Cybersecurity Month
As more of our work and data moves off-premises, whether through working from home or through cloud storage becoming the preferred storage method over traditional server infrastructure, VPUE IT has found it necessary to create an information security analyst role, which I will be filling in addition to the application and device support I have provided for years. In May, I earned an MS in Cybersecurity Risk Management from IU and hope to apply some of that knowledge to our real-world work environment.
October is Cybersecurity Awareness Month, and this, its 19th year, feels much different than 2003. Back then, we were furious at pop-ups but weren’t getting them on Chrome, which was not released until 2004. We were saving everything on our local hard drive, maybe a USB thumb drive, or in some cases a local server. Facebook was also released in 2004, and even once it let people outside the Ivy League join, it still required a university email address before it opened to everyone. Nobody was thinking the posts they were reading were part of a disinformation campaign. Gmail required an invitation at first. There was a sense of exclusivity to these early days of Web 2.0. Now, the Internet is the default method of communication. Not only can most forms be filled out online, they must be filled out online. Filing cabinets have been replaced by servers in buildings we don’t have physical access to. A careless click can send gigabytes of data to the wrong party, a far cry from when sending something to the wrong address meant physically putting paper in an envelope and going to the post office.
The ubiquitous nature of the Internet is why cybersecurity needs to be a part of everyone’s life. You don’t need to be a security guard to lock your door when you go to work and you don’t need to be a security engineer to practice cybersecurity basics.
What you can do
Let’s look at four actions you can use in your work and personal life to practice cybersecurity hygiene.
- Think before you click: Recognize and report phishing. I understand it can be frustrating to see news stories about hacks at major companies and wonder how you can possibly stop them from affecting you. Most of these hacks get their initial foothold in the victim organization’s infrastructure through phishing, meaning an employee most likely clicked a link they shouldn’t have, probably in an email. We have seen these attacks at IU, and in some cases they come from a legitimate IU email address. In those cases the account was compromised, probably because the account owner clicked something they shouldn’t have.
  - Question any email that seems too good to be true. Someone you don’t know is giving away free money? I bet they aren’t.
  - If in doubt, email the person or group and ask for confirmation. If you get a strange email claiming to be from HR, for example, look up HR’s email address and email them directly.
  - Hover over the embedded URL to make sure it’s going to the address it claims to. For instance, this URL says indiana.edu, but if you hold your cursor over it you’ll see it goes to ovpue.indiana.edu.
  - Report phishing in Outlook. There is a Report Message icon in the Ribbon (top of the screen by default) in the Home tab. Click it and click Phishing. A window will open. Click Report.
- Update your software: Operating systems and applications have millions of lines of code, and new ways to bypass their security features are routinely found. Keeping them updated is critical. At IU we use SCCM and Jamf to keep software updated.
  - Connect your work devices that you keep at home to Ivanti Secure Access at least once a month. Set a calendar reminder if you don’t use Ivanti Secure Access normally.
  - Work with us if a device isn’t updating. Things happen, and sometimes IT will need to examine your device, either remotely or in person. Working with us in a timely manner can avoid larger issues down the road, such as the device being blocked from the network.
  - Keep your personal devices updated. All of these operating systems have a way to install updates automatically:
    - Windows: https://support.microsoft.com/en-us/windows/update-windows-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a
    - macOS: https://support.apple.com/en-us/HT201541
    - iOS: https://support.apple.com/en-us/HT204204
    - Android: https://support.google.com/android/answer/7680439?hl=en
- Use strong passwords: IU enforces a minimum passphrase length. If you think your passphrase has been compromised, change it immediately.
  - Info on how to change your IU passphrase: https://kb.iu.edu/d/atav

  The thinking on strong passwords used to be that randomly selecting characters was the best way to make a password, but the problem with this is that we can’t remember them, so the password gets written down and used for everything. Size matters for passphrases, so using a sentence you can remember as your password can make a lot more sense than 10 random characters.

  In your personal life, use a password manager. These are applications that let you set one strong main password and then create a new random password for every website you have an account with. You don’t need to remember those passwords; you just log into the password manager and copy/paste the one you need. KeePass is free for Windows. macOS and iOS come with the Passwords app, which will automatically suggest a random password when you’re creating an account on a website. These tools protect you by limiting the scope of each password you use. If you use the same password and username for your bank’s website and for other sites with lax security, a hacker only needs to get your credentials from one of those lax sites to have your bank credentials.

- Enable Multi-Factor Authentication (MFA): This is sometimes called two-factor authentication (2FA) or 2-step verification when two factors are being used, usually a passphrase (something you know) and an authentication app or token like Duo (something you have). Security works best in depth – the more hurdles there are to jump over, the less likely an attack will be successful. You’re already using MFA at IU, and I would urge you to use it on your personal accounts. Some sites you may want to enable MFA on include:
  - Amazon: https://www.amazon.com/gp/help/customer/display.html?nodeId=G3PWZPU52FKN7PW4
  - Facebook: https://www.facebook.com/help/148233965247823
  - Gmail: https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome
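The "hover over the link" check above can also be done programmatically over an email's HTML body. The following is an added example, not part of the original post or any IU tooling: it lists every link whose visible text names a domain other than the one the href actually points to, including the indiana.edu / ovpue.indiana.edu pair from the example above. The sample email body is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # currently inside an <a>...</a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _hostname(text):
    """Lowercased hostname of a URL or bare domain; None if text is not URL-like."""
    text = text.strip()
    if not text or any(ch.isspace() for ch in text):
        return None  # plain words such as "click here", or an empty href
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host and "." in host else None

def find_mismatched_links(html_body):
    """Return (visible text, real hostname) for links whose shown domain differs from the href's."""
    collector = _LinkCollector()
    collector.feed(html_body)
    mismatches = []
    for text, href in collector.links:
        shown, actual = _hostname(text), _hostname(href)
        if shown and actual and shown != actual:
            mismatches.append((text, actual))
    return mismatches

# Constructed sample message body, not a real email.
SAMPLE_EMAIL = (
    '<p>Sign in at <a href="https://ovpue.indiana.edu/">indiana.edu</a>.</p>'
    '<p>See <a href="https://kb.iu.edu/d/atav">kb.iu.edu/d/atav</a> '
    'or <a href="https://example.net/hr">click here</a>.</p>'
)

if __name__ == "__main__":
    print(find_mismatched_links(SAMPLE_EMAIL))  # [('indiana.edu', 'ovpue.indiana.edu')]
```

Links whose text is a plain phrase ("click here") are not flagged, because there is no displayed domain to compare; those still need the manual hover check.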
A note on links: we’re constantly saying don’t click on links and then sending you a lot of links. Banks are particularly bad at this in my experience, as I often get an email from my bank that is basically just a button with a link. They’ve conditioned us to click links and then wonder why hackers have such success with their phishing campaigns. I’m including URLs here that you will have to copy and paste into your browser address bar.
Thanks for taking this journey with me. I know the seemingly constant changes in technology can be hard to keep up with. In a way we’re all tech workers as our jobs require technology to fulfill the mission of our business unit. Having a security mindset in our daily lives will help us and our organization maintain the confidentiality and availability of the data and devices we need to function.
Bonus fun
Here are a couple of podcasts that cover cybersecurity and technology I think everyone would enjoy:
- The Ransomware Files: stories of ransomware attacks and how they were combated. Basically, technology true crime. https://anchor.fm/ransomwarefiles
- Click Here: From NPR and Recorded Future, a cybersecurity company specializing in threat intelligence. https://therecord.media/podcast/