Educause Security Discussion mailing list archives

Re: [EXTERNAL] Re: [SECURITY] Personal VPN Policy Accessing University Applications


From: "Theodore J. August" <theodore.august () SALVE EDU>
Date: Tue, 6 Oct 2020 16:10:59 +0000

Thanks to all that have replied so far!

I see a lot of similarities on how this type of traffic is being handled by us based on replies.  I’ve definitely 
caught a lot of VPN/proxy logins on the Azure AD logs when investigating low and medium risky user alerts that 
Microsoft is not (yet) aware is an anonymous IP.  We have an IP block list that pre-dated our MFA roll-out, so we add 
them into there when we verify IP ownership.  We also have a white-list rule that we can add users into that bypass 
that IP list once they let us know they use VPN services to access our applications.  If they reach out to our 
Technology Services Center team that they are having issues logging in, we verify the VPN use on their device and 
white-list them.  Some users see they are blocked and disable personal VPN services before accessing our services.

I’m close to discussing with our team whether or not we switch the block list to a MFA challenge list instead.  My 
biggest fear is an end-user, because they are getting more MFA challenges, hitting the “Approve” button in Microsoft 
Authenticator, without verifying *why* they are getting the MFA challenge.  We already had a couple of these instances 
with our current procedures and it concerns us.  This is definitely a user education issue, just like paying attention 
to an admin/UAC challenge is on Windows or Mac, but for many that access our services, cybersecurity awareness isn’t a 
real concern, and MFA is more of an inconvenience than a feature.  Perhaps if we can improve our user education on MFA we can 
adjust policies at that time.

Thanks again for all the great discussion and feedback.

Sincerely,

--
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Dexter Caldwell 
<dexter.caldwell () FURMAN EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, October 6, 2020 at 11:41 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] Re: [SECURITY] Personal VPN Policy Accessing University Applications

We’re seeing the same thing.

We use Azure AD as well, however, this is a timely conversation.  When we receive impossible travel alerts, we reach 
out to the users and verify if they are traveling, using vpn, or other possible things if they are relevant to the 
alert.  With increased remote work, we are finding this to be more of an issue with some employees because they are 
either using security packages that enable vpn’s by default, or because they are simply concerned about security.  
Right now, we’re making a note of these users and are considering requiring or recommending that they enable MFA for 
the application involved if not already and that they report their use of vpn so that we can look up their name on the 
list before deciding whether to call or force a password reset.  We haven’t decided if we’ll still alert or 
periodically ask them to verify yet, but these are a few things we may do.  (Ex, contact them once every year or 6 
months or so to verify they are still using vpn services and we log the date of confirmation so we know how long it’s 
been.)  For example, if we don’t get alerts on them for months, but they’ve been logging in successfully without vpn, 
and then suddenly the impossible alerts start again, that might be something we verify.  We also may have to make notes 
about which devices they are using vpn’s on when we contact them, so that if they have it on mobile, but not on PC, we 
would understand why our alerts would be all over the place.


Dexter Caldwell
Dir. Systems, Networks, Security
Information Technology Services
Furman University



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ken Munro
Sent: Tuesday, October 6, 2020 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Personal VPN Policy Accessing University Applications

Hi.

We don’t prohibit the use of commercial VPNs to access our services. With so many overseas/distance students, I don’t 
think it would be practical to ban them. I think it would be more work to ban them than to monitor their use, in our 
case.

It does make for a lot of false positive investigations, but it hasn’t become overwhelming for us.

We use Azure AD, so I review the impossible travel incidents in the Azure security reports and the Cloud App Security 
reports. I compare the user agent identifiers between logins from different countries. If the user agents differ, I 
will look into it. But if they are the same, then I am assuming it’s a legit user using a VPN.

I have started looking up the IP addresses from the Azure reports on Shodan. In one case, Shodan listed a slew of 
potential vulnerabilities for the server using that IP address. I emailed the student the link to our VPN webpage and 
advised him to use another one. If he continues to use that server, we might do something about that IP.

We do provide advice on our 
website<https://www.msvu.ca/campus-life/campus-services/it-services/it-security/cybersafety/vpn-tips>
 on how to select a (more) reliable/trustworthy VPN service. I am not sure that means we encourage it, but we are 
steering them towards VPNs that have a better reputation.

Cheers.

Ken Munro

________________________________________
Ken Munro
Security Compliance and Training Specialist
Information Technology and Services
Mount Saint Vincent University
166 Bedford Highway
Halifax, NS B3M 2J6
(902) 457-6150
ken.munro () msvu ca
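
The triage rule described in the message above (compare user agents between logins from different countries), sketched as an added example that is not part of the original post or any participant's tooling. The record layout, sample sign-ins and 4-hour window are constructed assumptions, not the Azure AD export format.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sign-in records (not real log data): user, UTC time, country, user agent.
SIGNINS = [
    ("alice", "2020-10-06T09:00:00", "US", "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0) Safari/604.1"),
    ("alice", "2020-10-06T09:40:00", "NL", "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0) Safari/604.1"),
    ("bob",   "2020-10-06T10:00:00", "US", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0"),
    ("bob",   "2020-10-06T10:30:00", "RO", "python-requests/2.24.0"),
    ("carol", "2020-10-01T08:00:00", "CA", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1"),
    ("carol", "2020-10-05T08:00:00", "FR", "Mozilla/5.0 (X11; Linux x86_64) Firefox/81.0"),
]

# Hypothetical threshold: a country change faster than this counts as impossible travel.
MAX_GAP = timedelta(hours=4)

def triage(signins, max_gap=MAX_GAP):
    """Return {user: verdict} for users with a cross-country sign-in pair inside max_gap."""
    verdicts = {}
    rows = sorted(signins, key=lambda r: (r[0], r[1]))  # ISO timestamps sort correctly as text
    for user, group in groupby(rows, key=lambda r: r[0]):
        events = [(datetime.fromisoformat(t), country, ua) for _, t, country, ua in group]
        for (t1, c1, ua1), (t2, c2, ua2) in zip(events, events[1:]):
            if c1 == c2 or t2 - t1 > max_gap:
                continue  # same country, or enough time to have travelled
            if ua1 != ua2:
                verdicts[user] = "investigate"  # different client: look into it
                break
            verdicts.setdefault(user, "likely_vpn")  # same client: assume VPN use
    return verdicts

if __name__ == "__main__":
    for user, verdict in triage(SIGNINS).items():
        print(f"{user}: {verdict}")
```

A matching user agent is weak evidence because the header is supplied by the client, so the verdict is best used to order the review queue rather than to close an alert.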


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Tuesday, October 6, 2020 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Personal VPN Policy Accessing University Applications


I think there's a difference between inbound and outbound VPNs

Inbound - "Aw heck no!" If I find one, I'm shutting it down!

Outbound, there are a number of reasons why someone might want or need to use a VPN to reach out of the university. We 
have a number of faculty that also work for one of the local hospitals, and they need to be able to VPN into the 
hospital to access some of the things there (that they also need for clinicals)

On the student side, it gets a little bit murkier. I can use the same logic for enterprise VPNs, but the commercial 
VPNs I have a much harder time justifying, as typically those are used for bypassing monitoring, and to enable them to 
torrent copyrighted materials.

I don't know that there's a "good" answer

Frank

On Tue, Oct 6, 2020 at 10:26 AM Curt Kappenman <ckappenman () andersonuniversity edu> wrote:
I have been dealing with this same issue for a while now.  My problem has been coming up with a policy that doesn’t 
almost immediately start having exceptions.  I look forward to hearing what others have been able to come up with.

Curt Kappenman
Security Compliance Officer / Systems Technician
316 Boulevard, Anderson, SC 29621
Phone: (864) 231-2850
Help Desk: (864) 231-2457
ckappenman () andersonuniversity edu
www.andersonuniversity.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Theodore J. August
Sent: Tuesday, October 6, 2020 10:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Personal VPN Policy Accessing University Applications

Hello all,

I was just wondering how other higher-ed institutions handle users who access applications using personal VPN services 
such as Express VPN, Cyberghost, etc?  We’re seeing an overall increase in the use of these services, especially on 
mobile devices, from students.  While we appreciate the heightened awareness of privacy and security that members of 
our community are displaying by using these services, it’s also causing lots of false positives for intrusions in a 
number of our detection systems, for obvious reasons.  Right now we handle these on a case-by-case basis, but that’s 
starting to become overwhelming, and we would love to come up with a blanket policy we can socialize to our end-users. 
I’m hesitant to ban them outright, but the anonymous nature of these services makes it extremely hard to filter out 
legitimate use from malicious use.

Thanks in advance for your feedback, and thank you to everyone who participates in this list – it’s enlightening and 
educational to read all the posts whenever I have the time to check-in and catch up!

Sincerely,

--
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
