October Is Cybersecurity Awareness Month
Multifactor Authentication Everywhere
Whether it's as a part of your SPU account or your bank account, Multi-factor Authentication (MFA) is here to stay. While it's not a silver bullet against all cybersecurity threats (and we still need to be on the watch for "phishy" behavior), it's a simple measure that should be enabled anywhere it is available.
Multi-factor Authentication is a process by which you use a second "factor" to log in to an online account, in addition to the username and password you already know. This second factor is most often "something you have", and can be a device with a registered application, a phone number to receive calls or texts, or a dedicated security token that generates an authentication code.
SPU is finishing up its migration of all "@spu.edu" accounts to MFA this Fall using Azure MFA (if you haven't enrolled already, do so now!). This means that all logins used to access SPU systems will be afforded this protection and our accounts and systems will be more secure. Importantly, this will also help prevent bad actors from using a compromised account to bombard campus inboxes with phishing or scamming attempts.
Do your part and set up MFA both here at SPU and anywhere else you have the option of doing so!
Getting set up with a Password Manager
Last week we talked about the importance of using Multi-factor Authentication Everywhere and how it can help protect you against cybersecurity threats. This week we’re focused on your password and how you can protect yourself by setting up a Password Manager!
Most people tend to use easy-to-remember passwords, but those are also easily guessed and are thus vulnerable to cyber-attacks. If you use the same password for your email, bank, social media, and healthcare accounts, an identity thief who found your login info on the dark web would be able to access all kinds of sensitive information with a single username and password.
What are the Benefits of a Password Manager?
Individuals and businesses may find password managers useful in several circumstances:
- They can generate secure passwords for you. Many password managers will prompt you with an automatically generated secure password whenever you create a new account through an app or website. These passwords tend to be long blends of letters, numbers, and special characters. If you opt to use a suggested password, the manager will automatically store it for you.
- They can save time. While keeping all your login information safe is certainly a plus, a password manager can also store and auto-fill information like your address, phone number, and credit card. Online shopping just got a lot easier!
- They protect your identity. If a criminal can guess one of your passwords, they’ll try to access more of your accounts by trying that same password in other commonly used websites. But if you’re using unique passwords, they may not be able to gain access to your other accounts. While a password manager isn’t foolproof, it does provide an extra layer of security.
- They can let you know about phishing sites. Phishing and spear phishing websites are scams that spoof legitimate websites. While they may look like the real deal, their goal is to steal your login information and commit fraud. A password manager can offer protection from phishing sites because each username and password is tied to a specific URL. Even if you visit a phishing site, your login information won’t autofill because the URL doesn’t match the one saved in the password manager. This might give you pause before you enter your personal information and keep a criminal from stealing it.
Apart from using a service or app to manage your login information, other steps that you can take to keep your information safe include not reusing passwords and creating strong, unique passwords for each website or application you log into.
What password manager should I adopt?
There are many password managers to choose from, so how do you pick a good one? Checking reviews from reputable sources, like Wired or CNET, will help you identify a password manager that will meet your needs. Some commonly used password managers are 1Password, Bitwarden, and LastPass, among many others.
Additional Resources
Looking for more information about how password managers work? Check out the following resources.
Colby, C., Hodge, R., Tomascheck, A. October 2022. Best password manager to use for 2022. https://www.cnet.com/tech/services-and-software/best-password-manager/. Retrieved October 2022.
Gilbertson, S. August 2022. The best password managers to secure your digital life. Wired. https://www.wired.com/story/best-password-managers/. Retrieved October 2022.
National Cybersecurity Alliance. May 2022. Online safety + Privacy basics: Passwords. https://staysafeonline.org/online-safety-privacy-basics/passwords-securing-accounts/. Retrieved October 2022.
National Cybersecurity Alliance. September 2022. Online safety + Privacy basics: Password managers. https://staysafeonline.org/online-safety-privacy-basics/password-managers/. Retrieved October 2022.
Identifying Malicious Emails
If you’ve been following along with our weekly Cybersecurity Awareness posts, by now you have MFA enabled on your accounts and a password manager set up to store all your passwords. Those tools help to secure your account, but malicious actors have other ways to steal data or defraud users.
Since the start of October, Microsoft has flagged 125,766 emails sent to SPU addresses as either phishing attempts, fraud, or malware. Can you distinguish between the different types?
- Phishing emails attempt to steal your account credentials.
- Fraud emails attempt to steal money from you. These can be emails such as:
  - Requests for gift cards that will be “paid back right away”
  - Help wanted postings that require you to send money before they can hire you
- Malware emails contain attachments that install malicious programs on your system when opened.
The large majority of attempts like those mentioned above are automatically blocked by safeguards CIS has implemented in SPU’s systems. But for those that make it through, here are some steps you can take to protect yourself:
- Take a few seconds to reread and review the email (answering yes to any of the following questions increases the chances the email is a phishing attempt).
  - Is the offer too good to be true?
  - Is the sender asking you to send them personal information and/or money?
  - Is the language urgent or threatening permanent loss of access?
  - Is the greeting generic or ambiguous?
  - Is the request in the email a strange business request, especially from that particular sender?
- Confirm the sender of the email.
  - Hover over the display name of the email to review the address from which it was sent. Does the address match the supposed sender of the email?
  - Beware of email addresses that are very similar looking to valid addresses such as: pavpal.com vs paypal.com or anazon.com vs amazon.com
- Never click links in suspicious emails.
  - Never use a link in the email to contact the sender. Call them using contact information on their website instead, to confirm whether or not the emailed request is valid.
- Don’t open attachments from non-trusted senders.
  - Opening attachments risks installing malware on your computer. Once installed, the malware can quickly propagate out to other areas of our network and infect the entire system.
- Contact CIS if you still have questions.
  - If you receive an email that passes all of the above checks but still seems suspect to you, contact CIS (help@spu.edu) and ask us to review it. We have additional tools and resources we can use to attempt to confirm its validity.
Managing your Software
In our last installment for Cybersecurity Awareness, we’re focusing on software updates. Often, when we think about software updates, we think about our computer and our phone, but there’s more to updates than just those devices.
The key things to remember about software updates are:
- Update often. New patches come out on a regular basis and there will be new vulnerabilities. The longer you wait, the more vulnerable you and your data are to bad actors.
- Automate it whenever possible. With the number of devices and applications out there that we each use, it can be hard to keep track of updates. This is where automation comes into play. Sometimes, your devices and applications can keep themselves updated, taking some of the burden off you to remember to do this.
- Replace or upgrade unsupported software and hardware. Hardware and/or software that is no longer supported and receiving updates can be problematic because there won’t be patches to protect the system and your information from new attacks and vulnerabilities. Where possible, upgrade or stop connecting the older devices to the internet to keep yourself and your data safe.
- Every device that connects to the internet should be updated. This includes your home router, smart devices used at home like security cameras and doorbells, Bluetooth deadbolt setups, car software, TVs and more! If your system is online, we recommend keeping up with the updates!
We’re at the end of Cybersecurity Awareness Month, but we hope that by sharing these resources with you, we have given you the tools and information necessary to make informed decisions when using the Internet.