University of Calgary to undergo IT policy update
By Scott Strasser, June 24 2016 —
In response to a recent ransomware attack, the University of Calgary will undergo an IT policy update this summer.
U of C vice-president finance and services Linda Dalgetty gave an IT systems issues update at a town hall on June 24, highlighting the university’s plans to help prevent future cyber attacks.
“This was our first opportunity to really come out before the full community and give them an opportunity to understand not just what happened, but where we’re going,” Dalgetty said.
The U of C’s last IT policy update was in 2007.
The U of C fell victim to a ransomware attack on May 28 2016 — a form of cyberattack that encrypts computer files until a specific sum of money is paid to the attacker. The malware disabled Exchange Email and Skype for Business. The university also temporarily blocked access to Office 365 webmail and the AirUC-Secure wi-fi network while investigating the attack.
In order to regain access to their encrypted files, the U of C paid the equivalent of $20,000 CDN in bitcoin ransom to the unknown source that hacked the university’s computer systems.
Following the attack, the U of C’s IT department advised university students and staff to change their passwords, created over 9,000 new Office 365 email accounts and deployed tools that look at network traffic coming into the university.
According to Dalgetty, the U of C’s IT department found vulnerabilities in the university’s cyber security while investigating the malware attack. One vulnerability was the prevalence of “unmanaged devices” — such as laptops and home computers — used by staff and faculty that had access to the university’s servers.
An unmanaged device is any computer that has access to the U of C’s servers, but was not set up by IT. A managed device is any computer that was bought and set up by IT.
Dalgetty said unmanaged devices won’t be able to access the U of C’s secure servers effective July 1, though they will continue to access public web applications such as D2L, webmail, Employee Self Service and ucalgary.ca
“For those machines we don’t have those protections on — that people bring and plug in to our networks — they will no longer be able to be plugged into the network,” Dalgetty said. “People will still be productive, but they won’t be able to put a [potentially] unprotected machine that has no protection at all on our network that puts the entire community at risk.”
By July 4, faculty and staff will be able to request IT convert their unmanaged devices into managed devices.
Dalgetty hopes all unmanaged devices can be converted to managed devices within 10 business days.
“Within 10 business days we will have them fully within the managed environment,” she said.
Dalgetty said the changes should not impact students unless they are also employed by the U of C.
“[Students] never had access into the managed domain, so there’s no change,” Dalgetty said. “If they’re an employee, they have different access because they’re probably printing, using university administrative devices.”
Dalgetty also said the U of C plans to fully phase out Exchange and Cyrus email and replace them with Office 365 accounts in the coming year.
A previous version of this story identified the ransom paid by the U of C as $20,000 in bitcoin, while it was actually the equivalent of $20,000 CDN in bitcoin. We apologize to our readers for this error.