Blog from October, 2018

Employee Email List Use and Etiquette



Communicating by email between employees and departments is an important institutional activity, and email "distribution lists" (DLs) make group communications easy. Here is a reminder about the proper lists, the types of messages, and who is able to send messages to which list.


!Official Faculty/Staff Announcements

This list includes the sub-lists !Official Faculty Announcements and !Official Staff Announcements.

  • Use for all official departmental and campus announcements (not !Faculty Forum and !Staff Forum -- see below).

  • Only approved senders can send to these lists.
  • Membership is updated nightly based on Banner employment data.
  • The lists will appear in the Global Address List (GAL).
    • Use a sub-list if more appropriate for your audience and message.
  • Intended for SPU official business or academic announcements, communications, events, and activities.
    • Carefully review and proofread all messages (typos, dates/times, locations).
    • Refrain from multiple messages about the same event or activity (once or twice is sufficient).

!Faculty Forum

  • Membership is updated nightly based on Banner employment data.
  • A free-flow dialog and discussion among list members about topics of interest to the list membership. Only list members can post or receive.
  • Also allows posting of more personal messages (non-SPU events of interest, ticket exchanges or resale, etc.).

!Staff Forum

  • Membership is updated nightly based on Banner employment data.
  • A free-flow dialog and discussion among list members about topics of interest to the list membership. Only list members can post or receive.
  • Also allows posting of more personal messages (non-SPU events of interest, ticket exchanges or resale, etc.)

As with any shared resource, some guidelines apply. If you are not sure, please ask.


SPU will NEVER ask you to send your login credentials or other personal/confidential information via email. Your account credentials should not be shared with anyone.

Passwords... Your First Line of Defense!

Passwords can be inconvenient, but they’re important if you want to keep your information safe. Protecting your personal and work information starts with STOP. THINK. CONNECT.: Stop and take security precautions, Think about the consequences of your actions online, and Connect to the Internet with peace of mind. Here are some simple ways to secure your accounts through better password practices.


Four Rules Of Password Security

  1. Choose a strong complex password or passphrase.
  2. Don't share it with others, ever!
  3. Change it occasionally - immediately if you suspect someone has stolen your password. 
  4. Don't use the same password for different online accounts. Use a unique password for each account.

Make Your Password A Sentence

A strong password is at least 12 characters long, so the general rule is to create a short pass-phrase. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love my SPU!”). Here are a few additional tips once you have a good pass-phrase:

  • Add complexity by using upper and lower case letters, numbers, and special characters such as !@#$%^&*()?/[]\ (for example, the password "spufalconsarenumberone" can be made stronger by adding complexity such as "SPUFalconsare#1").
  • Add a letter(s) at the end of your base password to make the password unique for each account, such as: SPUFalconsare#1FB  (for your Facebook account)

Test your password strength with a Password Checker

Use Two-Factor Authentication

Two-Factor Authentication (2FA), also called Multi-Factor Authentication (MFA), combines something you know (your password) with something you have (like a mobile device or a security dongle), or something you are (like a fingerprint or an eye scan). Many banks and online services (Facebook, Apple iCloud, Microsoft, DropBox, etc.) are providing optional (or even mandatory) multi-factor authentication for accounts. Take advantage of these tools. It will make your access much more secure.

SPU offers 2FA to Faculty, Staff, and Student Employees to secure sensitive data.

Use A Password Manager

Keeping track of different passwords for all your online services can be a big challenge. Consider using a Password Manager application or service. Password managers integrate into most web browsers and mobile devices making them much easier to use. There are many to choose from. Here are a few that SPU staff use:

LastPass  • 1Password  • KeePass

Passwords at SPU

Changing Your SPU Password

At SPU, the same Username and Password are used for most campus resources: Banner, Canvas, Webmail/Outlook, network access, etc. You can change this password through the Banner Information System.

  1. Log in to Banner with your SPU username and password
  2. Select the Personal Menu → Computer Accounts Menu
  3. Choose Change Your Password
  4. The password sync takes about 15 minutes to be in effect for all SPU resources.
  5. After you change your password, make sure you update it on any device that might store the password (phones, tablets, etc.).

Store an External Email Address in the Banner System

There are times when you forget your password or need to reset your SPU password online. SPU can use an alternate/non-SPU email address to help you reset your password if there is one stored in Banner. As an added security measure, you will receive email notifications to your Non-SPU account advising you of SPU password resets, Direct Deposit changes, and Location Tracking notifications.

  1. Log in to Banner with your SPU username and password
  2. Select the Personal Menu → Personal Information Menu
  3. Choose Update Email Address
  4. Then ADD, CHANGE, or DELETE your NON-SPU email address(es).

Location Tracking for SPU Credential Use

When you log in to selected SPU online services (like Banner, Canvas, the SPU White Pages, and several others) you will be notified via email if the network LOCATION of that connection has never been used by you before.

The email message will provide an approximate location (if it can be determined), time, and online service accessed. If you recognize the general location and time identified in the email alert, you can disregard the notice. If you do not recognize the location, or if the login was NOT YOU -- your SPU credential could be compromised. Reset your SPU password immediately and contact the CIS HelpDesk at 206-281-2982 or help@spu.edu if you have any questions or concerns.
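A sketch of the first-seen-location check described above, as an added example rather than SPU's own implementation. It assumes a "location" is the source address reduced to its /24 (IPv4) or /48 (IPv6) network; the login events, usernames, and geolocation table are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed geolocation table (assumption); key is a documentation-range network.
APPROX_LOCATION = {"198.51.100.0/24": "Seattle, WA (approximate)"}

# Constructed login events: (username, time, service, source IP).
SAMPLE_LOGINS = [
    ("jdoe", "2018-10-01T08:02", "Banner", "198.51.100.23"),
    ("jdoe", "2018-10-01T12:40", "Canvas", "198.51.100.77"),
    ("jdoe", "2018-10-03T03:15", "Banner", "203.0.113.9"),
    ("asmith", "2018-10-03T09:00", "SPU White Pages", "198.51.100.23"),
]


def network_key(ip):
    """Reduce an address to the network treated as one location (assumed /24 or /48)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def new_location_alerts(events, known=None):
    """Return one alert per login from a network that user has never used before."""
    seen = defaultdict(set)
    for user, nets in (known or {}).items():
        seen[user].update(nets)  # history carried over from earlier logins
    alerts = []
    for user, when, service, ip in events:
        key = network_key(ip)
        if key in seen[user]:
            continue  # location already used by this user: no notice
        seen[user].add(key)
        alerts.append({
            "user": user, "time": when, "service": service,
            # The notice carries an approximate location only if one is known.
            "location": APPROX_LOCATION.get(key, "unknown"),
        })
    return alerts


if __name__ == "__main__":
    for alert in new_location_alerts(SAMPLE_LOGINS):
        print(alert)
```

History is kept per user, so a network that is familiar for one account still triggers a notice the first time another account logs in from it.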

If you forget your SPU password and need help to reset it, you can go to: http://spu.edu/findmyid/ for assistance.


A reminder that SPU will NEVER ask you to send your login credentials or other personal/confidential information via email. Your account credentials should not be shared with anyone.

SPU has seen an alarming increase in the number of attacks targeting the SPU community and computing systems in the last year (see blog posts: Password Safety Reminder and Mandatory Password Reset). Incidents of data loss and fraud are impacting increasing numbers of SPU employees.

External auditors and insurance providers have strongly recommended SPU provide Two-Factor Authentication (2FA) to all SPU Faculty, Staff and Student Employees. Enabling 2FA protects you and the sensitive personal, student and financial data you have access to.

What is Two-Factor Authentication?

Two-Factor Authentication is a process by which you use both a password (something you know) and a registered security device such as a smart phone (something you have) to log into services. It has become a common practice for many services (Facebook, Google, banks, etc.) to offer, or even mandate, 2FA for user accounts. This technology ensures that even if a malicious user manages to acquire your account password, they will still be unable to log into the account without the something you have as well.

See this two-minute video from Duo Security for more information on what 2FA is: https://www.youtube.com/watch?v=0mvCeNsTa1g

How it Works


CIS has worked to make this additional security layer minimally intrusive in your day to day. When you enable 2FA and log in, you will be prompted to "authenticate" the login. The most common way to do so is to use an app installed on your smart phone, as demonstrated in this 20-second video on the right.

Enrolling in Duo 2FA

There are three steps to initially setting up your account to use 2FA:

  1. Request the Duo 2FA Resource
  2. Setup 2FA Device
  3. Register Duo Account

For instructions and a video walk-through of how to set up your account for 2FA, see our Enrolling in Duo 2FA wiki article.

Services Protected by 2FA

All services that use SPU's Single Sign On (SSO) platform through login.spu.edu and all Microsoft Office 365 (O365) services are now protected by 2FA. Other services that authenticate using different methods cannot be configured to use 2FA at this time. CIS is currently exploring 2FA support for many of these products to secure them as well.


CIS HelpDesk Support and Hours

We're here to help! For more information about 2FA at SPU, please see these articles or contact the CIS HelpDesk: help@spu.edu

Office Hours 
Monday - Friday 7:30 a.m. - 5:00 p.m.

Extended Hours
(Telephone, email and classroom support, office visits by appointment)
 
Monday - Thursday 5:00 p.m. - 9:00 p.m. 
Saturday 9:00 a.m. - 1:00 p.m.


Your mobile devices – including smartphones, laptops, and tablets – are always within reach everywhere you go, whether for work, travel, or entertainment. These devices make it easy to connect to the world around you, but they can also pack a lot of info about you, your friends and family, and your employer. This includes information like access to your social media accounts, contacts, photos, videos, emails, location, health and financial data, and sensitive work-related data. It is important to use your mobile device safely!

The first steps are to:
  • STOP: make sure security measures are in place
  • THINK: about the consequences of your actions and behaviors online
  • CONNECT: enjoy your devices with more peace of mind

YOUR PERSONAL INFORMATION IS LIKE MONEY. VALUE IT. PROTECT IT.


Secure Your Devices

Use strong passwords or Touch ID features to lock your devices. If your device is lost or stolen, these security measures can help protect your information, keep prying eyes out, and even aid in locating/recovering the gadget.

  • Authentication: Configure a strong password or pin and set up a fingerprint login or face ID. Also enable auto lock on your device so it will require authentication if you leave it unattended.
  • Back up your data: Make sure to regularly back up your device. Many mobile devices are lost, stolen, or broken, and you don't want to lose those important photos and files.

Securing Your Phone/Tablet

All phones and tablets come with reliable ways to secure them - but you may need to take action to enable these features. Here are a few tips:

  • Find a lost device: Install and/or configure applications like Find-My-iPhone or Locate-My-Droid. If your device is lost or stolen you may be able to quickly find and recover the device.
  • Remote erase: Enable the remote wipe or the remote data deletion option on your device to protect data if your device is lost.
  • Hacking / jailbreak: Don't "jailbreak" your device. This often removes many of the security precautions put in place by the manufacturer or wireless carrier.

Securing Your Laptop

  • Encryption: Make sure your laptop hard disk is encrypted to ensure a thief can't get access to your data if your device is lost.

    All University-owned computers are encrypted to protect sensitive student and institutional data.

Keep Your Device Clean

Automate software updates: Mobile devices are just as vulnerable to malware as a regular computer. Fortunately, many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.

Keep security software current: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.

Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.

Delete when done: Many of us download apps for specific purposes, such as vacation planning, and no longer need them afterwards. Or, we have previously downloaded apps that are no longer useful or interesting to us. It is a good security practice to delete apps you no longer use.

Get Savvy About WiFi

Public WiFi is not secure, which means that anyone can potentially see what you are doing on your mobile device while you are connected. This includes WiFi offered in coffee shops, restaurants, hotels, etc., and company guest WiFi (like SPU-Guests at SPU). Limit what you do on public WiFi and avoid logging in to key accounts like email and financial services while on these open networks. Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection on the go.  When using Public WiFi, take some precautions:

  • Use secure sites: When banking and shopping, ensure the site is security enabled. Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information. “http://” is not secure.
  • Stay up-to-date: Update your operating system, firewall and virus protection regularly. You are exposed to a much higher level of potential risk on a public WiFi connection. Protect yourself beforehand.

SPU WiFi Security

The SPU-Wireless network is secure, requires authentication, and encrypts the data that travels through the air to prevent hackers from listening in on your communications. The SPU-Guests network is not secure and is provided as a convenience for university guests only. SPU students and employees SHOULD NOT use SPU-Guests. If you are connecting to SPU-Guests, use this opportunity to change to SPU-Wireless: How to use SPU's Network and Internet.

Safeguard Yourself Against Theft

While phones are common, they also command a high price on the black market. Record the device's make, model number, serial number (the IMEI, MEID, or ESN #), and contact information for your carrier. Immediately report a device theft to your carrier and law enforcement. If lost while on campus, contact the Office of Safety and Security (206-281-2922). Working with CIS, OSS may be able to locate the device if it is still connected to the campus network.

Phishing / Scams on Mobile

Multiple research studies have shown you are three times as likely to be tricked by phishing and scams when using a mobile device. Review any suspicious messages more closely from a laptop or desktop. If that is not an option, learn how to verify the address of an email sender and how to inspect links on your mobile device.

A reminder that SPU will NEVER ask you to send your login credentials or other personal/confidential information via email. Your account credentials should not be shared with anyone.


Statistically, 10-15% of you will be "phished" or scammed online this school year, exposing you to fraud, identity theft, and financial risk. Computer and Information Systems works hard to protect members of the SPU community; we block between 4,000 and 12,000 malicious emails every day, but some messages inevitably get through. Be cautious and know what to look for!



Spotting Malicious Email

A malicious email may look like it comes from legitimate sources like the Helpdesk, the "IT Dept," an SPU employee, a financial institution, an e-commerce site, a government agency, or other service or business. It often urges you to act quickly, because your account has been compromised, you'll lose access to a resource, your order cannot be fulfilled, or there is another urgent matter to address.

If you are unsure whether an email request is legitimate, try to verify it with these steps:

  • Beware of clickable links that redirect you to another web site. Always be cautious. Use the "hover" technique to inspect links in email messages.
  • Contact the person or company directly – do not reply to the email, but instead use contact information provided on an account statement, the company’s official website, or other official resource to reach out and verify the authenticity of the email.
  • Search for the company online – but not with information provided in the email.

Phishing

"Phishing" is the name given to email messages that try to trick you into giving up your username and password. Phishing scams often involve highly specialized attacks against specific targets or small groups of targets to collect information or gain access to protected systems. Cybercriminals have launched spear-phishing attacks against SPU in the past in order to steal credentials to view student data, re-route paychecks, or steal financial aid. Once your account is compromised, the attacker may use your email account to phish others at SPU. Since SPU email addresses look more authentic to us, the phish will prove more effective in compromising others.

Scams and Fraud

Scams are different from phish in the sense that scams typically involve money - your money. As one would expect, scams increase in frequency and impact every year. Scammers know what they are doing and are intent on tricking you: they may offer you a job, ask you to transfer money for some sympathetic cause, ask you to send them gift cards, or solicit sensitive information about you or others. Often they'll pretend to be someone you know. Here are some examples of how you can combat the threat of scams and fraud:

  • Enable filters on your email programs: Most internet service providers (ISPs) and email providers offer spam filters and ways for you to mark an email as spam. Be careful with this, however, as you may end up blocking emails you want if the filtering is too strict. It’s a good idea to occasionally check your Junk and Spam folder to ensure the filters are working properly.
  • Report Scams and Fraud:  If you come across anything suspicious, please refrain from responding; alert Computer and Information Systems by forwarding the message to help@spu.edu.
  • Own your online presence: Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information. 

Reporting Fraud

To report a scam, file a complaint online with the Federal Trade Commission. Check out their video on how to report scams and more ways to avoid fraud. You can also report fraud to the FBI Internet Crime Complaint office.

Report Phishing and Scams on Social Networks

Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts. Here are ways to report spam and phishing on major social networks:

Tips for Avoiding Being a Victim

  • Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in an email.
  • Do not send anyone confidential documents via email unless they are encrypted.
  • Before sending or entering sensitive information online, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.

Use the "Hover" Technique

Many phishing messages include links that send the user to a malicious website or a fake login page. Hover over the web links with your mouse to inspect the web site address BEFORE YOU CLICK! For example, the printed URL and the actual destination address may not match.

What to Do if You Are a Victim

  • If you think you might have fallen for a scam and exposed your SPU username and password, immediately go to the Banner System (Personal Menu → Computer Accounts Menu → Change Your Password) and reset your SPU password.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately.
  • Watch for any unauthorized charges to your account.
  • Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Center.

STOP.THINK.CONNECT.™ Tips

  • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
  • Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys, or a unique one-time code through an app on your mobile device (all examples of Two-Factor Authentication, or 2FA). Your usernames and passwords are not enough to protect key accounts like email, banking, and social media.

Visit the STOP.THINK.CONNECT website for more tips.

CIS HelpDesk Support and Hours

We're here to help! Stop by the CIS HelpDesk in Lower Marston Hall or give us a call.

Office Hours 
Monday - Friday 7:30 a.m. - 5:00 p.m.

Extended Hours
(Telephone, email and classroom support, office visits by appointment)
 
Monday - Thursday 5:00 p.m. - 9:00 p.m. 
Saturday 9:00 a.m. - 1:00 p.m.
