanford and outlines new requirements for University employees. Deadlines are provided for implementing each of the new requirements.

Dear Colleagues:

Over the past several months, we have undertaken several initiatives to improve the security of Stanford's IT environment and protect the privacy of information stored on our systems. Thank you for your support in changing passwords and adopting two-step authentication.

To further improve information security and privacy, we will be requiring several additional steps for all University employees. These requirements apply to all University-owned laptops, desktops, smartphones, and tablets ("devices"); personally owned devices used on the Stanford Network; and personally owned devices that could be used to access Protected Health Information (PHI) or other High Risk Data. Other personally owned devices used at home or on the wireless Stanford Visitor network are encouraged to follow these mandates, but not required to at this time. Your organization may impose additional security requirements that you are required to follow. Exceptions to the mandated requirements are outlined at the end of this communication.

  1. Windows XP Migration - Windows XP will no longer be supported by Microsoft after April 2014, and as a result, represents a significant security vulnerability. Approximately 2,500 Windows XP systems are currently used by University employees. Employees with Windows XP laptops or desktops must migrate to Windows 7 Enterprise or Ultimate, or Windows 8 Pro or Enterprise no later than April 8, 2014. The University now has a site-wide license with Microsoft whereby employees can download the latest operating system and application versions at no cost.
  2. BigFix - BigFix is a program that ensures operating systems and other applications are patched with the latest security updates. More than 80 percent of employee laptops and desktops already have BigFix installed. All desktop and laptop computers are required to have BigFix installed no later than May 31, 2014. BigFix can be downloaded from the University IT website and installed directly by any Stanford employee.
  3. Identity Finder - IDF is a program managed by BigFix that scans your computer files for personally identifiable information (PII) such as Social Security numbers and credit card numbers, and provides you or your IT support team with a report that allows you to delete PII that is unneeded. In a broad pilot program last spring, 15 percent of scanned systems had more than 500 PII records, and an additional 15 percent had between 100 and 500 records. Starting on Feb. 28, 2014, BigFix will install IDF and occasionally run in the background on your system, similar to a virus scan or file backup. No action is required on your part to run the program, but you will be notified if PII is found on your system, and you should then delete unnecessary files. Your technical support team will be able to assist you to ensure permanent deletion.
  4. Encryption - All laptop, desktop, and mobile devices must be encrypted. If a device is lost or stolen, encryption ensures that a third party cannot access protected information, such as PII or Protected Health Information (PHI) that may be stored on the device. In addition, it provides the University a "safe harbor" with respect to legal requirements to report a breach of information stored on the device. We have learned that a stolen device may be determined after the fact to have PII/PHI even when the user believed there was none. Given this understanding, and the high incidence of PII found by IDF scans, we are requiring all devices to be encrypted with the following deadlines:
    1. All new laptops and desktops purchased with University funds must be native encryption capable and install Stanford's Whole Disk Encryption (SWDE) service immediately. Operating systems supporting native encryption currently are: Mac OS X 10.7 or later, Windows 7 Enterprise or Ultimate (TPM chip required), or Windows 8 Pro or Enterprise. Replaced systems must be relinquished upon receiving the new one.
    2. All iOS and Android mobile devices must install Mobile Device Manager (MDM) to encrypt the device no later than Feb. 28, 2014.
    3. All laptops and desktops that store or can access PHI in any manner must install SWDE no later than Feb. 28, 2014.
    4. All remaining laptops and desktops will be required to install SWDE by a specified date based on the number of PII records found by IDF. Systems with more than 500 PII records must install SWDE by July 31, 2014; systems with more than 10 PII records must install SWDE by Nov. 30, 2014; and all remaining systems must install SWDE by May 31, 2015.
  5. File Backup - All documents, files, and custom programs relating to University activity must be backed up on a regular basis by a University or department managed service. File backup capability should be in place before SWDE is installed, and must be implemented for all devices no later than May 31, 2015. Stanford laptops and desktops typically store many years of important work products and enable our daily work. When devices are lost, stolen, or otherwise compromised, critical data can be irretrievably lost. When they are backed up, lost data can be readily recovered.

Your technical teams will receive additional details to aid in the implementation of these requirements by the dates specified below. In some instances your School or Department may have established earlier deadlines for completing the tasks outlined in this memo. Further communication will be forthcoming to department IT groups regarding security requirements for servers, and to student and postdoc populations regarding requirements for their devices.

Mandate Deadline Summary

File Backup: Prior to Encryption
Encryption — New Laptops/Desktops: Today
Encryption — Mobile Devices: Feb. 28, 2014
Encryption — Existing Laptops/Desktops that Store/Access PHI: Feb. 28, 2014
Identity Finder Scans — All Laptops/Desktops with BigFix Installed: Feb. 28, 2014
Windows XP Migration: April 8, 2014
BigFix Installation — All Laptops/Desktops: May 31, 2014
Encryption — Existing Laptops/Desktops with >500 IDF Records: July 31, 2014
Encryption — Existing Laptops/Desktops with >10 IDF Records: Nov. 30, 2014
Encryption — All Laptops/Desktops: May 31, 2015

EXCEPTIONS - A handful of laptop and desktop devices are used for complex computation purposes where these management tools might interfere with their effective operation. In addition, some devices are used to control scientific instruments and cannot be upgraded at this time. For these situations, you should request an exception. In addition, Linux systems, BlackBerry mobile devices, and Windows Phones are temporarily exempted until SWDE and MDM are available for these platforms. Until they are available, these devices should not be used to store, process, or transmit PHI or other High Risk Data without a formal exception.

Thank you for the steps that you and your organizations have already taken to increase our security standards. I appreciate your understanding and cooperation as we work together to protect both University data and personal information through the implementation of these best practices.

Sincerely,
Randy Livingston
Vice President for Business Affairs

Activating Two-Step Authentication

September 24, 2013

In a letter to the Stanford community, below, Vice President for Business Affairs and Chief Financial Officer Randy Livingston provides an update on information security at Stanford and announces that two-step authentication will be required for SUNet users. The process allows users to choose one of three methods -- a printed list of codes, text messaging, or a smartphone app -- to provide a second level of identity verification when logging into Stanford systems.

Members of the Stanford Community:

I am writing to notify you of additional steps to enhance the security of Stanford’s information systems and protect against the pervasive threat of online attacks. In addition to the initial password changes we required over the summer, we now ask all University community members with a SUNet ID to activate two-step authentication, a simple and highly effective security mechanism already adopted by many organizations.

Starting this Thursday, we will begin requiring anyone with a SUNet ID to have two-step authentication enabled in order to access web-based services. The community will be added on a rolling basis, so your prompt to enroll may occur anytime over the next several weeks. Already more than 10,000 SUNet ID account holders have voluntarily elected to use this enhanced security.

Two-step authentication substantially reduces the ability of would-be intruders to access your account by requiring a second login code in addition to your password. Commonly, this is a random numerical code generated by a smartphone application or sent via text message to your phone. You will be prompted for this extra code at least once a month for each computing device and browser that you use.

I encourage you to go to the Accounts page and enroll now, if you have not already. Once at the Accounts page, click “Manage,” then click “Two-Step Auth” and follow the instructions.

We will be taking additional measures over the next few months to further safeguard our information systems. Your technical support teams and University IT will be working with all campus units to upgrade or replace older Windows XP operating systems and to encrypt all employee laptops and mobile devices. We also intend to require longer or more complex passwords.

I will continue to provide updates on our progress. Thank you for your understanding and cooperation as we work together to protect both University data and personal information through the implementation of these information security best practices.

 

Sincerely,
Randy Livingston
Vice President for Business Affairs
Chief Financial Officer

Update on Attack of Stanford's IT Systems

August 19, 2013

In a letter to the Stanford community, Vice President for Business Affairs and Chief Financial Officer Randy Livingston provides an update on the recent breach of Stanford's information technology systems and offers recommendations for maximizing one's own computer security.

Members of the Stanford Community:

I’m writing to you today to outline steps that the University is considering to make our network more secure in light of the attack on Stanford’s information systems infrastructure that occurred last month.

Background

In late July, Stanford discovered that an unauthorized party or parties gained access to a portion of its information systems infrastructure. The attack appears to have been launched from an overseas location and was similar to foreign state-sponsored attacks reported in recent months by many large organizations in the United States. The purpose of the attack remains unclear, although data security experts suggest that these kinds of attacks are aimed at capturing intellectual property that could have commercial and economic value to the intruders' country. The intruders may also be interested in tracking activities of their overseas citizens. Universities are increasingly the focus of these intrusions, as reported by The New York Times in its July 16 article, “Universities Face a Rising Barrage of Cyberattacks.”

Upon discovery of the attack, as a security measure we sent a notification to all employees and students directing them to immediately change their passwords. While our investigation is continuing, we believe the attackers gained access to all Stanford SUNet ID account usernames and a “hashed” version of the passwords. The hashing algorithm converts a password into a different string of characters. While this hashing of passwords disguises the original password, hackers have the capacity to decipher simpler and shorter passwords. Though Stanford has no evidence that the hashed versions of the passwords were deciphered, Stanford is notifying all SUNet ID account holders of that possibility.

At the present time, we have no evidence that personal information — other than usernames and hashed passwords — has been accessed, but this is an ongoing process and we are continuing to investigate. Stanford has retained experts to assist us in this investigation, and we continue to work with law enforcement as well. As the Times and others have pointed out, cyber-intruders are persistent in their attempts to gain access to information systems and are very good at covering their tracks. We will continue to update the community and take action as information develops.

New security measures underway

To better protect Stanford assets and our information — including University data as well as personal information — additional security protections are being adopted to meet the ever-increasing threats of attacks. These safeguards will result in some inconvenience to users, but please be assured they are being implemented to improve our overall security.

One of the first measures will be to implement two-step authentication. When logging into certain Stanford applications like Axess or Oracle, in addition to their user names and passwords, users will need to input a second factor or means of identification. Users can learn more about two-step authentication and voluntarily begin using it by going to the Accounts page on the Stanford website. Click “Manage,” then click “Two-Step Auth” and follow the instructions. To date, more than 3,000 SUNet account holders have begun using this security feature. In the coming weeks, two-step authentication will become mandatory for accessing certain critical applications.

In addition to two-step authentication, Stanford is also taking steps to improve and enhance the security of its core infrastructure systems.

It is important to recognize that the hackers of today are very sophisticated. We cannot assume that new procedures, passwords, and security enhancements fully eliminate their continued presence. It may take several iterations of security improvements over some period of time to regain confidence in the security of the network.

Cooperation from users is essential

While we have no evidence that personal information — other than usernames and hashed passwords — has been accessed, the University is encouraging all users of Stanford’s computer network to be increasingly vigilant regarding their online activities. Cooperation from the University community will be essential, and everyone — staff, students, and faculty — will need to take more personal responsibility for the security of user devices and confidential information.

Users should, at a minimum, take the following steps to protect themselves and the University:

  • Change passwords regularly, both for University connectivity and for personal use — financial, health, etc. For any personal accounts, use passwords that are different from your SUNet password.
  • Follow protocols to make passwords more difficult for an unauthorized user to determine, including using capital and lower case letters as well as numbers and symbols. The longer and more complex the password, the safer it is.
  • Be aware of efforts by outside parties to gain access to passwords and personal identification information. This begins with understanding and recognizing “phishing” attempts. A phishing attack is the practice of attempting to obtain your user name and password or other confidential information, typically by sending an email that looks as if it is from a legitimate organization but contains a link to a fake website that replicates the real one. Phishing attacks have been increasing and are more sophisticated than ever.
  • Turn on the native encryption capability provided by recent versions of Mac OS X (versions 10.7 and newer) and Windows 7 (Ultimate or Enterprise edition) or Windows 8 (Professional or Enterprise edition) and through Mobile Device Manager (MDM) for iOS devices (versions 5.1 and newer) and compatible Android devices (Android OS version 4.0 and newer). Talk to your department’s IT contact for guidance as to the procedure for turning on that capability.
  • View the information security awareness video on the Accounts site referenced earlier.

As many employees have multiple devices that are linked into the Stanford system, use best practices for securing not only your University-issued devices but also your home computer and personal mobile devices.

Moving forward

Further investigatory work — systems diagnostics, intensive activity monitoring, and working with law enforcement — is helping us understand more specific details of the attack on our system. Much of this work must remain confidential as it is helping to identify further steps that the University can take to protect and ensure the security of its systems and data.

As has been the case with other organizations that have experienced similar intrusions, efforts to ensure that Stanford’s infrastructure is free from compromise will be measured not in days or weeks but in months. The sophistication and persistence of these kinds of intrusions, combined with the complexity of the University’s data and information systems, create challenges that make the securing of those systems a painstaking process.

Thank you for your support and understanding. We will keep you updated on our progress.

Sincerely,

Randy Livingston
Vice President for Business Affairs
Chief Financial Officer