Beginning on July 5, participating campus units will undergo an external cybersecurity risk assessment. This vulnerability scan, through Cylance, Inc., is intended to identify signs of malicious activity for the purpose of diagnosing possible compromise and risks to participating units. If compromised machines are discovered during the analysis, Cylance will contact the Office of Cybersecurity for follow up and remediation with system owners.
This initiative has received the endorsement of Chancellor Blank, the interim UW‑Madison Chief Information Officer, and the Chief Information Security Officer. The University Committee also understands and recognizes the project need.
Below are detailed answers to frequently asked questions about the risk assessment.
Why are you conducting this risk assessment?
Click to read a message from Interim CIO Mike Lehman giving a full explanation of why this risk assessment is critical.
Who has provided the sponsorship to conduct this risk assessment?
This initiative has received the endorsement of the University Committee, Chancellor Blank, the interim UW-Madison Chief Information Officer, and Chief Information Security Officer.
Who is coordinating the assessment for campus?
The Office of Cybersecurity is coordinating with Cylance and campus departments to conduct the assessment.
Who is Cylance and why was the company chosen?
Cylance is an industry leader in this kind of assessment. They provide a true third-party risk assessment that will help us validate our current approach.
What kind of data is Cylance collecting and analyzing?
Cylance looks for signs of malicious activity for the purpose of diagnosing possible compromise and vulnerabilities. Documents and research data will not be collected, but file names and browser history might be captured for the purpose of comparing this information against known malicious websites and file names.
What is going to happen with data that is collected?
Cylance processes the data collected through their malware detection engines and big data analytics platforms. They will deliver a final report of findings to the assessment sponsors. If they discover a compromised endpoint during analysis, Cylance will contact the Office of Cybersecurity for follow up with system owners. Cylance will only share the detected malicious files for reporting and follow up. All other gathered information will be destroyed.
Will sensitive data be collected?
While faculty, staff and student computer documents will not be collected, sensitive data may be captured incidentally by the Cylance scripts, for example in computer file names that contain such information.
How is sensitive information being handled and disposed of by Cylance?
Data collected by the Cylance scripts is sent over an encrypted channel back to their location for analysis. Once the Cylance report is developed, the original data collected will be overwritten and deleted from Cylance infrastructure. No backups or other copies of the data will be retained by Cylance.
When will the campus data collection start?
Cylance and the Office of Cybersecurity expect to begin the data collection by July 5, 2017. The timeframe for collection will be approximately 12 business days.
Will any personal use activity collected by the scripts be included in the Cylance report?
Browsing and other activities will not be highlighted in the report unless a malicious threat is detected.
Will the collected data be viewed by anyone other than Cylance?
No, only Cylance will have access to the data. However, Cylance will inform the Office of Cybersecurity if they detect any machines that are vulnerable or are infected with malicious code. The Office of Cybersecurity will follow up with those departments to recommend patches, strengthen security, etc.
FAQs for faculty, staff, students
What types of devices will be included in the assessment?
The assessment looks at university-managed endpoint devices, specifically desktop and laptop computers running Windows, Mac OS and Linux/Unix operating systems. Mobile devices such as tablets and smartphones are not included.
Will my personally owned computer be included in the data collection?
Personally owned computers not managed by the university will not be part of the data collection. If your machine is managed by the university, it may be included in the scan unless your IT administrator opts you out.
Can I opt out of the data gathering? How do I do that?
Personally owned computers are not included in the data collection and do not need to be opted out. If your department is participating in the assessment, your departmentally owned and managed computer may be included in the data collection. Please check with your departmental IT administrator to determine if your unit is included in the assessment.
What happens if my computer is found to be at risk?
The Office of Cybersecurity will contact your departmental IT staff to suggest remediation. If you do not have internal departmental support, the Office of Cybersecurity will contact you directly. The data collection is not meant to place blame, merely to assess vulnerabilities and put fixes in place in order to protect data.
FAQs for department IT administrative staff
How does Cylance do the assessment? Do they need to install software on my department’s computers?
Cylance has custom scripts they have developed to do the data collection. The scripts do need to be run on individual computers, but are not installed and will automatically delete themselves as part of the collection run.
Which departments/divisions will be included in the data collection?
We will be contacting units to participate and they will be given the opportunity to opt out.
What operating systems will be included in the assessment?
Cylance’s scripts will run on Windows versions from Windows 2000 through Windows 10, including server versions; on Mac OS X; and on the most commonly used Linux/Unix distributions, including Red Hat, Ubuntu, CentOS, Scientific Linux, Oracle Linux and Debian, as well as AIX, HP-UX and Solaris.
Will there be any outages or slowing of system performance during the data collection?
Cylance has run the data collection millions of times and has told us that the risk of reduced system performance or outages while the scans run is very minimal. The scan is a one-time script that is automatically deleted from machines after the scanning is complete.
What happens if one of the computers I manage is found to be at risk?
The Office of Cybersecurity will contact you with details about the computer and suggestions for remediation.
How many times do the collection scripts need to be run within a department?
It is anticipated that the collection scripts only need to be run once per department to obtain a best-effort snapshot. Departmental machines that are offline when the scan takes place may not be included in the data collection.
How will the scripts be run on individual university-managed computers?
In most cases it is anticipated that existing deployment solutions, e.g. BigFix, Windows SCCM, etc., will be leveraged to run the scripts on individual computers.
My departmental unit computers are managed with the central BigFix installation. How will this affect us?
Cybersecurity will create an environment-wide action that will run the scripts across all endpoints connected to the BigFix management console. Departmental admins will not need to take any action. Cybersecurity will be contacting campus BigFix administrators in June to let them know more details about the pending scans including the planned scanning date(s). In addition, the communication will include details for opting out.
What if my department’s computers are not connected to the Cybersecurity BigFix installation?
Cybersecurity will be contacting selected campus units individually in June to make arrangements for those units to run the data collection scripts. If your unit would like to take part in the data collection but has not been contacted, please send an email request to firstname.lastname@example.org.
What is the difference between “scans” and “data collection” as being used in the Cylance assessment?
In the context of the Cylance risk assessment these terms are both used to describe the same activity. Technically, these are scripts that run locally on individual hosts, not the remote network scans commonly used on campus, e.g. Nessus, Qualys, nmap, etc.
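To make the distinction between a local collection script and a remote scan concrete, and to show the kind of matching described earlier (file names and browser history compared against known malicious names and sites, with only the matches reported), here is an added illustrative script. It is not Cylance's code and does not reproduce their scripts; the indicator lists, the sample files and the browser-history URLs are all constructed for the demo, and real browser-history extraction (which is browser specific) is replaced by a plain list of URLs passed in as an assumption.

```python
"""Illustrative host-based collection script (added example; not Cylance's code).

Runs on one host: inventories files under a root, matches file names and hashes
and a list of visited URLs against a constructed indicator list, and returns a
report that contains only the matches. The full inventory is discarded.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed indicators for the demo. A real engagement would use the vendor's
# threat intelligence; none of these values are real IoCs.
BAD_FILE_NAMES = {"invoice_2017.pdf.exe", "svch0st.exe"}
BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}
BAD_DOMAINS = {"malicious.example", "phish.example"}


def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_files(root):
    """Local inventory: (path, name, sha256) for every regular file under root."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                records.append((p, name, sha256_file(p)))
    return records


def match_files(records):
    """Keep only records whose name or hash is on the indicator list."""
    hits = []
    for path, name, digest in records:
        reasons = []
        if name.lower() in BAD_FILE_NAMES:
            reasons.append("known malicious file name")
        if digest in BAD_SHA256:
            reasons.append("known malicious hash")
        if reasons:
            hits.append({"path": path, "name": name, "sha256": digest, "reasons": reasons})
    return hits


def match_history(history_urls):
    """Flag visited URLs whose host is, or is under, a known malicious domain."""
    hits = []
    for url in history_urls:
        host = (urlparse(url).hostname or "").lower()
        if host in BAD_DOMAINS or any(host.endswith("." + d) for d in BAD_DOMAINS):
            hits.append({"url": url, "reason": "known malicious site"})
    return hits


def build_report(root, history_urls):
    """Only matches leave this function; the inventory itself is not retained."""
    records = collect_files(root)
    return {
        "files_scanned": len(records),
        "file_hits": match_files(records),
        "history_hits": match_history(history_urls),
    }


def demo():
    """Run the collection over a constructed directory and constructed history."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "notes.txt").write_text("ordinary research notes")
        Path(root, "Invoice_2017.pdf.exe").write_bytes(b"harmless demo bytes")  # name match
        Path(root, "dropper.bin").write_bytes(b"constructed malicious sample")  # hash match
        history = [  # constructed browser history
            "https://www.wisc.edu/",
            "http://login.phish.example/reset",
            "https://docs.example.org/",
        ]
        return build_report(root, history)


def self_delete(script_path):
    """One-time run: remove the script itself once the report has been produced."""
    os.remove(script_path)


if __name__ == "__main__":
    print(demo())
    if "--self-delete" in sys.argv:  # only when explicitly requested
        self_delete(__file__)
```

The `demo()` run reports three files scanned, two file hits (one by name, one by hash) and one history hit; the ordinary file and the benign URLs never appear in the output, which is the data-minimisation property the FAQ describes. The `--self-delete` flag shows the "not installed, deletes itself after the run" behaviour without making the script disappear on an ordinary run.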
Can I review the final Cylance report for my unit?
If you participated in the data collection, you can request a copy of the findings for your unit by sending a request to email@example.com.
Are there more technical details about the scripts?
Campus departments not using the Cybersecurity BigFix console and participating in the data collection will be given access to the scripts and documentation.