We did it! We made it through October and Cybersecurity Awareness Month. I want to thank everyone who read the weekly articles, checked out the posters, and participated in the Virtual Scavenger Hunt. I want to congratulate Hanna Popa for her successful completion of the hunt and her luck in winning the Monster Clarity 102 AirLinks ear buds. She was one of the eight who completed the entire hunt out of the thirty-three who attempted some part of it.
If you enjoyed the hunt, or you missed it but heard great things about it and wished that you had participated, AND would like us to hold another one, just email firstname.lastname@example.org and tell us. While you’re at it, let us know what information security topics you would like to see addressed here in articles, quick tips, or even live (via Zoom for now) training sessions.
Speaking of live training, here in November there will be another opportunity to attend (via Zoom) live one-hour-ish lunchtime training on account management, covering everything from picking good passwords to using password managers, to enabling multi-factor authentication on all your accounts, particularly your Berry account. The event will be posted to the Event Calendar this week, once a final decision is made on the exact date, so check it out and sign up.
Our primary topic for this month is multi-factor authentication or MFA. MFA is now required for all Berry accounts and the Office of Information Technology (OIT) is rolling it out in phases. You will receive, if you haven’t already, an email detailing when MFA will be enabled on your account and how to set it up. The Network Operations group is holding training on MFA setup via Zoom, so if you have issues with the setup, be sure to attend. Details should be in the email you receive.
Why are we requiring MFA? You could potentially blame it on the coronavirus or COVID-19, but our attempts to require MFA had been in the works for many months before the virus hit our community. MFA places another layer of security on your Berry account, preventing someone who guesses or steals your password from accessing your account. It does this by requiring a second piece of evidence or a second “factor” in addition to your password to prove that you are you. That factor could be a fingerprint, or a temporary six-digit code texted to you or found in an app on your smartphone. In our case, the default second factor is just an approval via an app on your smartphone.
With MFA enabled, when you log in to your account, you will be required to enter your password, then a notification will pop up on your phone asking you to “approve” or “deny” the login request. You just touch “approve” if you are attempting to log in, or “deny” if you see a request when you haven’t tried to log in to your account. Without this second factor, the approval, or if you deny the login attempt, the login fails and the incident is logged so OIT can follow up and mitigate any potential threat to your account. This protects not just your email, but any web-based service you use here at Berry, from VikingWeb to the financial aid portal to the health center portal, so it is vital MFA is enabled on your account.
We’ve mentioned Zoom twice already in this newsletter, and we’re going to circle back to it now. One of the most critical aspects of using Zoom effectively is securing your Zoom sessions from “zoombombers” and others that wish to disrupt sessions. We depend on Zoom far too much these days, so we want to offer some information about how to properly secure your Zoom sessions.
Here is a Zoom document that discusses most of the security settings for Zoom. Don’t be daunted by the fact that it is twelve pages long; there are pictures and cover pages and large type galore. Here are the high points, in a simple list:
- Use the waiting room feature if your meeting is not too large. This lets you control who actually gets into the meeting, albeit manually.
- Use a passcode for all meetings and use randomly generated meeting IDs, NOT your personal meeting ID.
- Only allow registered users to attend. Be careful with this setting, but it is useful if done correctly.
- Lock your meeting. Once everyone who is supposed to attend has arrived, you can lock the meeting to prevent anyone else from joining.
- Know how to manage users during the meeting. Understand the settings to control screen sharing, mute everyone, remove participants, and configure chat and annotation to prevent abuse.
Our current environment can prove difficult to navigate at times, but making sure you know how to manage a Zoom session will go a long way toward making sessions requiring Zoom effective and secure.
One last thing before we wrap up. I want to encourage you to report ALL phishing emails you receive, using the “Report Email as Phishing” button available in the email browser interface (https://mail.berry.edu), on mobile devices using the official Outlook mobile client, and on the desktop using Outlook 2016 (Click-to-run version only) or Outlook 2019 (all versions). Doing so will help OIT protect the community by mitigating dangerous phishing emails identified by you, our first line of defense against phishing.