Cybersecurity Awareness Month Archive - 2021

Week 1 - Password Best Practices and Multi-Factor Authentication (MFA)

October is Cybersecurity Awareness Month

 

In most cases, the primary mechanism protecting your account is your password. Cybersecurity experts continually identify the use of strong, unique passwords or passphrases as one of their top recommendations. Additionally, you should strengthen an account’s security by implementing multi-factor authentication (MFA) wherever possible.   

What makes a password strong? 

The strength of a password is determined primarily by character length and character complexity. Every extra character in your password increases the difficulty for malicious actors to crack it. Here are a few interesting facts about passwords: 

  • The most commonly used password is…123456.
  • Other common passwords include “password”, “welcome”, and “12345”.
  • If you think having one extra letter or number in your password doesn’t mean much, consider the following:
    • A 6-character password with only letters has over 308 million possible combinations
    • An 8-character password with only letters has over 208 billion possible combinations
    • An 8-character password with upper- and lower-case letters, numbers, and symbols has over 6 quadrillion possible combinations

There is real strength in numbers.  Strong password policies are in place for the benefit of users.   

What's a passphrase? 

We encourage the use of passphrases when possible. Passphrases typically consist of a sequence of unrelated words or phrases. The words/phrases may be separated by spaces and may also incorporate symbols and/or punctuation. While simplistic passwords can be relatively easy for a malicious actor to guess or hack, a well-designed passphrase is almost impossible to crack. When creating passphrases, please keep the following in mind: 

  • Strive for at least four unique words
  • Don’t use common quotes or sayings. The words should be as random as possible.
  • Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.
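The combination counts above and the passphrase guidance can be checked with a small keyspace estimator. The following is an added example written for this page, not code from LSU ITS: it computes how many candidates an attacker must search for a random password over a given character set or a random passphrase drawn from a word list, flags anything on a common-password list, and converts the keyspace into worst-case search time. The 7776-word list size, the 10^10 guesses-per-second rate, the six-entry common-password list and the "8 characters with at least three classes" threshold are assumptions of the example rather than LSU policy.

```python
import math

# Constructed sample of common passwords: the four the page names plus two more
# typical of breach lists. A real checker loads a much larger list.
COMMON_PASSWORDS = {"123456", "password", "welcome", "12345", "qwerty", "letmein"}

# Character-class sizes used for the keyspace arithmetic.
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 33  # the 95 printable ASCII characters minus the 62 letters and digits

# Assumed size of the word list a passphrase is drawn from (Diceware-style lists
# have 7776 words); a smaller list lowers the passphrase estimate.
WORDLIST_SIZE = 7776

# Assumed offline guess rate for a single well-equipped cracking rig.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def password_keyspace(length: int, charset: int) -> int:
    """Number of candidates for a random password of this length over this alphabet."""
    return charset ** length


def passphrase_keyspace(words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Number of candidates for a passphrase of `words` random words from the list."""
    return wordlist_size ** words


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace) if keyspace > 0 else 0.0


def years_to_exhaust(keyspace: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace / rate / (365 * 24 * 3600)


def assess(secret: str) -> dict:
    """Estimate how much searching a secret forces on an attacker.

    Anything on the common-password list is treated as guessable in the first
    few attempts regardless of its length. Two or more space-separated words
    are scored as a passphrase drawn from the word list; anything else as a
    random string over the character classes it uses. The "meets_guidance"
    thresholds (4 unique words; 8+ characters over at least 62 symbols) are
    this example's assumptions, not LSU's published policy.
    """
    words = [w for w in secret.split() if w]
    common = secret.lower() in COMMON_PASSWORDS
    if len(words) >= 2:
        unique_words = len({w.lower() for w in words})
        keyspace = passphrase_keyspace(unique_words)
        report = {"kind": "passphrase", "unique_words": unique_words,
                  "meets_guidance": unique_words >= 4 and not common}
    else:
        charset = charset_size(secret)
        keyspace = password_keyspace(len(secret), charset)
        report = {"kind": "password", "length": len(secret), "charset": charset,
                  "meets_guidance": len(secret) >= 8 and charset >= 62 and not common}
    report.update(common=common, keyspace=keyspace,
                  bits=round(entropy_bits(keyspace), 1),
                  years_to_exhaust=years_to_exhaust(1 if common else keyspace))
    return report


if __name__ == "__main__":
    for s in ("123456", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(s), assess(s))
```

Running it reproduces the page's figures (26^6 is just over 308 million, 26^8 just over 208 billion, 95^8 just over 6 quadrillion) and shows why a four-word passphrase from a 7776-word list (about 52 bits) compares well with an 8-character mixed password (about 53 bits) while being far easier to remember, and why "123456" scores as instantly guessable despite its six characters.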

Use of one password for all accounts 

It is never recommended to reuse the same password across multiple websites, but remembering multiple passwords can be difficult. A common solution is to use a password manager. Password managers store your login information for all of your accounts and can log you in automatically. The password manager encrypts the password database with a master password, which is the only password you’ll need to remember. Most password managers support multiple platforms such as Windows, Mac, iOS, Android, etc. 

What is Multi-Factor Authentication (MFA)? 

Multi-Factor Authentication (MFA) is a security mechanism that provides an additional layer of protection by verifying digital users through at least two authentication factors. There are three common types of authentication factors: 

  • Something you know – This refers to information known only to the user. For example, unique passwords, security questions, PIN codes.
  • Something you have – This refers to something that the user owns. For example, a smartphone or a security token.
  • Something you are – This factor refers to something that is exclusive to the user. For example, biometrics (e.g. fingerprint).

Multi-factor authentication is the most effective way to protect your accounts. With multi-factor authentication, even if a password is compromised, a malicious actor would have to obtain an additional piece of information to gain access. When offered to “enable” or “turn on” MFA on your personal accounts such as Facebook, Amazon or Google, we strongly encourage you to do so. At LSU, MFA is offered for all applications behind Microsoft authentication such as Workday, LSU email, Teams, Box, and Zoom. All users will need to configure two methods for MFA, one as a primary method and a secondary method to be used as a backup. It is recommended that MFA be configured on different devices to ensure that you do not lose access in the event that a device and/or phone number changes.   

Check out these additional resources: 
MFA at LSU 

Password Complexity requirements at LSU 
https://grok.lsu.edu/Article.aspx?articleid=15849 

Other Helpful Links About Passwords: 
https://www.us-cert.gov/ncas/tips/ST04-002 

 

Week 2 – Social Engineering and Phishing


Are you familiar with social engineering and phishing? Can you effectively spot a phishing email? See below to learn more!  

Social Engineering and Phishing

In a social engineering attack, a malicious actor uses human interaction (social skills) to obtain or compromise information about a person or organization. The malicious actor may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by gathering data from unsuspecting people, he or she may be able to piece together enough information to compromise an individual or organization.   
 
The most common form of social engineering is phishing. Phishing emails are an attempt by malicious actors pretending to be a legitimate entity or person for the purpose of stealing private information, such as usernames and passwords, social security numbers, or banking information. To protect yourself, become familiar with the “anatomy” of a phishing email. If you come to know some of the common indicators of a phish, you will be able to spot them more easily.   
 
Please visit the following link to learn more:   
https://www.lsu.edu/it_services/its_security/files/phishing_anatomy.pdf

Note that phishing attacks are not isolated to emails. Attackers may contact you over the phone (i.e. voice phishing, or “vishing”) as well, spoofing numbers that will appear legitimate. Attackers may also utilize cell phone text messages (i.e. SMiShing) to send bogus text messages that appear to come from banks, credit card companies and other legitimate organizations.  
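The “anatomy” indicators described above can be turned into a simple checker. The following is an added example written for this page, not LSU's Cofense Reporter or any ITS tool: given a parsed message it flags a display name that claims the organisation while the sender domain is untrusted, a lookalike sender domain, a Reply-To that differs from the sender, link text that shows one host while the href points to another, lookalike link hosts, urgency wording, and direct requests for a password. The trusted domain `lsu.edu`, the phrase lists and the two sample messages are constructed for the example; the phishing sample uses reserved `.example` hosts rather than any real domain.

```python
import re
from urllib.parse import urlparse

# Assumed legitimate domains for the organisation; subdomains of these are trusted.
TRUSTED_DOMAINS = {"lsu.edu"}

# Wording that pressures the reader or asks for a secret; constructed for the demo.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "action required",
                   "verify your account", "urgent")
CREDENTIAL_PHRASES = ("confirm your password", "enter your password",
                      "provide your password", "send your password",
                      "your social security number")

ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_alike(host: str) -> bool:
    """Untrusted host that borrows the organisation's name, e.g. lsu-edu-support.com."""
    return not is_trusted(host) and any(d.split(".")[0] in host for d in TRUSTED_DOMAINS)


def indicators(msg: dict) -> list:
    """Return the phishing indicators found in a parsed message (dict with
    from_name, from_addr, optional reply_to, subject and an HTML body)."""
    found = []
    from_host = msg["from_addr"].rsplit("@", 1)[-1].lower()
    name = msg.get("from_name", "").lower()

    if not is_trusted(from_host) and any(d.split(".")[0] in name for d in TRUSTED_DOMAINS):
        found.append(f"display name claims the organisation but sender domain is {from_host}")
    if looks_alike(from_host):
        found.append(f"lookalike sender domain {from_host}")

    reply_to = msg.get("reply_to")
    if reply_to:
        reply_host = reply_to.rsplit("@", 1)[-1].lower()
        if reply_host != from_host:
            found.append(f"reply-to domain {reply_host} differs from sender domain {from_host}")

    for href, text in ANCHOR_RE.findall(msg["body"]):
        target = host_of(href)
        shown = TAG_RE.sub("", text).strip()
        # Only compare when the visible anchor text itself looks like a URL or host.
        if URL_LIKE_RE.fullmatch(shown) and host_of(shown) != target:
            found.append(f"link text shows {host_of(shown)} but points to {target}")
        if looks_alike(target):
            found.append(f"lookalike link host {target}")

    text = TAG_RE.sub(" ", msg.get("subject", "") + " " + msg["body"]).lower()
    if any(p in text for p in URGENCY_PHRASES):
        found.append("urgency or threat language")
    if any(p in text for p in CREDENTIAL_PHRASES):
        found.append("asks for a password or other secret")
    return found


# Constructed samples (not real messages).
PHISHING_SAMPLE = {
    "from_name": "LSU IT Services",
    "from_addr": "helpdesk@lsu-edu-support.com",
    "reply_to": "recover@mail-verify.example",
    "subject": "Action required: mailbox suspended",
    "body": '<p>Your mailbox will be suspended within 24 hours. Visit '
            '<a href="http://lsu.edu.account-verify.example/login">https://myLSU.lsu.edu</a> '
            'and confirm your password immediately.</p>',
}

LEGITIMATE_SAMPLE = {
    "from_name": "LSU IT Services",
    "from_addr": "itservices@lsu.edu",
    "subject": "Reminder: password complexity requirements",
    "body": '<p>The password complexity requirements are described at '
            '<a href="https://grok.lsu.edu/Article.aspx?articleid=15849">grok.lsu.edu</a>.</p>',
}

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(label, indicators(sample) or ["no indicators"])
```

A checker like this is a teaching aid, not a filter: the legitimate sample mentions passwords and still produces no indicators because it makes no request and every host is under the trusted domain, while the phishing sample trips most checks at once. In practice the link-text mismatch is the indicator worth learning to spot by hand, since it is visible by hovering over a link before clicking.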

General Recommendations  

  • Learn the common indicators of phishing emails.
  • Do not click on URLs from unknown sources.
  • Always ensure that your computer has the latest security updates and patches to reduce the chances of a vulnerable system being compromised or infected.
  • Enter sensitive data on secure, trusted websites only.
  • Never email confidential or financial information.
  • Be suspicious of all unknown callers and text messages.
  • Don't inherently trust caller ID. Remember, telephone numbers can be spoofed, i.e. the number on caller ID may not be the actual number calling you.
  • If you are unsure about a caller, ask lots of questions. If a caller is asking for personal information or wants you to purchase something, ask for company information and inform them that you will call back. You can search for the company and their customer support number to call back and confirm.
  • Never respond to suspicious text messages.
  • Only approve multi-factor authentication requests if you are actively logging in to your account(s).
  • Never share your MFA token, code, etc. with anyone else.

NOTE: LSU will never ask for your password over a phone call or e-mail.

What if you have been hooked?  

If you believe you have fallen for a phish, please take the following actions:  

  • If you accidentally shared your username and password, please change your password immediately. (NOTE: The new password must be unique and should not have been used anywhere else. If you use the same password for different services, you must change passwords for other services as well) 
  • If you shared your banking (credit card, debit card, bank account number, etc.) information, please reach out to your financial institutions immediately and take the necessary steps as recommended by the respective institution. 
  • If you shared any other personally identifiable information (Social Security Numbers, Date of Birth, etc.) you should take necessary steps to monitor your credit for any unauthorized changes. It is also a great idea to place a freeze on your credit with all credit bureaus.  

Check out these additional resources:  
Reporting a Phish at LSU: Use Cofense Reporter to report a phishing e-mail to the LSU IT Security team - https://grok.lsu.edu/Article.aspx?articleid=19636

If Cofense Reporter is not an option available to you, please report phishing messages to LSU IT Security team as outlined here:  https://grok.lsu.edu/Article.aspx?articleid=17107#Reporting   

 

Week 3 – Incorporating Cybersecurity Into All We Do  


You do not have to be a cybersecurity expert in order to protect yourself. Adopting a cybersecurity mindset and incorporating it into everything you do can help keep your information safe.   
 
Secure Your Technology with Updates  

Operating system and software application updates are critical to your digital safety and cyber security. Software updates help improve performance, reliability, and security. Keep your systems and applications up to date as much as possible. Click the links below for more information. 

Windows update: FAQ  
Update Your Mac device 
Keep your computer secure at home  
Protect your computer from viruses, hackers, and spies  

Use Social Media Responsibly   

Social media can be enjoyed when used responsibly, but always be mindful of oversharing information. You may think you are only sharing within your trusted circle of friends and family, but your posts can be shared without your knowledge or your permission. Click the links below to learn more about cyber security for social media, risks and challenges, and solutions to social media threats.  

Social media cybersecurity  
Navigating the social media world safely   
Social media safety tips  

Understand the Risks of Public Resources  

Public Wi-Fi 

Public Wi-Fi networks can be found in places like coffee shops, hotels, or even grocery stores. While connecting to a free public Wi-Fi network can feel like a great perk, it is important to understand the risks involved with doing so. Malicious actors may create public Wi-Fi access points of their own, and then take advantage of users who join. Malicious networks may capture your sensitive data, such as usernames, passwords, financial information etc.   
 
Here is what should be considered before connecting to a public network:   
 
1. Avoid public networks if possible – in general, avoid public networks. Consider using a mobile phone as a hot spot if that feature is available to you. 

2. If you must join, verify the network and password with a trusted source. That trusted source could be an employee, a barista, or a librarian. Always confirm the Wi-Fi information before connecting to an access point. Once connected, consider using a VPN solution if you have one available to encrypt your network traffic.

3. Be mindful of your activities – if you must connect to a public Wi-Fi network, avoid accessing anything sensitive such as logging on to your bank account, email account, or any other site requiring your password or other sensitive information.   
 
More info: 
 
Wireless network security tips  
How to safely use public WiFi networks 
Public WiFi quick tips 

Public Computers 

Public computers are not as safe as personal computers because users do not know whether the machine has updated security protections, such as antivirus software. Also, users do not know whether previous users installed malicious software such as keylogger software or hardware which captures all passwords entered on the machine. Given these risks, ITS recommends the following:  

1. Avoid conducting any sensitive transactions on public computers.  
2. Do not allow the browser to save your user credentials (i.e. username and password). 
3. Do not leave the computer unattended while it may be displaying any of your personal information. 
4. Log out of the computer when done.  

 

Week 4 - Security Services and Training Offered by ITS


Effective cybersecurity requires participation from all LSU students, faculty and staff. To assist you in achieving the best possible security posture, ITS has many resources available in the form of IT services, training and awareness content.  

IT Security Services  

  • Phishing Analysis
  • System Security Reviews
  • General Security Consulting
  • Security Incident Response  
  • MFA 

Phishing Analysis  

To combat phishing, the primary tool available to students, faculty and staff is the Cofense Reporter application. The application is directly incorporated into all LSU mailboxes (i.e. Outlook desktop, mobile, and web mail). Should you ever receive a suspicious email, you can quickly and easily report it to ITSP using Cofense Reporter, and ITSP will investigate the situation.  

More Phishing info can be found here - https://www.lsu.edu/it_services/its_security/phishatLSU.php  
 
System Security Reviews  

If you are setting up a new departmental server or perhaps you have an existing server that you’d like to ensure is properly secured, ITS can help. Please submit a Security Consulting request with details about your server and members of ITSP will help review and harden your security posture.  
 
General Security Consulting 

If you have any questions at all pertaining to cybersecurity, ITS offers security consulting services to all students, faculty and staff. Security consulting can be requested through the ITS Team Dynamix Portal Security Consulting Service.  

Incident Response 

In the event that you experience a cybersecurity incident (e.g. system breach, account compromise, unauthorized access, data security breach, equipment theft etc.), ITS is here to help. All security incidents should be reported to the IT Security team through the Team Dynamix Portal Incident Response Service, via email at security@lsu.edu, or you can also reach out to ITSP personnel directly. Per PS-114, Security of Computing Resources, potential incidents must be reported immediately.  

MFA  

Multi-factor authentication is the most effective way to protect your accounts. With multi-factor authentication, even if a password is compromised, a malicious actor would have to obtain an additional piece of information to gain access. At LSU, MFA is offered for all applications behind Microsoft authentication such as Workday, LSU email, Teams, Box, and Zoom. All users will need to configure two methods for MFA, one as a primary method and a secondary method to be used as a backup. It is recommended that MFA be configured on different devices to ensure that you do not lose access in the event that a device and/or phone number changes.   

Check out these additional resources:

 MFA at LSU 

Security Training and Awareness

Security training and awareness can help lower security risk to LSU and potentially prevent security incidents that result in the loss of personally identifiable information and intellectual property. To increase security awareness, a security training and awareness course is available to everyone on Moodle. You can self-register and complete the training within an hour.  

The Security Training and Awareness Course can be found here - https://www.lsu.edu/security_training