Higher Education Innovation In Action

  • Security, Service, and Shared Responsibilities

    by Mark Bonges, Vice President, Application Development | Oct 05, 2017

    Security or convenience? It always seems like a tradeoff. Strong passwords and multi-factor authentication help beef up security but they’re a headache for users, who need to keep track of dozens (or even hundreds) of logins. On the flipside, login credentials that are easy to remember are also easily cracked, and that can expose everything from an individual’s sensitive data to an entire network.

    No doubt your institution’s IT department faces this dilemma every time they upgrade campus WiFi. A robust wireless infrastructure is a necessary part of the service you offer students. Multiple hotspots, which used to be a luxury, are now an industry standard. Students are bringing more connectable devices to campus than ever before. How can your institution meet these ever-increasing demands and still provide increasingly higher levels of security?

    The answer, unfortunately, is that there is no easy answer (or one-size-fits-all solution). But this should help put things into perspective: While excellent service may be your IT department’s responsibility, network security is a shared responsibility, and that also happens to be the theme of this year’s National Cyber Security Awareness Month (NCSAM).

    Every year in October, the U.S. Department of Homeland Security and the National Cyber Security Alliance team up to raise awareness about online safety. This year the focus is on end users, and as the semester rolls on, it’s a good opportunity to remind students and staff about securing passwords and recognizing common threats, and to reiterate your institution’s policies on what to do when a device gets breached.

    Here’s a quick preview of the topics they’re covering each week (which you can read about in detail here):

    • STOP. THINK. CONNECT: Simple Steps to Online Safety (October 2-6). This first week is dedicated to good online habits, current threats, and what to do if you’re the victim of a cybercrime.

    • Cybersecurity in the Workplace is Everyone’s Business (October 9-13). Week 2 centers around institutional responsibilities for educating employees, customers, and students. It also highlights resources to help you reinforce your institution’s policies and infrastructure.

    • Today’s Predictions for Tomorrow’s Internet (October 16-20). During Week 3, NCSAM will look at the implications of an increasingly connected future. The Internet of Things is here to stay; what’s the best way to keep your devices and data safe?

    • The Internet Wants You: Consider a Career in Cybersecurity (October 23-27). This fourth week may be of special interest to your STEM majors and technology staff. NCSAM highlights this growing career as well as ongoing education for those already in the workforce.

    • Protecting Critical Infrastructure from Cyber Threats (October 30-31). Week 5 offers a preview of the latest developments in a smart and secure public infrastructure.

    To circle back to the question that opened this post, security and convenience don’t have to be mutually exclusive. In some situations, you can teach users how to enable fingerprint security features on their phone and computer, or two-step authentication via text message. That’s one way to bring good service into your security plan. Another is to regularly communicate with everyone at your institution about the latest phishing scam or teach them how to troubleshoot when problems arise. Ultimately, end users are your first line of defense, and empowering them can only help reinforce your campus network and overall cyber security.

  • Cybersecurity Awareness - Educating Staff and Students About Phishing

    by CS Staff | May 25, 2017

    Two major security breaches have been in the news in recent weeks: a phishing attack that targeted millions of Gmail users, and a ransomware attack that hit dozens of countries, including the UK where it crippled the National Health Service (NHS) for a time. Although cyber-attacks don’t always make the headlines, they happen with alarming frequency at colleges and universities. Higher ed has long been an attractive target for hackers due to its information-sharing ethos, a wealth of sensitive data on file, and a BYOD (bring your own device) culture that keeps technology decentralized and difficult to regulate.

    But technology can only go so far. No matter how secure your network may be, your end users are the first line of defense in an attack. That’s the main message behind leading cybersecurity awareness programs, and it’s why colleges and universities around the country have stepped up efforts to educate staff and students about phishing. Last month, University Business magazine took a look at what some institutions are doing to raise awareness.

    Simulated Phishing Attacks

    One of the most popular ways to educate students and staff is through simulated phishing, according to the article. Some schools develop phishing campaigns in-house – IT staff send out a fake phishing email with an embedded link, and any user who clicks the link is taken to a web page that informs him or her of the simulation and offers further educational information.

    Other schools partner with outside vendors like KnowBe4, which specializes in security awareness training and phishing simulations. The Florida-based firm offers videos, games, posters and other products that can be customized to fit the needs of many types of organizations.

    Additional Techniques to Raise Awareness

    The article also suggests a few other ways that schools can communicate the importance of cybersecurity. For example:

    • Schedule annual presentations for incoming freshmen
    • Send out campuswide email alerts any time there is suspicious activity
    • Hold a “security awareness day” with engaging and fun activities for students

    Bolstering the Technology

    Of course, technological security is still an important piece of the puzzle, and while schools are educating users, they’re also requiring multifactor authentication for logins, reinforcing firewalls, and monitoring spam filters to ensure malicious messages are caught.

    Phishing Simulation Tips

    If you’re interested in launching phishing awareness training at your school, whether it’s in-house or through a third party, keep in mind that a well-designed simulation should:

    • Present users with a realistic type of cyber-attack
    • Include a follow-up meeting for end users and IT personnel to discuss the results of the campaign (for example, the percentage of users who fell for the simulation) and how to avoid scams in the future
    • Prompt further security training based on the results

    The ultimate goal of a phishing drill is not to trick or embarrass your staff or students, but to educate them so they can better protect themselves, and, by extension, your systems and network.

  • Password Best Practices: Tips for at Work and Home

    by Mark Bonges, Vice President, Application Development | Mar 29, 2017

    The average person maintains anywhere from dozens to hundreds of passwords. That seems like a lot until you add up the number of social media sites and discussion forums you visit, along with bank and credit card sites, airline and hotel accounts, media streaming services, web-based email… not to mention the different devices you need to secure, like wireless routers and smartphones.

    Managing so many login credentials takes effort, so everyone cuts corners from time to time – whether they use passwords that are easy to remember or the same password across multiple sites.

    And that’s where the problems begin.

    How cyberthieves use your login credentials

    As the number of online accounts grows, so do cyberattacks. But cyberthieves don’t simply steal hundreds of millions of passwords and go on a hacking spree. The overall process is more methodical than that, and it can take years before a login is fully exploited.

    With an almost endless supply of stolen passwords to choose from, hackers tend to go for the “low-hanging fruit,” the commonly used passwords that are easy to crack.

    The takeaway? While there’s nothing you can do to prevent massive online data breaches and theft of your login credentials, you can still minimize your risk after a breach occurs by following a few recommended security practices.

    Make passwords complex and long

    The strongest passwords contain some combination of complexity and length. “Complexity” has evolved over the years and is defined differently by different websites, but essentially it means a combination of upper- and lowercase letters, numbers, and special characters.

    An increasingly common practice is to string several words together to create a passphrase, but be sure to avoid pop song lyrics or famous quotes. Passphrases should be meaningful to you so that you can remember them, but difficult for someone else to guess.

    Use caution when managing your passwords

    Password management services or “vaults” offer an easy way to store all of your passwords in one place and help you avoid the security risk of using the same password for multiple sites. There are many to choose from, like 1Password and LastPass, and they are recommended by security experts.

    If you decide to use this type of service, consider leaving out the passwords that protect your most sensitive data, like your primary email address and bank account. Also note that a centralized set of passwords creates a single point of failure for your digital life. If a hacker breaches your password vault, they’ll have access to all passwords in the vault.

    Set up multi-factor authentication

    Beyond passwords, one of the strongest forms of login security available today is multi-factor authentication (also sometimes known as “two-step verification”). It adds an extra layer of protection by requiring a separate login credential, over and above your username and password. This credential can be anything from a PIN to a temporary numeric code that is generated on a separate device, like a smartphone. So, even if a hacker has your username and password, they would still need access to your PIN or smartphone to be able to break in.

    Many websites offer multi-factor authentication as an option, and it’s a good idea to set this up wherever you can, especially for your email and financial accounts.

    Think about what you’re trying to protect

    Finally, whenever you go to create a password, think about what you’re trying to protect and what you’re protecting yourself from. Don’t skimp on security when it comes to your most sensitive data. Ensure that your critical passwords are unique and difficult to break, omit them from your password vault if you use one, take advantage of multi-factor authentication, and set calendar reminders to regularly change your passwords.

    Cybercrime is constantly evolving as the Internet evolves, and no form of security is ever 100% bulletproof. Strong passwords should be only one part of a multifaceted and ongoing security plan. Keep an eye on the trends and be proactive – it’s your best line of defense.

  • A Security Issue You Need to Know About – MouseJacking

    by J. Jeffrey Geldermann, President & COO | Oct 06, 2016

    You’ve heard it before and you’ll hear it again… When it comes to data security, you’re never finished protecting yourself, your organization, and your customers. Hackers constantly evolve their techniques to create more advanced malicious attacks, so you need to be both proactive AND reactive! It’s ultimately up to you to stay abreast of evolving threats and respond accordingly.

    Take a look at this short video created by Bastille, which we recently shared with all Credentials staff. Consider showing it to your work associates, family, and friends. You could even take it one step further like us and ban the use of these devices that can be easily compromised.

    This is just another security vulnerability that should scare you.