Introducing the new and improved Cybersecurity Hub! 09/10/2024
For years now, the Cybersecurity Hub has been the go-to website for everything cybersecurity at Mount Royal University. It started out with a few simple links to training, the newsletter, events and general cybersecurity information. However, over time new policies were implemented and new initiatives were born. With each one, the Hub gained new links until it became impossible to navigate.
The home page contained tons of valuable information; however, it was so confusing to sort through that it was challenging to find what you were looking for. It became apparent that we needed to simplify things. Last year, we began that process.
Working with University Marketing and Communications, we were able to identify the key areas of interest and break them down into six topics. Outdated information was updated or removed, information that could be found elsewhere was deleted and what was left was consolidated. I am pleased to announce that the new Cybersecurity Hub was launched on September 5.
Not only is the new site easier to navigate but we have added a new section for alerts and announcements. This information is front and center and is updated in real time as new threats are identified. You no longer have to wait for the newsletter to come out on Wednesday to find out about the latest phishing emails hitting inboxes.
Please go and take a look at the new site. Poke around and see what you can find. You might discover some new information that was there all along but too buried to see.
Cybersecurity awareness training for current employees goes live August 15 – 08/12/2024
It’s that time of the year again … faculty returns to campus eager to meet a new group of bright-eyed students and the new cybersecurity awareness training for current employees goes live. Yes, I am sure you have all been waiting with bated breath for the new training and just can’t wait to get started.
The good news is this year’s pre-test only has 22 questions. The bad news is for some topics there are only three questions, so if you only get one wrong you will be assigned training. We are less than pleased with this solution and are looking at new ways to deliver the training in the future. Your patience with this process is appreciated.
On a more positive note, there will be new monthly videos. Sadly (or fortunately, depending on your tastes), we have worked our way through the entire Cyber Guys series. Starting in October, a new video series, “When Emotions Run High”, will be launched. The two-minute videos focus on how to take the stress out of being cybersafe with simple, straightforward tips. It was chosen by our focus group, which included members from across the campus. After watching the videos they felt empowered and more confident in their ability to spot and stop cyber attacks. We hope they will leave you feeling the same way.
To encourage and reward those who take time out of their busy day to watch the videos, everyone who views them will be entered in the monthly Random Acts of Cybersecurity draw. The winner of the draw gets to spin the prize wheel. Every spin is a win.
Supervisors are also winners this training year, as we are updating our training platform enrollment process to ensure we have accurate and up-to-date information on employees and who they report to. When training status reports go out in March, supervisors won’t have to waste time letting me know who is missing from their team and who has left.
We hope that these updates to the cybersecurity awareness program will help you become more confident and empower you to stay cybersafe. If you have feedback on the program, suggestions on how to make it better or would like to participate in future focus groups, please fill out our feedback form.
Your student ID does not belong in your email signature – 06/27/2024
As a member of the IT Security team, I regularly have students emailing me looking for cybersafety guidance. However, recently I have noticed a concerning trend: student IDs are showing up in these emails. While I am aware that many instructors and professors ask students to include their ID in correspondence to confirm their identity, the place for this information is not in the email signature.
When the student ID is in the signature, it gets sent to every person you email. Even if you only use your MRU email to converse with University members, not everyone on campus should have this information.
Student IDs are used by the University to uniquely identify you. That is why your instructor/professor is asking for it. With that information and your name, someone can impersonate you. They could use this information to view your records, access banking information, drop you from classes and generally wreak havoc on your life.
While putting your student ID in your email signature can save you time, it can come at a great cost. Instead, create an email template that contains your student ID in the body. When you need to email your instructor or professor, use this template. This little extra effort can protect you from a lot of grief later on.
Beware of malicious files in your Shared with Me folder – 02/05/2024
How attackers are using Google Drive
Google Drive is a wonderful tool that allows you to collaborate with colleagues and share information easily. All you need is someone’s email address and the file you share shows up in their Shared with me folder. Easy peasy, lemon squeezy. Unfortunately you are not the only one taking advantage of this. Scammers too love the easy way they can deliver malicious documents directly into your Shared with me folder.
Some attackers like to send an email notification, thinking their email is clever enough to direct you to the document. Others are less confident of their composition skills and skip the email, hoping you will stumble upon the malicious document the next time you cruise through your Shared with me folder. The expectation is that once the document is discovered, curiosity will drive you to open it.
The good news is Google scans all shared documents, so if you do open it, nothing bad will happen. However, the danger is not in opening the document. The danger is in what the document contains … malicious links. Those links take you to a Google form or a malicious website that harvests login credentials or loads malware onto your machine. One click and your computer can be compromised.
How to protect yourself
If you stumble upon a document you don’t recognize in your Shared with me folder, right-click it and choose File information > Details. Scroll down until you find the name of the creator. If they are an MRU colleague, email them using their MRU email address and ask for more details about the document.
If they are outside of MRU and you have their phone number, call them and ask about the document. If you don’t know them, consider the document malicious. Drag the file to your Google Drive Spam folder (yes you have one). A dialog box will appear asking you why you are reporting the file and giving you the option to block further document shares from that email address. Make your selections and click the Report button. It won’t prevent the attacker from creating another email address and sharing another document, but it gives Google information it can use to stop similar document shares in the future.
Cybersecurity Awareness Month is coming and so are the prizes! 09/25/2023
Oct. 1 marks the beginning of Cybersecurity Awareness Month. To celebrate we have fun activities to participate in and prizes to give away.
The Virtual Treasure Hunt returns this year. Solve puzzles, collect clues and find Blue Beard’s treasure. Everyone who finds the treasure is entered into a draw for an Anker PowerWare 10 Dual Pad wireless charger donated by Proofpoint. To make things even more fun, each clue you find gives you an entry into a draw for a spin of the prize wheel. The prize wheel is loaded with fun prizes such as travel mugs, reusable memo pads, insulated mugs, golf shirts and more. The first treasure hunt clue is dropped on Oct. 3. However, you can register anytime before Oct. 31 and still participate. Registration is open now. Students, staff and faculty can all register. Sign up and get in on the fun.
Also returning is the Random Acts of Cybersecurity program. Starting Oct. 1 you can nominate a colleague for being cybersafe. Each nomination will earn the nominee AND the nominator one entry into a draw to spin the prize wheel. Two winners will be selected, one nominee and one nominator. Share with your colleagues the cybersafe things you are doing and get nominated, or ask your colleagues how they are being cybersafe and start nominating. The program will run until the end of March 2023. Unfortunately, only staff and faculty can participate. A big thank you to our sponsors, Proofpoint, Palo Alto and CDW.
Support scam freaks out a student and library staff – 09/11/2023
One poor student got more than they bargained for when they did some web surfing on a library computer. An innocent click on a search result produced this alarming notification.
The freaked-out student asked library staff for help, and IT Services was contacted. Once the technician arrived, he realized the computer was a victim of a Chrome browser takeover. In a Chrome browser takeover, it looks like the computer itself has been compromised, as the normal window controls are missing and the only way to get rid of the alerts appears to be by calling the toll-free number.
In reality, the computer is just fine and it is only the Chrome browser that has been hijacked. Since Microsoft does not monitor computers for malicious software, nor do they block access to your computer, the technician knew what type of attack he was dealing with. To regain access to the computer, he did the following:
- Pressed CTRL + ALT + DELETE to view the Task Manager
- Clicked on Google Chrome in the Apps list
- Clicked the End task button
This closed down Chrome and returned the computer to normal. Both the student and the library staff were relieved that no harm had been done. So was the technician, who congratulated them both on contacting the IT Service Desk rather than trying to resolve the issue on their own.
Unfortunately, there is no way this attack could have been prevented. The website that initiated the attack was a legitimate site that had been compromised. There was no way to know that before the link was clicked, as that site had been visited many times before without issue.
Remember, if you see an alert appear on your computer insisting that you call a phone number to fix it, it is a scam. Close the browser window and don’t visit that website again. If the window controls are missing, shut down the browser using the Task Manager. No legitimate anti-virus software will ask you to call them.
Twelve character passwords are now being hacked on a regular basis. 08/01/2023
For years you have been hearing that a strong password is greater than 8 characters long, has uppercase letters, lowercase letters, numbers and symbols. Today that is no longer the case. The threat actors now have computing power and tools that allow them to brute force hack any 8 character password in less than a day.
So how long should your password be? Well that depends on whether you have created the password yourself or have had a password manager do it. According to experts, if you generate the password yourself, it has to be 20 characters long. If you have a password manager generate a random one for you, then it only needs to be 12 characters long.
Why the discrepancy? The thought is the human brain cannot generate a random enough password to keep criminals out. We tend to use dictionary words and dates making it easier for these types of passwords to be cracked. In comparison, a password manager generates a completely random combination of characters which is much more secure.
I know what you are thinking, isn’t 20 characters overkill? Well, we have had multiple accounts on campus brute force hacked in the past year. The passwords were unique, were used nowhere else, had 12 characters or less and included all the recommended characters. There was no way that the passwords could have been stolen from elsewhere. A brute force hack is the only explanation of how the accounts were compromised.
A 20 character password may be secure, but if you are trying to come up with a single word that is that long, it can be bloody hard. The whole process is easier if you use four random words that have meaning to you, but would be nonsensical to anyone else. Once you have your words, insert a number into each one and capitalize one letter in the word. You can use spaces as your special character or replace the spaces with a special character. For example, saddlepad blue shiny bay becomes s4addlepaD#b4luE#s4hinY#b4aY.
To make it easy to remember, I insert the same number in the same place, capitalize the last letter and replace the spaces with the same symbol. The result is a monster password that will take years to crack but can be remembered.
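As an added example (not part of the original post), the Python below applies the article's four-word scheme to its own sample words and then estimates the brute-force work an attacker faces under two models: one that treats the result as random characters, and one that knows the pattern and only has to guess the words, the shared digit and the shared symbol. This illustrates the "why the discrepancy" point above: the pattern-aware estimate for the four-word phrase comes out below that of a 12-character manager-generated password. The 7,776-word vocabulary, the 94-character alphabet and the 10 digit / 32 symbol choices are assumptions for the calculation.

```python
import math
import secrets
import string

# The article's scheme: the same digit inserted at the same position in
# every word, the last letter of each word capitalised, spaces replaced
# with one symbol. Defaults reproduce the post's own example.
def build_passphrase(words, digit="4", position=1, joiner="#"):
    parts = []
    for word in words:
        word = word.lower()
        word = word[:-1] + word[-1].upper()               # capitalise last letter
        word = word[:position] + digit + word[position:]  # insert the digit
        parts.append(word)
    return joiner.join(parts)

def char_bruteforce_bits(length, alphabet_size=94):
    """Work for an attacker who tries every string of printable ASCII
    (94 symbols, an assumption) of the given length."""
    return length * math.log2(alphabet_size)

def pattern_aware_bits(word_count, wordlist_size=7776,
                       digit_choices=10, symbol_choices=32):
    """Work for an attacker who knows the scheme: only the words, the one
    shared digit and the one shared symbol are unknown. The 7776-word
    vocabulary and 32 candidate symbols are assumptions."""
    return (word_count * math.log2(wordlist_size)
            + math.log2(digit_choices) + math.log2(symbol_choices))

def manager_password(length=12):
    """A password-manager style random password over the same 94 symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def compare(words):
    """Return the passphrase and the three strength estimates, in bits."""
    phrase = build_passphrase(words)
    return {
        "passphrase": phrase,
        "naive_bits": round(char_bruteforce_bits(len(phrase)), 1),
        "pattern_aware_bits": round(pattern_aware_bits(len(words)), 1),
        "random_12_bits": round(char_bruteforce_bits(12), 1),
    }

if __name__ == "__main__":
    for key, value in compare(["saddlepad", "blue", "shiny", "bay"]).items():
        print(f"{key}: {value}")
    print("manager-style password:", manager_password())
```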
While having a 20 character password will keep your accounts safe for now, it won’t be long before we will need 33 character passwords or longer. To add an extra layer of security, enable multi-factor authentication on all your accounts so that if your passwords are cracked, the attackers won’t be able to gain access.
The space audit is coming, cover up sensitive information – 05/31/2023
Starting June 12, Facilities Management will be conducting its annual space audit. Employees will enter all rooms on campus in order to update space information. Photos will be taken to record the condition of finishes, furniture layouts and equipment. Part of the project involves auditors creating work requests in the Frontline system for maintenance issues they identify.
Checking an email? Get a bigger screen – 12/08/2023
Updated 07/18/2023
Phishing emails are the bane of our existence. They take our precious time as we slow down to take a close look and make sure that email from our colleague is really coming from our colleague. This whole experience is a lot more challenging when we are attempting to do our analysis on a smartphone.
While reading an email on our phone is perfectly harmless, things can become dangerous when the email asks us to take action. To click or not to click? Do we send the requested information or not? How is one to know when it is hard to see the link URL or sender’s email address on that small screen?
It is so challenging to spot a malicious email on a phone, that even IT professionals get tricked. That’s right … Information Technology professionals get tricked. The people that get tricked repeatedly in IT are ALL trying to see phishing red flags on a smartphone screen and fail.
The next time you read an email on your phone that has a link, contains an attachment or is asking for sensitive information, mark it unread. When you are able to view it on a larger screen, re-read it and look at the sender’s email address, hover over the links and check the grammar. While taking the extra time is inconvenient, it is far less painful than losing half a day of work while you factory reset your phone or deal with the fallout of a data breach.
Password managers: the secret weapon against cybercrime – 09/01/22
Passwords, they are our saviors keeping our data safe while at the same time they are our oppressors clogging our brains and stressing us out. We know we should have long, complicated passwords and that we shouldn’t reuse them. However, who has the time to be that creative every time you sign up for a new service, never mind being able to memorize them all? It isn’t surprising that password reuse is as common as grilled cheese.
Attackers know that, which is why credential stuffing is one of their favorite attack methods. It takes little skill and effort. Just go on the dark web and find a list of stolen credentials, plug them into a software program and let it run. After a few minutes you have a whole list of websites that you can login to hassle free. You don’t even have to buy stolen credentials anymore. Over a hundred of them are just sitting there, free for the taking.
Thankfully there is a way to have long, strong unique passwords for every service without losing your mind. This magical tool even logs in for you, saving you valuable time and effort. The best part is you only have to create and remember one password. Yup, only one, the one to gain access to the tool. After that, this gift from the Gods creates passwords for you. They are long, complicated monsters that would take years to brute force hack. They would be impossible for a human mind to remember, but this genius of an application does it for you.
What is this mythical piece of software? It is a password manager. In the past they have been known for their ability to effortlessly store passwords, however their other skills are largely unknown. They are your secret weapon against credential stuffing.
There are many, many types of password managers. On workstations across campus you can find KeePass. While functional, it doesn’t look very user friendly and it strikes terror into the hearts of most. All it takes to tame the beast is a quick training session. However, for those less adventurous there are alternatives. The one we recommend is Bitwarden. It uses a browser extension to enable functionality and offers a full range of features for free.
If you aren’t sure if Bitwarden is for you, PC Magazine does a great job of reviewing the most popular password managers every year. All of them allow you to use them for free for at least a week before you buy. I suggest picking three and trying them out one at a time. It works best if you only enter your login credentials for your most used services. That way you don’t invest a lot of time into a tool that you decide you don’t want to use later on.
Which password manager is the best? The one that you use. Each one has its own quirks and features. Some you may like, others you may not. If you don’t use the tool, then it isn’t the right one for you. That is why I recommend giving a few of them a try. Ideally you want to find one that fits in so seamlessly with your work that you barely notice it is there.