CAM Week 2 – MFA and Securing Devices

Multi-Factor Authentication and Securing Devices at Home and Work (or School)

This week, as we did last week, we are covering two cybersecurity awareness topics. We’ll discuss securing devices at home and at work (or school) and we will cover multi-factor authentication and why you need it enabled on your account.

MFA

We’re talking about multi-factor authentication (MFA)!

We, as in the Office of Information Technology (OIT), have been talking about MFA quietly for about two years, but now we’re speaking up a little louder. You need to have MFA enabled on your account, now more than ever. Cybercriminals have increased the frequency and intensity of attacks, sending evermore sophisticated emails to try and convince you to click on a link or open an attachment.

If you click on a malicious link and enter your credentials on a fake login page, not having MFA enabled will allow the attackers to take control of your email account. This will also allow them to take control of other accounts and services you use, as your email username and password also grants you access to other resources associated with the college, like VikingWeb and Canvas. With MFA enabled, attackers won’t be able to log in to your account, even with your credentials.

It’s easy to get MFA setup. Simply email computing@berry.edu and request MFA be enabled on your account. You’ll get a response indicating it is active and you will be required to go through the setup process. There is a document available here that goes through the process or you can view a video that explains the process at this Microsoft Stream link. You’ll have to log in with your Berry email username and password to view the video.  The gist of the instructions is that you will need to install an app on your smartphone to be able to respond to MFA requests, then complete the setup process to link the app to your account.

The web page linked above also has a document explaining in more detail why we are doing this and answers some frequent questions, like “should I do this for all my accounts?”. SPOILER: You should! There is a link on this same page to the website Lock Down Your Login which has more information on how to secure your home, device and popular web accounts.

More information about MFA is coming soon. Keep an eye on your emails and the BerryOIT social media accounts on Facebook (@BerryColleOIT), Twitter (@berryoit), and Instagram (@berrycollegeoit).

Securing Devices at Home and Work

2020 saw a major disruption in the way many work, learn, and socialize online. Our homes are more connected than ever. Our businesses are more connected than ever. With more people now working and or attending class from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of. Here are some steps users can take to protect internet connected devices for both personal and professional use.

    • Make sure, as mentioned last week, your devices are all up to date.
    • If you are using a personal machine, not managed by the college, make sure you have up-to-date virus and malware protection installed.
    • Don’t bypass security features of the device…for phones and tablets, this primarily means assigning a passcode to secure them, and for laptops and desktops, this means having a password on all accounts on the systems.
    • If you are using a VPN, be sure it is up to date.
    • Don’t mix your personal files with your school or work files, and don’t make copies of sensitive college data and leave them your personal machine.
    • Following up on that, make sure that you are the only one who can access college data on your personal machine, if it is used by other household members. This may require you to create multiple accounts on the device.
    • Follow all college policies regarding use of OIT resources. If you feel any policy is hampering your ability to work or learn, bring it to the attention of OIT. Violating policy can expose you and the college to risk.

If you are still having difficulty with your Week 1 Virtual Scavenger Hunt answers and can’t get to the second week page, here are a couple more clues.

    • For question one, the types of factors are 1. Something you know 2. Something you have 3. Something you are
    • For question two, the answer is the result of 2 to the 6th power.
    • For question three, LastPass and 1Password are examples of this…
    • For question four, the first word of the example password is a four-legged animal
    • For question five, see the security awareness poster at this link or alternatively the answer is the square root of the answer for question two.

IMPORTANT: You don’t have to resubmit your answers on the week 1 form, but these clues should help you get the correct URL for week 2 of the scavenger hunt.

Finally, even though this post is not about “phishing” emails, per se, I want to remind everyone to please be very careful with unexpected emails, and report any phishing emails using the “Report Email as Phishing” button, available in the mail.berry.edu webmail interface and on mobile versions of Outlook, as well as the traditional Outlook client on PCs and Macs. It’s very important to report these emails using the button and not to simply forward them to Information Security, as this allows us to take action on these emails to protect the community.

 

Photo Credit: Photo by Brina Blum on Unsplash

CAM Week1 – Passwords, Password Managers, and Protecting Connected Devices

Passwords and Password Managers & If You Connect It, Protect It

Welcome to the first week of Cybersecurity Awareness Month! Each week we will discuss two primary topics. One of those topics will be the CAM 2020 “official” weekly topic and the other will be localized for the Berry community. This week, the official topic is “If You Connect It, Protect It”, and the local topic concerns passwords and password managers.

If You Connect It, Protect It

Once we connect a device to the Internet, via a wireless network or cellular data connection, or other method, it is exposed and vulnerable. That’s a terrible way to look at it, but there are stories every day of new vulnerabilities in software and hardware that we use all the time. In 2019 there were over 22,000 vulnerabilities identified, with over 12,000 of those reported and assigned a Common Vulnerabilities and Exposure (CVE) identifier, which is used to identify and promulgate information about the vulnerability.

That 22,000 number is across hundreds of companies and products, but you know the names of some of the most affected companies. They include Microsoft, Adobe, Apple, and yes, even Google. It’s a safe bet that whatever device you connect, it will already have, or will have in the future, vulnerabilities. What to do?

When reputable companies find or are told about vulnerabilities, they create and release updates, unless the software or hardware is no longer supported. We see evidence of this all the time…Windows wants to reboot to install updates, your phone tells you it needs to reboot to install updates. Don’t ignore these warnings, especially when first connecting a device to the network. At the same time, become familiar with what these warnings look like to avoid being fooled by fake update messages in the future.

All of this to say that the most important rule of properly securing connected devices is to keep your devices updated. The first thing to do after you connect something new to the Internet is update it.  On average, newly connected devices are attacked within 5 minutes and are targeted by exploits specific to the device within 24 hours. That’s not much time to go out and get the latest update for the device. Do it quickly!

Passwords and Password Managers

We talk about passwords a lot, for good reason. With all of their inherent flaws, passwords are the de facto way we authenticate to all of our accounts. The average person now has 27 discrete accounts, while people in information technology fields or younger people may have two or three times that many. This means the average person should have at least 27 different passwords, but humans take shortcuts, even when it is dangerous to do so.

One particularly dangerous shortcut people take is to reuse passwords for multiple accounts. Aside from the need to keep them secret, this is the most important rule in properly dealing with passwords – do NOT reuse them. Make sure passwords are unique across all accounts.

Good passwords are also long, complex, and not based on easily located data, like birthdays, pet’s names, high school mascots or other public record information.

How long?

Truthfully, twelve to fifteen characters, minimum.

How complex?

Have a mix of upper and lower case letters, numbers, symbols and even spaces, if an account allows it.

Based on what?

There’s several good ways to do this. If the password must be memorable, try imagining a picture of a favorite place, a scene from a book, movie or TV show, or other vivid image that you won’t forget, or be prone to alter. Pick four or five words that describe that image, string them together, capitalize a word, or all of them, and throw in a number. For example, a memorable scene might include a cowboy trying to stay on a bucking bull in a rodeo. Words to pick from this scene could include cowboy, bull, horns, bucking and a number could be 8 (as in, the cowboy has to stay on the bull 8 seconds to get a score).

The resulting password could be “Cowboy-Bull-Horns-Bucking-8”.

What makes this a good password?

    • It is long – 27 characters
    • It is complex – upper and lower case letters, a number, and symbols

What weakens this password?

    • It is based on words which are all in the dictionary

The length and complexity wildly outweigh the weakness of being based on dictionary words. This would be a great password, but read on for why it is not.

Our awesome example password is no longer a great password because it has been exposed. It has been used as an example and therefore should NOT be used as a password. No length or complexity will ever outweigh the disadvantage of an exposed password. Keep your passwords secret and never share or reuse them.

If you prefer not to create 27+ word pictures for your accounts, your passwords, of course, don’t need to be memorable if they will be stored in a password manager and possibly generated by a password manager. They can be as long, complex, and random as you wish, as you will never have to type them in, or even know them.

Password managers like LastPass, 1Password, BitWarden, and even iCloud Keychain for you Apple-only folks, allow you to use long, complex, and unique passwords for EVERY account you have. You only have to remember one, good, strong password to lock away the rest of your passwords. Visit the sites for the managers above or run a search in your browser for “password manager” and see how many results you get.

There are so many options and in your search results you’ll also find sites that will compare some of the available managers, providing recommendations and showing how they stack up against each other. Some have unique features or are better suited for families. Some may not support all of your devices, so be sure to check that your chosen phone, tablet, or operating system is supported. Be sure to pick a recent review, as vendors continuously attempt to improve their products, pricing and supported platforms. Find one you like, try multiple ones out if you need to. Many have trial periods, others don’t cost anything to use, but may have severe limitations. You are almost guaranteed to find one that matches your needs, wants, and budget.

Virtual Scavenger Hunt

If you missed the information about the Virtual Scavenger Hunt (VSH) in the October newsletter, head over there to read about it, then read the CAM 2020 page, and then the VSH Start Page. It will tell you about the hunt, how to participate, and information about the grand prize.

Good hunting!

If you get stuck in the VSH, be sure to follow Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit) for clues. Other, potentially more important information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check the InfoSec News And Alerts Site for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like training will be posted.

 

Photo Credit: Photo by BENCE BOROS on Unsplash

June News from Information Security

Welcome to the very late June newsletter!

A failure to plan and pre-write the June newsletter, plus a virtual conference during the first week of June, then a frenzy of activity at work, then a couple of vacation days has pushed this edition way past its normal publishing date.

But here we are, still stewing in the social distancing mire, but at least able to do more things, like eat AT restaurants instead of getting food delivered, or, gasp!, going out and picking it up curbside. I hope all of you are healthy and well and have been able to resume some sense of “old normalcy”.

As I mentioned in the last newsletter, phishers, scammers, and the like have been VERY busy trying to take advantage of this time of flux, if not outright chaos. I write this newsletter as cities around the country stagger under the effects of not just the coronavirus, but protests and riots. Both are happening, and many protests that start peacefully are stirred into riots by organized bad actors. I hope you or your loved ones have not been affected…and that’s all I’m going to say about that.

I’ve interacted with several of you about suspect emails over the last few weeks and I appreciate your caution and skepticism. Everything from fake voice mail notifications to fraudulent signature requests have arrived in our email inboxes. Companies continue to improperly care for the data they acquire from us. There are a couple of upcoming breach notifications that I need to finish and publish to the site.

With that said, I encourage everyone to go to Have I Been Pwned to see what data about you has been exposed. Notice I don’t say “IF” data has been exposed, but “what” data has been exposed. It’s easy. Go to the site, put in your email address(es), and be sure you are sitting down when you click “pwned?”. While you are there, sign up to be notified when information connected to your email addresses has been exposed. You’ll have to register each email individually.

As I mentioned in May’s newsletter, all email should be carefully examined. Actually, I said that “almost all emails should be considered suspect” and I stand by that statement. I also said that this was the number one safety tip I could offer during this time. Here are tips two and three.

Most Important Tip #2: Update your devices.

Your device, whether it is a Windows or macOS computer, or an Android or iOS device should be set to automatically update. If you have an undeniable fear of automatic updates, then at least make sure that update notifications are turned on. Then, when Windows or macOS notify you of an update, or your Android or iOS device chime to tell you an update is available, first confirm that it is a real update notification. Update notifications don’t come in your email, nor do they pop up inside your browser. These notifications come directly from the operating system of the device. Examples are shown below:

Windows 10 :

macOS:

Left iOS (iPhone and iPad) and Right Android phone (Motorola, others may vary)

Most Important Tip #3: Use a strong, unique password and multi-factor authentication for every login account you have.

What do I mean by a strong password?

  • At least 13 characters long, 20 is better…
  • Don’t worry about complexity unless the particular site or service requires it.
  • No dictionary words by themselves.
  • Do not use any part of your username or real name/nickname in the password.

What?! Thirteen characters? Twenty characters? Yes. Find a password manager you like and use it to both generate and store your passwords. That means you only need to remember one long password, to open the password manager. Longer passwords are better than short, complex passwords. If you insist on making long passwords that are non-random, don’t use long dictionary words. Use multiple, unrelated words, as explained in the Good Password Guidelines Quick Info article here on this site.

Get multi-factor authentication enabled on every account you can, especially accounts for banks and other financial sites, sites which handle your medical records, other confidential and sensitive sites, and your Berry account.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

 

Photo Credit: Photo by Max Kleinen on Unsplash