Setup and Multi-Factor Authentication
Here at SPU, MFA is a requirement for your account. This is because, while it’s not a “silver bullet,” it still provides additional security and verification, such as a code sent via text message or email, or biometrics like a fingerprint or facial recognition; it helps confirm our identities when logging in.
Just because you receive a prompt or notification for approval, doesn’t mean it’s always you who is logging in. It’s still important that when you receive notifications that you check and make sure you know why you’re getting a prompt and if it’s something you expect to have happen.
Setting up MFA aka a.k.a. Two-Factor Authentication is a step in the right direction towards protecting yourself and those around you.
Consider turning MFA on for all email accounts, banking, social media, online shopping, and any other location where information about your identity might be stored.
We hope these tips we shared with you today help you stay safter online. Stay tuned throughout October for more ways you can stay safe in our digital world.
As a reminder, CIS will never request your password or other protected information via email.
Keeping your Computer Secure - October 14, 2024
Today we’re going to cover tips on how to keep your personal computer update to date, which is also a way to keep your data safe & secure.
Regularly Install Operating System Updates
Ensuring your device has the latest Operating System (OS) updates is important. If you’re like us, you also have a personal computer and that means you’re the person in charge of determining when and how often you update your computer. By setting your updates to install automatically, you can ensure you have the latest security patches.
Updates not only keep your device working well, but they help close security loopholes and keep you save. Click the links below to learn how to check for updates yourself and ensure you have automatic updates set up.
https://support.apple.com/guide/mac-help/keep-your-mac-up-to-date-mchlpx1065/mac
Encrypt your Computer’s Hard Drive
Encryption is one way to ensure your data is secure and that someone can’t get to your data even if they extract the hard drive from the computer. This is the case for both Windows and Mac users, but if you want to keep your personal data secure, enabling hard drive encryption is one way you can protect yourself from unauthorized access.
Watch this video about BitLocker (Microsoft’s Encryption tool) to learn more about how it works: https://youtu.be/iX8QC2pRuYM?si=5qtlfugkpzByApRu
It’s important to ensure if you turn encryption on, that you read through all the documentation and have your encryption key backed up in a secure location. Without this key, your data may be lost.
https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf
https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac
Keep your Software Up to Date
In addition to keeping your operating system up to date, it’s also important to ensure the software you install on your computer is also kept up to date. Often, you can do this by choosing automatic updates in the application’s menu interface, but if automatic updates aren’t available, add a quarterly reminder to your calendar or task list to check for updates.
https://www.google.com/chrome/update/
Other ways to Keep your Computer Secure
Operating systems have a variety of features that can help you keep your data safe & secure. These might be tools like Microsoft Defender, great for scanning your system for malicious software, firewall settings to prevent unwanted internet traffic and connections to your computer
Stay Protected with Windows Security
https://www.apple.com/macos/security/
https://support.apple.com/guide/security/welcome/web
Install Software from Known Vendors
It’s important to know what you’re installing on your computer and where it comes from. By default, both Mac and PC devices require installation packages to be “digitally signed” by the vendor. You can override these settings and install applications from other places, but it’s still important to properly vet your software choices, paying attention to not only if the company is reputable, but also their Terms of Use & Privacy statements.
https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unknown-developer-mh40616/mac
If you bought a Windows 11 PC in “S” Mode - which only allows apps from the Microsoft Store, you’ll need to switch out of “S” mode. Please note this is a One-way change. You can learn more at https://support.microsoft.com/en-us/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85
Retire Old Software & Systems
We all want to save money and often we think of computers in similar terms to the way we think about cars; use it and get as much life out of it as possible before selling it. Unfortunately, this mindset can lead to insecure systems because as the device ages, it will get to a point where the company no longer supports it or creates security patches for it. All software has a life cycle and it’s important to be aware of these, so you can know when to prepare to change software versions or upgrade to a new device with the latest operating system.
One major change that we know about, is Windows 10 coming to the end of its life cycle. As noted by Microsoft on their site: https://learn.microsoft.com/en-us/lifecycle/products/windows-10-home-and-pro on October 14, 2025, there will be no further major releases or monthly patching. If you haven’t thought about upgrading your personal PC yet, now is a good time to start planning that process.
https://learn.microsoft.com/en-us/lifecycle/
https://support.apple.com/en-us/100100
Exploring Phishing and Social Engineering Attacks - October 21, 2024
Last week we talked about your computer and ways you could keep the device safe and secure. This week let’s dive into Phishing and Social Engineering a bit more.
What is Social Engineering?
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information from an organization or its computer systems. This even happens at SPU. The attacker may seem unassuming and respectable. They may even claim to be someone you know or a name you recognize, maybe even a position or job title that sounds legitimate. Just by asking questions, they may be able to piece enough information together to try to infiltrate and if they can’t get what they need through one avenue, then they’ll try another.
What is a Phishing Attack?
A phishing attack is a form of social engineering - these attacks typically utilize email or malicious websites to solicit information by posing as a trustworthy organization or person. For example, an email you receive may appear to be from a bank or other reputable company; sometimes a person offering a job. When you respond, attackers then gain access to all of the accounts and information you shared and, in some cases, may use this information to threaten you.
What are Common Indicators of Phishing Attempts?
Suspicious sender's address. The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
Generic greetings and signature. Both a generic greeting—such as "Dear Valued Customer" or "Sir/Ma'am"—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
Spoofed hyperlinks and websites. If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
How do you Avoid Being a Victim?
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Don't send sensitive information over the internet before checking a website's security. (See Protecting Your Privacy for more information.)
Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with "https"—an indication that sites are secure—rather than "http."
Look for a closed padlock icon—a sign your information will be encrypted.
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group. (See the APWG eCrime Research Papers).
Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls for Home and Small Office Use, Protecting Against Malicious Code, and Reducing Spam for more information.)
Take advantage of any anti-phishing features offered by your email client and web browser.
Enforce multifactor authentication (MFA). (See Supplementing Passwords for more information.)
What Should you do if you’re a Victim of Phishing?
If you believe you might have revealed sensitive information about your yourself or SPU, immediately report it to the CIS HelpDesk so we can lock your account and prevent further access.
If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
Immediately change any passwords. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Consider filing a report with the Office of Safety & Security (OSS). If money was stolen or you’re being threatened, OSS can work with local authorities to file reports and recover stolen property. Call 206-281-2922 or email securityinfo@spu.edu.
Watch for other signs of identity theft. (See Preventing and Responding to Identity Theft for more information.)
If you’re ever not sure, reach out to the CIS HelpDesk at help@spu.edu or at 206-281-2982 so we can assist you.
Source: Avoiding Social Engineering and Phishing Attacks. February 2021. Retrieved, October 2024. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks