Learn how Two-Factor Authentication (TFA) protects Federal Student Aid data systems from keylogger threats and safeguards Personally Identifiable Information (PII). Discover the scope of TFA deployment in educational institutions and countermeasures against security breaches.
Two Factor Authentication Protocol and the Protection of PII Steven A. Burke U.S. Department of Education
Project Overview To comply with the White House mandate issued through the United States Office of Management and Budget (OMB), Memorandum M07-16 Attachment 1, and as part of our ongoing efforts to ensure the security of Federal Student Aid data systems, the U.S. Department of Education is required to implement a security protocol through which all authorized users will enter two forms of “authentication” to access Federal Student Aid systems via the Internet. This process is referred to as Two Factor Authentication (TFA).
Postsecondary School Federal Financial Aid Eco-System • 6,400 unique institutions of higher education • Over 3,000 financial partners • Over 90K privileged accounts • Over 70M unique identities • Over 320M loans • Over 96M grants • Supporting students in 35 countries • $1T loan book • Over 13M students • Over 30M aid awards • Over $120B injected into the eco-system each year • FSA • Staff: ~1,300 • Contractors: ~ 10,000 • Services • Aid Apps • Grants • Loan Origination • Loan Servicing • Debt Collection • Compliance
What is a Keylogger? • A pervasive type of malware that can: • Record keystrokes • Read data transferred (even over secure connections) • Take screenshots of the user’s screen • Transmit all stolen data back to a central location • Data stolen usually includes logon IDs, Social Security numbers, bank/credit card information, etc. • The most common keylogger is WSNPOEM • a.k.a. “Banker” or “InfoStealer” • 93% of the keylogger incidents at FSA are WSNPOEM
Response to Keylogger Compromises • Deactivate the user account immediately • Contact the user and inform them what has happened and their required next steps • Review audit logs for any signs of suspicious activity • Unusual logon times; unusual/multiple logon IP addresses; unusual logon activity • At a minimum, go back at least 60 days from the date the account was compromised • Make the user provide evidence that the machine has been cleansed; the account is not reactivated until this has been approved by the FSA Security and Privacy team • Make sure a new password is required before the account is reactivated
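
The audit-log review step above, sketched as an added example (not FSA tooling): it collects one account's logons for the 60 days before the compromise date and reports multiple source IP addresses and off-hours logons. The log format, the field order, the business-hours range and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (timestamp, user ID, source IP); not real log data.
SAMPLE_LOG = """\
2011-12-30T09:00:00 jdoe 198.51.100.99
2012-01-05T09:14:00 jdoe 198.51.100.10
2012-02-20T10:02:00 jdoe 198.51.100.10
2012-03-01T02:47:00 jdoe 203.0.113.77
2012-03-02T11:30:00 jdoe 198.51.100.10
2012-03-03T03:05:00 jdoe 192.0.2.45
2012-03-03T09:00:00 asmith 198.51.100.22
"""

def parse(log_text):
    """Yield (timestamp, user, ip) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def review_account(log_text, user, compromised_on, lookback_days=60,
                   business_hours=(7, 19)):
    """Summarise one account's logons in the look-back window before compromise."""
    start = compromised_on - timedelta(days=lookback_days)
    events = sorted(e for e in parse(log_text)
                    if e[1] == user and start <= e[0] <= compromised_on)
    ips, off_hours = {}, []
    for ts, _, ip in events:
        ips.setdefault(ip, []).append(ts)
        # Unusual logon time: outside the assumed local business hours.
        if not business_hours[0] <= ts.hour < business_hours[1]:
            off_hours.append((ts, ip))
    return {"window_start": start, "logons": len(events), "ips": ips,
            "multiple_ips": len(ips) > 1, "off_hours": off_hours}

if __name__ == "__main__":
    report = review_account(SAMPLE_LOG, "jdoe", datetime(2012, 3, 4))
    print("window starts", report["window_start"].date())
    for ip, seen in report["ips"].items():
        print(ip, len(seen), "logons")
    for ts, ip in report["off_hours"]:
        print("off-hours logon", ts, "from", ip)
```
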
Keylogger Countermeasures • Use one-time passwords or multifactor authentication • Install antivirus and malware protection: • Keep them up to date (set an automatic schedule); free versions are available (AVG Antivirus, Spybot S&D Malware Prevention) • There is specific anti-keylogger software • Do not click on links from unknown, untrusted sources • Enable your firewalls and avoid peer-to-peer sites • Be wary of using public computers, e.g., hotel and library computers
Two Factor Authentication Scope • Provide safe and secure access to FSA network services • Primary systems impacted across the enterprise • NSLDS, CPS, COD, AIMS, PM, FMS, and SAIG • This project encompasses approximately 96K users • FSA employees, Dept. of ED employees • Partners • Postsecondary Schools Destination Point Administrators (DPA) • Guaranty Agencies • Servicers, PCA’s, NFPs • Call Centers, Developers, Contractors, and Sub-Contractors • TFA project is focused on privileged users • A privileged user is anyone who can see more than just their own personal data
What is Two Factor Authentication? • Something that you know is the First Factor: User ID and Password • Something that you have is the Second Factor: Token with a One Time Password • The One Time Password (OTP) will be generated by a small electronic device, known as the TFA Token, that is in the physical possession of the user • To generate the OTP, a user will press the “power” button on the front of the token • A different OTP will be generated each time the button is pressed • Alternative Methods of obtaining OTP without TFA Token: • A) Answer three Challenge Questions online • B) Have the OTP sent to your Smart Phone
TFA Project Phases • Phase 1: To ensure the successful deployment of two factor tokens for FSA – Citrix users: 1,300, completed 5/1/2011 • Phase 2: To ensure the successful deployment of two factor tokens for Department of Education Staff and FSA Contractors: approximately 5,200 users and FSA Contractors, completed 10/28/2011 • Phase 3: International users, Foreign Schools (FS) and Domestic Schools, when logging into FSA systems across 35 countries: completed 12/31/2011 • Domestic users, to ensure the successful deployment of two factor tokens for users when logging into FSA systems: 88,600 users by 12/31/2012 • Phase 4: Guaranty Agencies, TIVAS, Third Party Servicers, Not-for-Profits, Payment Collection Agencies (PCA), and VPN users connecting through Virtual Data Center (VDC)
TFA Deployment Status • Total TFA Tokens Deployed: 32,176 to 35 Countries • Tokens Deployed to Phase III & IV for Partners: 25,594 • System Update: 90% Complete • NSLDS moved behind AIMS, completed on 12/18/2011 • COD TFA enabled on 1/28/2012 • SAIG Enrollment TFA enabled 2/12/2012 • EDconnect TFA enabled 3/4/2012
Attestation/Confirmation Process • For each school, the Primary Destination Point Administrator (PDPA) and the COD Security Administrator need to work together to ensure all users have been identified and receive tokens • Step 1: Confirmation/Attestation • Confirm/Attest to the individuals (unique users) at your school who are authorized users of one or more of the identified Federal Student Aid systems. This confirmation will only be used to determine the TOTAL NUMBER of tokens you will receive • Identify any Third Party Servicer(s) supporting your school • Confirm the physical street address to which tokens should be shipped, and provide a telephone number where we can contact you • NOTE: We cannot ship to PO Boxes
Attestation/Confirmation Process • Step 2: Federal Student Aid Ships Tokens to School • The tokens will be sent to the attention of the PDPA via UPS • Step 3: Token Receipt, Distribution, and Registration • After the tokens are shipped, FSA will send a follow-on e-mail with more information about token distribution and registration • The tokens are to be registered within 7 days of receipt
How do I Register my Token? • Once you receive your token, you must register it for each system that you have access to and use • Each FSA System website will be slightly different when logging in and registering your token • Next Steps: Click on the following link: https://fafsa.ed.gov/FOTWWebApp/faa/faa.jsp Then click on the Register/Maintain token URL on the top right hand side of the screen.
TFA Frequently Asked Questions • Will I be locked out of FSA systems if I don’t have a token? Once your school has been TFA enabled (locked), a token will be required to access FSA systems • I received more tokens than I have authorized users. What do I do with the extra tokens? Each token shipment will include at least one (1) extra TFA token, for use as a replacement for a lost or broken token, or for issue to a new authorized user • I need more tokens. How do I get them? For additional tokens, please send an e-mail to TFA_Communications@ed.gov. We can only send tokens to the Primary DPA • Do I need to provide tokens to my Third Party Servicer? No; however, please indicate the name and point of contact if you have engaged a Third Party Servicer
Support Contacts • Two Factor Authentication Questions: For general questions about TFA E-mail: TFA_Communications@ed.gov • Central Processing System – Financial Aid Administrators (CPS-FAA) Student Aid Internet Gateway (SAIG) Phone: 1-800-330-5947 / TTY 1-800-511-5806 E-mail: CPSSAIG@ed.gov Website: FAA Access CPS Online (https://faaaccess.ed.gov/FOTWWebApp/faa/faa.jsp) • National Student Loan Data System (NSLDS) Phone: 1-800-999-8219 E-mail: nslds@ed.gov • Common Origination and Disbursement (COD) Phone: COD School Relations Center 1-800-474-7268 (for Grants) Phone: COD Direct Loans 1-800-848-0978 E-mail: CODSupport@acs-inc.com • Employee Enterprise Business Collaboration (EEBC) Support Hours: Monday-Friday, 8 AM – 5 PM Phone: 1-866-441-6633 E-mail: eebcservicerequest@ed.gov • eCampus-Based (eCB) Support Hours: Monday-Friday, 8 AM – 8 PM Phone: 1-877-801-7168 E-mail: cbfob@ed.gov E-mail: secarch@ed.gov Website: The eCampus-Based System (https://cbfisap.ed.gov/ecb/CBSWebApp/welcome.jsp)