Security Awareness Month Archive - 2019
Week 1 - Password Best Practices
The primary mechanism protecting one's account is the password; therefore, it is important to create and manage strong password or passphrases. Cybersecurity experts continually identify the use of strong, unique passwords or passphrases as one of their top recommendations. Additionally, you should strengthen an account’s security by implementing multi-factor authentication (MFA) wherever possible.
What makes a password strong?
The strength of a password is determined primarily by character length and character complexity. Every extra character in your password increases the difficulty for malicious actors to crack it. Here are a few interesting facts about passwords:
- The most commonly used password is…123456.
- Other common passwords include “password”, “welcome”, and “12345″.
- If you think having one extra letter or number in your password doesn’t mean much,
consider the following:
A 6-character password with only letters has over 308 million possible combinations
An 8-character password with only letters has over 208 billion possible combinations
An 8-character password with letters (upper & lower case) and includes numbers and symbols has over 6 quadrillion possible combinations
There is real strength in numbers. Strong password policies are in place for the benefit of users.
What's a passphrase?
We encourage the use of passphrases when possible. A passphrase is similar to a password but is usually longer and more secure. Passphrases typically consist of words or phrases that may be separated by spaces and may use a combination of symbols and punctuation. While simplistic passwords can be relatively easy for a malicious actor to guess or hack, passphrases are almost impossible to crack. When creating passphrases, please keep the following in mind:
- Strive for at least four unique words
- Don’t choose from the most common words, and don’t choose quotes or sayings. The words should be as random as possible.
- Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.
Use of one password for all accounts
It is never recommended to reuse the same password on multiple websites; but remembering multiple passwords can be difficult. A common solution is to use a password manager. Password managers store your login information for all of your accounts and can log you in automatically. The password manager encrypts the password database with a master password, which is the only password you’ll need to remember. Many password managers support multi-platforms such as Widows, Mac, iOS, Android, etc.
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is a security mechanism that provides an additional layer of protection by verifying digital users through at least two authentication factors. There are three common types of authentication factors:
- Something you know – This refers to information known only to the user. For example, unique passwords, security questions, PIN codes.
- Something you have - This refers to something that the user owns. For example, a smartphone or a security token
- Something you are – This factor refers to something that is exclusive to the user. For example, biometrics (e.g. fingerprint)
Multi-factor authentication is the most effective way to protect your accounts. With multi-factor authentication, even if a password is compromised, a malicious actor would have to obtain an additional piece of information to gain access. When offered to “enable” or “turn on” MFA on your personal accounts such as Facebook, Amazon or Google, we strongly encourage you to do so.
Check out these additional resources:
MFA at LSU
- Logging in with Multi-Factor Authentication (MFA) - https://grok.lsu.edu/article.aspx?articleid=19930
- Multi-Factor Authentication (MFA) Enrollment - https://grok.lsu.edu/article.aspx?articleid=19929
Password Complexity requirements at LSU
- Why You Need To Use A Password Manager - https://techcrunch.com/2018/12/25/cybersecurity-101-guide-password-manager/
- Best Password Managers of 2019 - https://www.cnet.com/news/the-best-password-managers-of-2019/
Other Helpful Links About Passwords:
Week 2 - Data Privacy and Social Media Best Practices
We live in a world of constant communication. Facebook, Twitter, LinkedIn, and Instagram are just a few examples of the many communication platforms that we use on a regular basis that store or have access to our personal data. Do you know how to keep your information private in this digital world? Read on to learn what data privacy is, why it matters, and tips to protect your privacy.
Data privacy relates to how a piece of information – or data – should be handled based on its relative importance. Data privacy is important because if your data gets into the wrong hands, bad things could happen that could negatively impact your life. The more information malicious actors can attain about you, the easier it is for them to take advantage of you. For example, using information that you provide online about your location, hobbies, interests, friends etc., a malicious actor could potentially access your private accounts by guessing a password. If security questions have been used for any accounts or as a password recovery mechanism, such information can also be used to answer such questions.
Any amount of your personal data could be used maliciously, so be wary of what you put online and how you secure it. Remember that even photos and videos can reveal information about yourself and your daily routine. Companies collect this type of information, and due to privacy notices often not being read or disregarded by users, perform all types of actions on it without the user’s knowledge. To avoid becoming a victim, it is vital to understand that your privacy is of utmost importance.
How can I protect myself?
- Enable and become a master of privacy settings. Keep an eye on these settings, as they update and change frequently
- Create strong, complex passwords. Use MFA (multi-factor authentication) wherever available
- Never share any information online that you consider private, regardless of your privacy settings
- Know which platforms permit third party processing by reading privacy policies more closely
- Treat the internet as a public resource. Regardless of your security settings, if you post it online, assume the world can see it
- Always fully log-out of your accounts when using public machines (e.g. lab computers)
Check out these additional resources:
Social Media and Privacy
- Tips for Protecting Your Social Media Privacy - https://us.norton.com/internetsecurity-privacy-protecting-privacy-social-media.html
- Cyber Tip: Social Media and the Use of Personal Information - https://www.fbi.gov/news/stories/cyber-tip-social-media-and-the-use-of-personal-information-national-cyber-security-awareness-month
- Internet Social Networking Risks - https://www.fbi.gov/file-repository/internet-social-networking-risks-1.pdf/view
Managing privacy settings on social media:
How to Manage your Privacy Settings on Social Media - https://www.experian.com/blogs/ask-experian/how-to-manage-your-privacy-settings-on-social-media/
Week 3 - Data Security (data classification, data storage best practices)
We all interact with data on a daily basis. Digital data can be maintained in a variety
of ways, including on your local computer, an external drive, or using cloud storage.
It is important to understand that all data cannot be treated equally in terms of
how we store and share it. The method that is the most appropriate for your data depends
heavily on the type of data you are working with. Many times, what is fast and convenient may
not be the best option. Read on for more information on safely storing and transmitting data.
* Please note that this article distinguishes between personal data and LSU owned data, with separate recommendations for each.
Personal data varies in terms of how important or sensitive it is. Personal data can include something as simple as your name and email address while it can also refer to sensitive items such as your social security number, bank account numbers, or financial aid information. All data is valuable, but some is more important or sensitive than others, and should be treated carefully.
Storing Personal Data:
Cloud storage services such as Google Drive or Dropbox are a great option for personal data storage. These services allow you to access your information from anywhere from any device as long as you have your log in credentials and an internet connection. As an added benefit, storing your data in the cloud can serve as a backup for your important documents. To better secure your data that you place in the cloud, we highly recommend you always implement multi-factor authentication whenever possible. If you are storing anything sensitive, you can take an extra precaution by making sure sensitive documents are password protected.
Transmitting Personal Data:
If you are transmitting sensitive data, make sure you use an encrypted communication channel. Note that email is not a secure mechanism for transmitting sensitive data. For web-based transmission, always ensure that the web site is protected by SSL. Communications sent over HTTP connections are not encrypted and can easily be read by anyone. HTTPS encrypts communications between your browser and the website you are connected to. In addition to an indication of secure HTTPS, always ensure the domain name exactly matches the site you are intending to visit. The image below illustrates an example of what browsers may display when a site is delivered over HTTP vs. HTTPS.
Additional Personal Data Handling Tips:
- Do not transmit confidential data via email
- Password protect all confidential data, and accounts with access to confidential data.
- Do not share passwords, and do not write passwords down.
- Do not store unencrypted confidential information on a laptop computer/desktop computer's hard drive, USB drive, CD, flash memory card, floppy drive, or other storage media.
- Always lock computers, offices, desks, and files that contain confidential information when unattended.
- Do not publicly display confidential data, or leave confidential data unattended.
- Do not share confidential documents or information with anyone unless required by government regulations, specific job responsibilities, or business requirements. Be prepared to say "no" when asked to provide that type of information.
- Do not communicate confidential information to others unless you know they are approved to handle confidential information.
If you are working with LSU data (i.e. student data, employee data, research data
etc.), there are some specific considerations, in addition to the ones highlighted
above. It is important to understand how the data is classified as data classification
drives how the data is to be protected. For information on LSU data classification,
please visit the link below:
Storing LSU Data
For storing LSU data, please work with your department IT Support to ensure you are taking advantage of all available options with regards to storage and backup. For cloud storage, LSU approved services include OneDrive and Box. For more information on LSU Cloud Storage Services, please visit the link here: https://grok.lsu.edu/article.aspx?articleId=16822
Transmitting LSU Data
As stated above, web based transmission of should always occur over HTTPS. Beyond
HTTPS, LSU offers two additional services for secure file transmission. See the links
below for more details.
FilesToGeaux for secure file transmission:
Encrypted Email at LSU:
Check out these additional resources:
- Protector Your Mobile Device
- All about Encryption
- Using Public Wi-Fi
Choosing a cloud vendor
Cloud storage risks
Week 4 - Phishing
Are you familiar with social engineering and Phishing? Can you effectively spot a Phishing email? See below to learn more!
Social Engineering and Phishing
In a social engineering attack, a malicious actor uses human interaction (social skills) to obtain or compromise information about a person or organization. The malicious actor may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by gather data from unsuspecting people, he or she may be able to piece together enough information to compromise an individual or organization.
The most common form of social engineering is phishing. Phishing emails are an attempt by malicious actors pretending to be legitimate entity or person for the purpose of stealing private information, such as username and passwords, social security numbers, or banking information. To protect yourself, become familiar with the “anatomy” of a phishing email. If you come to know some of the common indicators of a phish, you will be able to spot them more easily. Please visit the following link to learn more: https://www.lsu.edu/it_services/its_security/files/phishing_anatomy.pdf
Note that Phishing attacks are not isolated to emails. Attackers may contact you over the phone (i.e. voice phishing /“vishing”) as well, spoofing numbers that will appear legitimate. Attackers may also utilize cell phone text messages (i.e. SMiShing) to send bogus text messages that appear to come from banks, credit card companies and other legitimate organizations.
- Learn to identify suspected phishing emails
- Do not click on URLs without inspecting them first. Even e-mails from known sources can be malicious if their account has been compromised.
- Always ensure that your computer is applied with the latest security updates and patches to reduce the chances of vulnerabilities
- Enter sensitive data on secure trusted websites only
- Never email confidential or financial information
- Be suspicious of all unknown callers/text messages
- Don't inherently trust caller ID. Remember, telephone numbers can be spoofed, i.e. the number on caller ID may not be the actual number calling you.
- If you are unsure about a caller, ask lots of questions. If a caller is asking for personal information or wants you to purchase something, ask for company information and inform them that you will call back. You can search for the company and their customer support number to call back and confirm.
- Never respond to suspicious text messages
What if you have been hooked?
If you believe you have fallen for a phish, please take the following actions:
- If you accidentally shared your username and password, please change your password immediately. (NOTE: The new password must be unique and should not have been used anywhere else. If you use the same password for different services, you must change passwords for other services as well)
- If you shared your banking (credit card, debit card, bank account number, etc.) information, please reach out to your financial institutions immediately and take the necessary steps as recommended by the respective institution.
- If you shared any other personally identifiable information (Social Security Numbers, Date of Birth, etc.) you should take necessary steps to monitor your credit for any unauthorized changes. It is also a great idea to place a freeze on your credit with all credit bureaus.
Check out these additional resources:
- Reporting a Phish at LSU
- Use Cofense Reporter to report a phishing e-mail to LSU IT Security team - https://grok.lsu.edu/Article.aspx?articleid=19636.
- If Cofense Reporter is not an option available to you, please report phishing messages to LSU IT Security team as outlined here: https://grok.lsu.edu/Article.aspx?articleid=17107#Reporting
Week 5 - Identity Theft and What To Do
What should you do if you are a victim of cybercrime? See below to learn more about the next steps to take.
Identity theft occurs when someone uses another person's personal information such as name, Social Security number, driver's license number, credit card number, or other identifying information to take on that person's identity in order to commit fraud or other crimes.
How to Protect Yourself from Identity Theft
The following tips can help lower your risk of becoming a victim of identity theft:
- Protect your Social Security number. Don't carry your Social Security card or other cards that show your SSN. Do not email your SSN
- Use caution when giving out your personal information. Scam artists "phish" for victims by pretending to be banks, stores or government agencies. They do this over the phone, in e-mails, and in postal mail.
- Treat your trash carefully. Shred or destroy papers containing your personal information including credit card offers and "convenience checks" that you don't use.
- Check your bills and bank statements. Open your credit card bills and bank statements right away. Check carefully for any unauthorized charges or withdrawals and report them immediately.
- Check your credit reports. Review your credit report at least once a year. Check for changed addresses and fraudulent charges.
- Freeze your credit. If you do not plan on conducting any activities that require third parties to run a credit report of you, you can freeze your credit reports. This will prevent attackers from obtaining credit histories and opening new lines of credit.
- Ask questions. Ask questions whenever you are asked for personal information that seems inappropriate for the transaction. Ask how the information will be used and if it will be shared. Ask how it will be protected. If you're not satisfied with the answers, don't give your personal information.
- Protect your computer. Protect personal information on your computer by following
good security practices.
- Use strong, non-easily guessed passwords.
- Use firewall, and anti-virus software that must be updated regularly.
- Download software only from sites you know and trust and only after reading all the terms and conditions.
- Don't click on links in pop-up windows or in spam e-mail.
If Your Data Becomes Compromised or Stolen
If you have reason to believe your personal information has been compromised or stolen, contact your local Police Department and the Fraud Department of one of the three major credit bureaus. More information can be found here:
Security Incident at LSU
If you believe an information security incident has occurred at LSU that impacts LSU data or systems, please contact email@example.com immediately.